How To Allow Logins From Different Active Directory

[CHANGE USERNAME TO westes]

I have an Active Directory tree named LAB and one named CORE. How do I
get any Domain User from CORE to have the ability to login to the console of
the domain controller for LAB?

I tried to add CORE\Domain Users into the Login Locally permission for LAB,
and that did not solve the problem. We are getting "Local Security Policy
does not allow this login".

The lab machine has no real security on its hard drives, so it's not a
permission problem getting access to any part of the drive (user Everyone is
given all permissions).

 

[Miha Pihler]

Did you modify Domain Controller group policy to allow logon locally users
from CORE domain? If you only edited Default Domain Group Policy it will not
work...

Do you have trusts established between CORE and LAB domain?

Mike

 

[CHANGE USERNAME TO westes]

Yes, I modified both the Domain Controller security policy and separately
the Domain policy to allow "Login Locally" by CORE\Domain Users.

Regarding trusts, I will need to check, but I know for example that users
from CORE do login to workstations within LAB. What specific kind of trust
will I need to allow CORE users to login to LAB domain controllers?

 

[Steven L Umbach]

Mike is correct about that the user right must be defined in the Domain
Controller Security Policy and then it should show as the "effective
setting" in Local Security Policy of the domain controller.Your trusts are
already in place within the forest even with separate trees . If still not
working I would check Event Viewer on both domain controllers to see if
there is any problems with the two domain controllers communicating. Running
first the support tool netdiag on each domain controller and then dcdiag
could give you an idea if everything is running smoothly or not. --- Steve