Establishing SharePoint access for users on a trusted domain was a great learning experience. SharePoint touches so many other fundamental services within the organization: in this case, good old Active Directory. The trust in question is an external non-transitive trust with a district office with its own domain. As a two-way trust, my users can authenticate on the foreign domain, and their users can authenticate on the local domain, where SharePoint is housed.
Authentication, however, will only get you so far. Without specific rights granted to individuals or to security groups in the foreign domain, the authenticated user could not view anything in our SharePoint environment, which is a closed intranet.
Best practice, of course, is to use security groups and/or SharePoint groups whenever possible to avoid duplicating user management outside of AD. Therefore, I needed the names of the security groups within the foreign domain in order to grant access permissions in SharePoint. If there is a way to view users and groups from a trusted domain within the Active Directory 2003 management console, I haven’t found it. To get around the problem, I created a folder on my desktop and did the following: right-click the folder and go to Properties > Sharing > Share This Folder > Permissions > Add... From Locations..., choose the trusted domain name. Then select Advanced to go to the Common Queries window. With no criteria entered, click Find Now to get the full list of users and groups from the foreign domain.
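The same listing can be pulled straight from the trusted domain with an LDAP query, which also tells you each group's scope, something the sharing dialog does not show. The script below is an added example, not code from the original post; it assumes the trusted domain's DNS name is the placeholder "district.example" and that the account running it can be authenticated by the foreign domain over the two-way trust.

```powershell
# Added example (not from the original post): query users and groups of a
# trusted domain with System.DirectoryServices instead of going through the
# folder-sharing Permissions dialog. Assumptions: the trusted domain is
# "district.example" (placeholder) and the current logon is accepted by the
# foreign domain over the two-way trust.
$trustedDomain = "district.example"

function Get-GroupScope([int]$GroupType) {
    # groupType flag bits: 0x2 = global, 0x4 = domain local, 0x8 = universal;
    # 0x80000000 marks a security (as opposed to distribution) group.
    if ($GroupType -band 0x4) { return "DomainLocal" }
    if ($GroupType -band 0x8) { return "Universal" }
    if ($GroupType -band 0x2) { return "Global" }
    return "n/a"
}

function Get-TrustedDomainPrincipals {
    param(
        [string]$Domain,
        [ValidateSet("group", "user")][string]$Kind = "group"
    )
    # Serverless bind: DNS and the trust locate a domain controller for us.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    if ($Kind -eq "group") {
        $searcher.Filter = "(objectCategory=group)"
    } else {
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    }
    $searcher.PageSize = 500   # page the results so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("groupType")

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties          # property keys come back lower-cased
        $groupType = 0
        if ($p["grouptype"].Count -gt 0) { $groupType = [int]$p["grouptype"][0] }
        New-Object PSObject -Property @{
            Name       = [string]$p["samaccountname"][0]
            DN         = [string]$p["distinguishedname"][0]
            Scope      = Get-GroupScope $groupType
            IsSecurity = (($groupType -band 0x80000000) -ne 0)
        }
    }
}

# Candidates for SharePoint permissions: security groups whose scope allows use
# outside their own domain. Domain local groups are confined to the domain that
# created them, so they cannot be granted rights on the local SharePoint farm.
Get-TrustedDomainPrincipals -Domain $trustedDomain -Kind group |
    Where-Object { $_.IsSecurity -and $_.Scope -ne "DomainLocal" } |
    Sort-Object Name |
    Format-Table Name, Scope, DN -AutoSize
```

Run it from a workstation in the local domain; swap `-Kind user` for the user list. Filtering out domain local and distribution groups up front saves discovering later that a group you granted in SharePoint never resolves for anyone.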
To test the security access, I asked the administrator of the foreign domain to create a test account for me, which I then used to log on to the SharePoint site. The logon worked, and my test account was able to navigate the site pretty much as expected. The test account was placed in only one security group, the most general one: district office. Interestingly, because that group had been added only to the Viewers group at the root site, this experiment revealed some ugly situations where inheritance had been inappropriately broken, leaving the test account unable to navigate to sub-sites below that level.
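Finding those broken-inheritance spots by clicking through every sub-site as the test account does not scale. The script below is an added example, not code from the original post: it walks a site collection with the WSS 3.0 / MOSS 2007 object model and reports every web that has unique permissions where the foreign group is granted nothing, either directly or through a SharePoint group such as Viewers. The site URL, the group login name and the assumption that it runs on a SharePoint server as a farm administrator are all placeholders and assumptions of mine.

```powershell
# Added example (not from the original post): list sub-sites that break
# permission inheritance and flag those where a trusted-domain group has no
# role assignment, which is where a user from that domain stops being able to
# navigate. Assumptions: WSS 3.0 / MOSS 2007 object model on the SharePoint
# server, placeholder site URL and group login, run as a farm administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Test-PrincipalGranted($Web, $Login) {
    # RoleAssignments lists only direct grants, so also look inside SharePoint
    # groups: an AD group added to a SharePoint group appears among its Users.
    foreach ($ra in $Web.RoleAssignments) {
        $m = $ra.Member
        if ($m.LoginName -eq $Login) { return $true }
        if ($m -is [Microsoft.SharePoint.SPGroup]) {
            foreach ($u in $m.Users) {
                if ($u.LoginName -eq $Login) { return $true }
            }
        }
    }
    return $false
}

function Find-WebsMissingGroup {
    param(
        [string]$SiteUrl,      # e.g. "http://intranet.example" (placeholder)
        [string]$GroupLogin    # e.g. "DISTRICT\District Office" (placeholder)
    )
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit get the parent's grants automatically; only
                # webs with unique role assignments can have dropped the group.
                if ($web.HasUniqueRoleAssignments) {
                    New-Object PSObject -Property @{
                        Url      = $web.ServerRelativeUrl
                        HasGroup = (Test-PrincipalGranted $web $GroupLogin)
                    }
                }
            } finally {
                $web.Dispose()   # SPWeb objects from AllWebs must be disposed explicitly
            }
        }
    } finally {
        $site.Dispose()
    }
}

# Every row printed here is a sub-site the foreign group's members cannot reach.
Find-WebsMissingGroup -SiteUrl "http://intranet.example" -GroupLogin "DISTRICT\District Office" |
    Where-Object { -not $_.HasGroup } |
    Sort-Object Url |
    Format-Table Url -AutoSize
```

Dropping the `Where-Object` filter gives the full inventory of webs with unique permissions, which is the list to review before deciding whether each break was intentional or should be reset to inherit from the parent.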
Next steps will be to correct the broken-inheritance problems, test alerts to the foreign users, and map the foreign security groups to their local security group equivalents in order to grant permission to sites with specialized group permissions.