Questions regarding Sid, Sidhistory, trust and resource sharing

Q1: All except "Local" 

Q2: Nothing

Q3.1: does resource domain also have to authenticate user before granting access? Yes. 

Q3.2: Could you please explain the workflow in brief for this scenario? No, been there, done that. Read these threads

www.quest.com/.../access-token-related-query
www.quest.com/.../how-access-is-granted-by-source-domain-local-group-in-target-domain-resource-permission-acl-via-migrated-group-membership-or-via-sidhistory-or-both-and-how-exactly-access-check-is-performed
www.quest.com/.../domain-migration-access-denied-after-changing-group-type-and-resource-access

Thank you Jeff Shahan

There are 3 follow up related questions.

As per thread: https://www.quest.com/community/migration-manager-for-ad/f/forum/31586/access-token-related-query

Q1: You mentioned  - In an inter-forest logon with an external trust, only the universal groups from within the trusted domain are included. But in above reply there is no such difference between forest trust or external trust in terms of group scope. Kindly clear this out and explain statement "only the universal groups from within the trusted domain are included".

Q2: You mentioned - 

When you try to access a resource on a remote server, that server will authenticate your request, following the same path as above.

• Domain User
• Server's Local Groups
• Server's Domain Local Groups
• Authenticating Domain Global Groups and Forest Global Groups

So just want to confirm that  "Authenticating Domain Global Groups and Forest Global Groups" means user's logged on domain not resource(remote server) domain. Correct? 

Q3: So does it mean that authentication via resource domain occur because of server's Domain Local groups and server's Local groups only?

Please clarify above mentioned related queries. 

Thank you Jeff Shahan

There are 3 follow up related questions.

As per thread: https://www.quest.com/community/migration-manager-for-ad/f/forum/31586/access-token-related-query

Q1: You mentioned  - In an inter-forest logon with an external trust, only the universal groups from within the trusted domain are included. But in above reply there is no such difference between forest trust or external trust in terms of group scope. Kindly clear this out and explain statement "only the universal groups from within the trusted domain are included".

Q2: You mentioned - 

When you try to access a resource on a remote server, that server will authenticate your request, following the same path as above.

• Domain User
• Server's Local Groups
• Server's Domain Local Groups
• Authenticating Domain Global Groups and Forest Global Groups

So just want to confirm that  "Authenticating Domain Global Groups and Forest Global Groups" means user's logged on domain not resource(remote server) domain. Correct? 

Q3: So does it mean that authentication via resource domain occur because of server's Domain Local groups and server's Local groups only?

Please clarify above mentioned related queries. 

Q1. All forest universal groups are in the GC, and the GC plays a role in authentication. So all Universal. 

Q2: Yes, that is what authenticating Domain meant. 

Q3: Not really a valid question. 
So does it mean that authentication via resource domain occur because of server's domain membership to the resource domain. 

Jeff Shahan

Incase of external trust, if user login to trusted domain then his access token will have trusted domain's Global Groups as well as trusted domain's Universal Groups. Correct? Please confirm.

Global Catalog play an authentication role in multi domains forest for Universal Groups membership information.

Source\users will only ever have source\%global groups%, regardless of the membership of the host they login to. Additionally Source\users will only have Source (Forest)\%Universal Groups%. 

I really am done talking about this.