Saturday, April 8, 2017

Exchange Resource Forest Selective Trust - Part 2

Continuing from Part 1, we'll now set up our authentication permissions in the Resource Forest to allow users in the Accounts Forest to connect to the Exchange servers.

Setting Authentication Permissions

1. Open Active Directory Users and Computers (ADUC).

2. Under View, ensure that Advanced Features is selected.

3. In the console tree, click the OU where your Exchange Servers live.

4. Right-click the Exchange server object that you want users in the Accounts Forest to access, and then click Properties.

5. On the Security tab, do the following:

   a. Click Add.

   b. In "Enter the object names to select", type the "Resource Forest Exchange Auth" group name, and then click OK.

   c. Select the Allow check box next to each of the following permissions:

      Read
      Allowed to Authenticate
      Read Account Restrictions
      Read DNS Hostname Attributes
      Read MS-TS-GatewayAccess
      Read Personal Information
      Read Public Information

   d. Click OK.

6. Repeat the above steps on each of your Exchange servers.
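Clicking through the Security tab on every Exchange server is error-prone once you have more than a couple of them. The following PowerShell script is an added example (not from the original post) that grants the same set of permissions from steps 1-6 to every computer object in the Exchange servers OU. It assumes the RSAT ActiveDirectory module is installed, that it runs in the Resource Forest with rights to edit those ACLs, and that the group name and OU distinguished name are placeholders you replace with your own. The GUIDs for the extended rights and property sets are resolved from the configuration and schema partitions at run time rather than hard-coded.

```powershell
# Added example, not the original post's procedure: script the ACL changes that
# steps 1-6 make through ADUC. Group name and OU below are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'Resource Forest Exchange Auth'                 # placeholder
$ExchangeOU = 'OU=Exchange Servers,DC=resource,DC=example'    # placeholder

$rootDse = Get-ADRootDSE
$group   = Get-ADGroup -Identity $GroupName
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the rightsGuid of each extended right / property set by its display
# name from CN=Extended-Rights, so nothing is hard-coded.
$wanted = 'Allowed to Authenticate', 'Account Restrictions',
          'DNS Host Name Attributes', 'Personal Information', 'Public Information'
$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    Where-Object { $wanted -contains $_.displayName } |
    ForEach-Object { $rights[$_.displayName] = [guid]$_.rightsGuid }

$missing = $wanted | Where-Object { -not $rights.ContainsKey($_) }
if ($missing) { throw "Extended rights not found in this forest: $($missing -join ', ')" }

# ms-TS-GatewayAccess is a single attribute, so its GUID lives in the schema
# (schemaIDGUID is stored as a byte array).
$tsAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=ms-TS-GatewayAccess)' -Properties schemaIDGUID
if (-not $tsAttr) { throw 'ms-TS-GatewayAccess attribute not found in the schema' }
$tsGuid = [guid]$tsAttr.schemaIDGUID

# Build the ACEs once; they are the same for every server.
$aces = @()
# The "Read" check box in ADUC corresponds to GenericRead.
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, 'Allow')
# "Allowed to Authenticate" is an extended right, keyed by its GUID.
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $rights['Allowed to Authenticate'])
# The "Read <set>" boxes are ReadProperty on a property set GUID.
foreach ($set in 'Account Restrictions', 'DNS Host Name Attributes',
                 'Personal Information', 'Public Information') {
    $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty', 'Allow', $rights[$set])
}
# "Read MS-TS-GatewayAccess" is ReadProperty on that one attribute's GUID.
$aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ReadProperty', 'Allow', $tsGuid)

# Apply to every computer object under the Exchange servers OU (step 6).
foreach ($server in Get-ADComputer -SearchBase $ExchangeOU -Filter *) {
    $path = "AD:\$($server.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    foreach ($ace in $aces) { $acl.AddAccessRule($ace) }   # AddAccessRule skips exact duplicates
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Updated ACL on $($server.Name)"
}
```

Run it from an elevated PowerShell session on a Resource Forest DC or a workstation with RSAT; the `AD:` drive is provided by the ActiveDirectory module, which is why the import comes first.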


Depending on the size of your environment, allow time for the permissions to replicate across forests.

**Note:** In my environment we have some "screwy" ACLs, so we also had to add those permissions on the Resource Forest DCs. Keep that in mind if you hit a wall and no one can authenticate even after applying the permissions.

Now choose one of the users in the "Accounts Forest Exchange Auth" Group and have them try to connect or open Outlook - they should be allowed.

Then choose a user not in the group and do the same - they should be blocked from access.
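The two login tests above confirm the behaviour for one user each way, but they do not tell you who else can authenticate to the Exchange servers. This added example (not from the original post) reads the ACL of each Exchange server object back and lists every principal that holds "Allowed to Authenticate", flagging grants that cover all extended rights, since those are broader than what the procedure intended. It assumes the same RSAT ActiveDirectory module and the same placeholder group and OU names as the grant script.

```powershell
# Added example, not from the original post: audit who holds
# "Allowed to Authenticate" on each Exchange server object after the change.
Import-Module ActiveDirectory

$ExpectedGroup = 'Resource Forest Exchange Auth'               # placeholder
$ExchangeOU    = 'OU=Exchange Servers,DC=resource,DC=example'  # placeholder

$rootDse   = Get-ADRootDSE
$authRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$authGuid  = [guid]$authRight.rightsGuid

foreach ($server in Get-ADComputer -SearchBase $ExchangeOU -Filter *) {
    $acl = Get-Acl -Path "AD:\$($server.DistinguishedName)"

    # A principal holds the right if an Allow ACE carries the ExtendedRight bit
    # (GenericAll includes it) and is either scoped to this right's GUID or to
    # all extended rights (empty ObjectType). Inherited ACEs are included.
    $holders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $authGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    Write-Host "== $($server.Name) =="
    foreach ($ace in $holders) {
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'ALL extended rights (broad)' }
                 else { 'Allowed to Authenticate' }
        $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host ("  {0,-45} {1} [{2}]" -f $ace.IdentityReference, $scope, $origin)
    }

    $hasExpected = $holders | Where-Object { $_.IdentityReference -like "*\$ExpectedGroup" }
    if (-not $hasExpected) {
        Write-Warning "$($server.Name): '$ExpectedGroup' does not hold Allowed to Authenticate"
    }
}
```

Anything listed as "ALL extended rights" or inherited from a parent OU is worth a second look: with selective authentication, those principals can reach the server even though they were never added to the auth group.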

Now you should be ready to go, and secure, with your Selective Trust all set!
