stsadm.exe syntax when adding users in a one-way trust

    Question

  • Hello Community

        When establishing a one-way trust relationship there are 3 stsadm.exe commands that have to be entered. 

        Also I don’t know why these commands have to be entered.

        But the first one works fine:

            stsadm -o setapppassword -password password
     
        As for the second command, a couple of variations exist, but of those commands there are 2 that seem the best; getting the syntax correct is the problem. For example, let's say the trusting forest name and its domain name are the same, which is "ssite.scity.sstate.us". Now, of the following 2 commands, how would I apply my trusting forest name/domain name, and which one should I insert it into:

        1) stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:sharepointforest.com; trustedforest.com,trustedforestusername,password" -url http://webApp

        2) stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "trusted forest name,trusted forest name\trusted forest username,password; domain:trusting forest name,trusting forest name\username,password" -url myWebAppUrl

        There is also a third command which I have yet to use in the sequence of these commands, because it looks like it may have already been applied in the command above:

        3) forest:trustedforestname,user1,password

        In practice when you apply permissions there are scenarios when you have to apply permissions. The above syntax seems to only apply to "people", so once I get that syntax right, how would I change that syntax to apply to the different "groups" that those usernames will be added to?

        Thank you
        Shabeaut





    • Edited by Shabeaut Sunday, December 08, 2013 12:57 AM
    Sunday, December 08, 2013 12:54 AM

Answers

  • The syntax covers groups as well (this is just configuring how the People Picker search functions).

    The "forest:sharepointforest.com" is just where the SharePoint server resides, which in a one-way trust would have to be the trusting domain.


    Trevor Seward, MCC

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Shabeaut Monday, December 09, 2013 3:50 PM
    Monday, December 09, 2013 12:26 AM
    Moderator

All replies

  • Universal Security groups can be seen across forest boundaries. The syntax of the peoplepicker-searchadforests command is:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:sharepointforest.com;trustedforest.com,username,password" -url http://webAppUrl

    Where username is the sAMAccountName from the user residing in the trusted forest.

    Here is an article about accessing resources in a forest trust (good for the group information): http://technet.microsoft.com/en-us/library/cc772808(v=WS.10).aspx

    And group scope information:

    http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

    You'll want to leverage Universal Security Groups and you'll be able to see those in the People Picker with the above configuration of the peoplepicker-searchadforests property.


    Trevor Seward, MCC

    Sunday, December 08, 2013 1:56 AM
    Moderator
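
    An added example (not part of the original thread, and not the answerer's or Microsoft's code): a PowerShell sketch that runs the first two commands for the one-way trust discussed above, prompting for the secrets instead of hard-coding them in a script. It writes each entry in the `forest:name,user,password` form shown in item 3 of the question; `stsadm.exe` being on the PATH, and the names `trustedforest.com` and `http://webAppUrl`, are assumptions or placeholders.

```powershell
# Added example. Placeholders/assumptions are marked; nothing here is from the thread's author.
$stsadm = 'stsadm.exe'   # assumption: SharePoint's BIN folder is on the PATH

function New-PeoplePickerForestValue {
    param(
        [Parameter(Mandatory = $true)] [string] $TrustingForest,   # forest where SharePoint resides
        [Parameter(Mandatory = $true)] [string] $TrustedForest,    # forest holding the users and groups
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
    )
    $user = $Credential.UserName                                   # account in the trusted forest
    $pass = $Credential.GetNetworkCredential().Password
    # ';' separates entries and ',' separates fields in the property value, so a field
    # containing either (or a double quote) is rejected rather than guessing at escaping.
    foreach ($field in $TrustingForest, $TrustedForest, $user, $pass) {
        if ($field -match '[;,"]') {
            throw "A field contains a semicolon, comma or double quote and cannot be placed in the property value."
        }
    }
    # No credentials on the first entry: the farm already runs in the trusting forest.
    "forest:$TrustingForest;forest:$TrustedForest,$user,$pass"
}

# Step 1: setapppassword sets the key SharePoint uses to encrypt the account password
# stored by step 2. Run it with the same value on every front-end web server.
$secure = Read-Host -Prompt 'Application password' -AsSecureString
$appPw  = (New-Object System.Management.Automation.PSCredential 'unused', $secure).GetNetworkCredential().Password
& $stsadm -o setapppassword -password $appPw
if ($LASTEXITCODE -ne 0) { throw "setapppassword failed with exit code $LASTEXITCODE" }

# Step 2: tell the People Picker which forests to search. This covers users and groups.
$cred  = Get-Credential   # enter the trusted-forest account when prompted
$value = New-PeoplePickerForestValue -TrustingForest 'ssite.scity.sstate.us' `
                                     -TrustedForest  'trustedforest.com' `
                                     -Credential     $cred
& $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $value -url 'http://webAppUrl'
if ($LASTEXITCODE -ne 0) { throw "setproperty failed with exit code $LASTEXITCODE" }

# Clear the plaintext copies from the session once both commands have run.
Remove-Variable appPw, value
```

    The account supplied in step 2 only needs to be able to read the trusted forest's directory, so a dedicated low-privilege account limits the exposure of a password that ends up on a command line.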
  • Hello Trevor Seward

        For now the domains are in different forests.

        Of the two you suggest using this syntax:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:sharepointforest.com;trustedforest.com,username,password" -url http://webAppUrl


        Some users will be added individually, but groups will also be added. If there is a difference in syntax, what changes have to be made to the syntax, and if I change to the domains being in one forest instead of two, how would this syntax change?

        Also regarding the syntax where it has:

           
    "forest:sharepointforest.com”

        Does the above refer to the “trusting domain” or the “trusted domain”?

        Thank you
        Shabeaut

    Monday, December 09, 2013 12:24 AM