Why can’t an AD trusted domain local group access a NAS via SMB?
Applicable Products
All NAS series
Concept
Domain local groups from an AD trusted domain cannot access a NAS via SMB. This is due to the nature of MSDN specifications.
In this scenario, the NAS is an AD member server of Windows AD domain A (DOM_A) and has a forest trust relationship with Windows AD domain B (DOM_B).
The NAS identifies DOM_A as its own domain, so DOM_A’s groups are able to access the NAS. The NAS identifies DOM_B as a trusted domain, but DOM_B’s domain local groups are NOT able to access the NAS. This behavior is consistent with MSDN specifications.
Solution
To allow DOM_B’s groups to access the NAS, use one of the following two methods:
- In DOM_B, use groups with the Global or Universal group scope to access the NAS.
- Join the NAS to DOM_B instead of DOM_A.
Note
Shared folder permissions may need to be reconfigured after joining the NAS to a different AD domain.
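The rule above applied to an LDAP export of groups, as an added example that is not part of the original article or any vendor tooling: it decodes each group's `groupType` attribute and flags trusted-domain groups whose scope is Domain Local. The domain names, group names and the `audit`, `scope_of` and `domain_of` helpers are constructed for illustration.

```python
# Added example (not vendor code). Sample DNs and domains below are constructed.
# groupType scope bits as documented for the AD groupType attribute.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008


def scope_of(group_type: int) -> str:
    """Decode the scope from groupType, which LDAP returns as a signed 32-bit int."""
    flags = group_type & 0xFFFFFFFF  # normalise negative values such as -2147483644
    if flags & GROUP_TYPE_UNIVERSAL:
        return "Universal"
    if flags & GROUP_TYPE_GLOBAL:
        return "Global"
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "DomainLocal"
    raise ValueError(f"no scope bit set in groupType {group_type}")


def domain_of(dn: str) -> str:
    """Build the DNS-style domain name from the DC= components of a DN.
    Simplification: splits on commas, which is safe for DC= parts."""
    parts = [p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def audit(groups, nas_domain):
    """Return (dn, scope, usable_on_nas) for each (dn, groupType) pair.
    A group is unusable only when it is Domain Local AND lives outside
    the domain the NAS is joined to (i.e. in a trusted domain)."""
    findings = []
    for dn, group_type in groups:
        scope = scope_of(group_type)
        trusted = domain_of(dn) != nas_domain.lower()
        findings.append((dn, scope, not (trusted and scope == "DomainLocal")))
    return findings


# Constructed export: NAS is joined to dom-a.example, which trusts dom-b.example.
SAMPLE = [
    ("CN=Finance-RW,OU=Groups,DC=dom-a,DC=example", -2147483644),
    ("CN=Eng-Local,OU=Groups,DC=dom-b,DC=example", -2147483644),
    ("CN=Eng-Global,OU=Groups,DC=dom-b,DC=example", -2147483646),
    ("CN=Eng-Universal,OU=Groups,DC=dom-b,DC=example", -2147483640),
]

if __name__ == "__main__":
    for dn, scope, usable in audit(SAMPLE, "dom-a.example"):
        print(f"{'OK   ' if usable else 'BLOCK'} {scope:<11} {dn}")
```

Groups reported as `BLOCK` are the ones to replace with a Global or Universal group in DOM_B before assigning shared folder permissions.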
Further reading
Group scope: Active Directory | Microsoft Learn
Accessing resources across forests: Active Directory | Microsoft Learn