If you don't have a single account with the appropriate permissions in both forests, adding targetuser to a zone in another forest requires the credentials of two accounts, one per forest. For example, you must identify accounts with the following permissions:
- An account in forest1.net that has permission to add a user to zone1 (user1).
- An account in forest2.net that has read permission on forest2.net (user2).
After you identify the accounts with the appropriate permissions (for example, user1 in forest1.net and user2 in forest2.net), you can add targetuser from forest2.net to zone1 in forest1.net as follows:
```powershell
Set-CdmCredential "forest1.net" "forest1\user1"
Set-CdmCredential "forest2.net" "forest2\user2"
-Zone "cn=zone1,cn=Zones,dc=forest1,dc=net" `
-User "targetUser@forest2.net" `
-login "UNIXname" `
```
where UNIXname is the UNIX login name of targetuser and nnnn is the user’s UID.