Adding users in a one-way trust environment

This chapter explains how to add a user in a one-way trust environment by using the Centrify Windows API.

To add a user in a one-way trust environment, follow these steps:

  1. Select an account in a domain that is in a one-way trust relationship with the remote forest so that the account has access to resources in both domains.

    For example, suppose the corporate domain company.corp.com is trusted by the remote domain companyDMZ.com, which is where you intend to add a user. Select an account in the company.corp.com domain that can access resources in the companyDMZ.com domain.

  2. Verify that the selected account has permission to modify a zone.

    You can use the zone delegation wizard to add this permission to the selected account. By default, if the user account is a member of the Domain Administrators group in companyDMZ.com, you have the necessary permissions.

  3. Use Cims.Connect() to connect to the companyDMZ.com domain to get the Cims object.
  4. Obtain an IADsUser object for the remote forest user that you will add to the zone.

    To obtain an IADsUser for company.corp.com using VBScript, for example, use the following code:

    u = GetObject(LDAPCOMPANY.CORP.NETCN=UserName,CN=Users,DC=wonder,DC=land) 

    If you log in as a domain user from company.corp.com, you should have sufficient permission.

  5. Get the User object by passing the IADsUser object you obtained in the previous step to cims.GetUser(x).
  6. With the User object, you can use User.AddUnixProfile() to add the zone profile.