With multi-domain forests there is a chance of access control entries being ignored when querying a Global Catalog if domain local groups from a domain other than that of the current GC are used to secure directory objects. This can include both allowing and denying access, each of which carries risks. This is mitigated somewhat because it is limited to GC read-only operations on secured Active Directory objects, but it still needs to be carefully assessed before domain local groups are used this way in multi-domain forests. There are no known issues with single-domain forests.
The cross-forest user tries to query the secured object:
As access is denied on this object, Dsquery reports:
Object is successfully enumerated as the trusting domain local ACE is ignored.
The same occurs in the scenario of granting specific access to an object that would otherwise be denied or not implicitly granted.
What this could affect:
Unknown
Notes:
These issues arose in the scenario of a cross-forest administration domain, where there is little choice but to use domain local groups to secure directory objects in managed domains, thereby enabling access to be granted to global/universal groups across forests.
This goes against general Microsoft recommendations, and some research has been completed to further understand the limitations.
However, to bypass the security applied to the ACE, you could target the GC query at the other trusting domain in the forest:
What this does not affect:
Replication issues. Originally it was thought that this could cause issues with replication consistency; this is not the case, and the behaviour only affects security on the GC.
Excerpt from 'Global catalog replication' below:
A global catalog stores a replicated, read-only copy of all objects in the forest and a partial set of each object's attributes, including the security descriptor for each object. The security descriptor contains a discretionary access control list (DACL), which specifies permissions on the object. When a user connects to a global catalog and tries to access an object, an access check is performed based on the user's token and the object's DACL. Any permissions specified in the object's DACL for domain local groups that are not from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to, will be ineffective because only domain local groups from the global catalog's domain of which the user is a member are represented in the user's access token. As a result, a user may be denied access when access should have been granted, or allowed access when access should have been denied.
As a best practice, you should avoid using domain local groups when assigning permissions on Active Directory objects, or be aware of the implications if you do use them. To prevent unauthorized access to global catalog data, use global groups or universal groups instead. For information about global and universal groups, see Group scope.
References:
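The following is an added example, not part of the original post or of any Microsoft documentation, that models the access check the excerpt above describes and reproduces both outcomes mentioned at the top of the post (a deny ACE ignored, and an allow ACE ignored) depending on which domain's GC the query is sent to. The forest (root "corp.example", child "managed.example", administration forest "admin.example"), the group names and the DACLs are all constructed for illustration; the token-building rule is the one the excerpt states, and the DACL evaluation is simplified to a single requested right over a canonically ordered DACL. The ineffective_aces helper is the check an administrator would want to run over a secured object's DACL before relying on domain local group ACEs in a multi-domain forest.

```python
"""Model of the global catalog access check described in the excerpt above.

Constructed example: a two-domain forest (root "corp.example", child
"managed.example") administered from a separate "admin.example" forest.
Domain names, group names and DACLs are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    domain: str   # domain the group is defined in ("*" for well-known SIDs)
    scope: str    # "DomainLocal", "Global", "Universal" or "WellKnown"


@dataclass(frozen=True)
class Ace:
    kind: str     # "Allow" or "Deny"
    trustee: Group
    right: str    # right the ACE applies to, e.g. "Read"


def build_token(user_groups, gc_domain):
    """Groups represented in the user's token when connecting to a GC in gc_domain.

    Per the excerpt, global, universal and well-known groups are always present,
    but a domain local group is present only if it belongs to the GC's own domain.
    """
    return frozenset(g for g in user_groups
                     if g.scope != "DomainLocal" or g.domain == gc_domain)


def access_check(dacl, token, right):
    """Simplified DACL evaluation for a single requested right.

    The DACL is assumed to be in canonical order (explicit Deny before Allow);
    the first ACE matching both the trustee and the right decides, and with no
    matching ACE access is denied (nothing is implicitly granted).
    """
    for ace in dacl:
        if ace.right == right and ace.trustee in token:
            return ace.kind == "Allow"
    return False


def ineffective_aces(dacl, gc_domain):
    """Audit helper: ACEs that a GC in gc_domain will never honour, because the
    trustee is a domain local group from a different domain."""
    return [ace for ace in dacl
            if ace.trustee.scope == "DomainLocal" and ace.trustee.domain != gc_domain]


# --- constructed forest ---------------------------------------------------
AUTHENTICATED_USERS = Group("Authenticated Users", "*", "WellKnown")
# Global group in the administration forest that the cross-forest user belongs to
ADMIN_GLOBAL = Group("Admin-Team", "admin.example", "Global")
# Domain local groups in the managed child domain; ADMIN_GLOBAL is nested in each
DL_HIDDEN = Group("DL-Hidden-Objects", "managed.example", "DomainLocal")
DL_READERS = Group("DL-Extra-Readers", "managed.example", "DomainLocal")

# Membership as expanded by a DC in managed.example for the cross-forest user
USER_GROUPS = {AUTHENTICATED_USERS, ADMIN_GLOBAL, DL_HIDDEN, DL_READERS}

# Scenario 1: object readable by everyone except members of the deny group
DACL_DENY = (Ace("Deny", DL_HIDDEN, "Read"),
             Ace("Allow", AUTHENTICATED_USERS, "Read"))
# Scenario 2: object readable only by members of the domain local readers group
DACL_ALLOW = (Ace("Allow", DL_READERS, "Read"),)


def run_scenarios():
    """Evaluate both objects via a GC in each domain; returns {(object, gc): granted}."""
    results = {}
    for gc in ("managed.example", "corp.example"):
        token = build_token(USER_GROUPS, gc)
        results[("deny-object", gc)] = access_check(DACL_DENY, token, "Read")
        results[("allow-object", gc)] = access_check(DACL_ALLOW, token, "Read")
    return results


if __name__ == "__main__":
    for (obj, gc), granted in run_scenarios().items():
        print(f"{obj:12} via GC in {gc:16}: {'granted' if granted else 'denied'}")
    for ace in ineffective_aces(DACL_DENY + DACL_ALLOW, "corp.example"):
        print(f"ineffective on corp.example GC: {ace.kind} {ace.right} for {ace.trustee.name}")
```

Run against a GC in managed.example both objects behave as intended (deny-object denied, allow-object granted); against a GC in corp.example the deny ACE is dropped from the evaluation and the object is readable, while the allow ACE is dropped and the second object is unreadable. The ineffective_aces output is the list to review: every entry is an ACE whose intent does not hold on that GC.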
Global catalog replication
DNS zone replication in Active Directory
Application directory partitions
What Is the Global Catalog?
What's New in Active Directory
How to Configure Cross-Forest Administration (Exchange 2007)
Exchange 2007 Permission Considerations
Multiple Forest Considerations in Windows 2000 and Windows Server 2003
Group Scope (2003)
Group Type and Scope Usage in Windows
Accessing resources across-forests
Accessing resources across domains
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.