Granting membership query access

In a multiple-domain environment, TeamWork security is a little more complicated than in a single-domain environment, as shown in the following figure.

A user in Domain A can access the TeamWork application server in Domain B and open a vault as long as there is full trust between the two domains. But if there are TeamWork security roles assigned to the folder in the vault that the user attempts to access, TeamWork needs to be able to query the domain of the user to determine the user’s group memberships. In order to be able to do that, the account in Domain B under which the AutoManager EDM Server service is running needs read access to the Member Of attribute of the user in Domain A.

To grant the service read access to the Member Of attribute:

1. Install the Windows Server Support Tools on the domain controller computer of the user’s domain, if they are not installed already. The Windows Server Support Tools can be found on the Windows Server installation disc.
2. Start the ADSI Edit management console by running ADSIEDIT.MSC.
3. In ADSI Edit, right-click the domain’s DNS folder, and select Properties.
4. Click the Security tab and add the domain account under which the TeamWork services are being run. This should be an account in the server’s domain.
5. Click the Advanced button. The Permission Entry dialog box appears.
6. Click the Properties tab and check the Allow column of the Read Member Of permission.
7. Click OK to save your changes.