USO's MINI TRUSTS GUIDE
 
        A   ------- trusts ------->   B

   RESOURCES                    USER ACCOUNTS
   Trusting Domain              Trusted Domain
   Local Groups                 Global Groups
 

Domain A trusts Domain B with its resources: people who have accounts in B are granted access to the resources located at A.

(with the provision that those users have the proper access permissions to the resources)

Note: It only matters where the account is, not where the actual physical user is logging in from.

 

Microsoft Trust Concept: A G L P

Global Accounts go into Global Groups which are placed in Local Groups which get Permissions.

Note:

Global Groups can cross trusts.

Global Groups cannot be granted permissions to resources.

Local Groups function only in the domain in which they were created.

Local Groups can be granted permissions to resources.

The AGLP concept works as follows:

Global accounts should be placed in Global Groups in order to cross trusts (they could cross by themselves, but administering groups is easier than administering many user accounts).

Once the Global Groups cross the trust, they face the problem of accessing the resources, since Global Groups cannot be granted permissions to resources. Permissions can be granted to Local Groups only. Thus Global Groups are assigned to Local Groups, and the permissions are then granted to the Local Group. The permissions extend to all members of the Local Group (individual Accounts and Global Groups).
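
The AGLP chain above as a small Python model. This is an added example, not part of the original guide: it checks who ends up with access across a one-way trust. The domain names A and B follow the guide; the accounts, group names and the resource name are constructed for illustration.

```python
# Toy model of the AGLP rules in this guide. All account, group and
# resource names are constructed sample data.
class Domain:
    def __init__(self, name):
        self.name = name
        self.trusts = set()        # names of domains this domain trusts
        self.accounts = set()      # global (user) accounts
        self.global_groups = {}    # group name -> set of account names
        self.local_groups = {}     # group name -> set of (domain name, member)
        self.acls = {}             # resource -> set of local group names

    def add_to_local(self, group, member_domain, member):
        """Put an account or Global Group into one of this domain's Local Groups."""
        if member_domain.name != self.name and member_domain.name not in self.trusts:
            raise PermissionError(f"{self.name} does not trust {member_domain.name}")
        if member not in member_domain.accounts and member not in member_domain.global_groups:
            raise LookupError(f"{member} not found in {member_domain.name}")
        self.local_groups.setdefault(group, set()).add((member_domain.name, member))

    def grant(self, resource, local_group):
        """Permissions go only to Local Groups of the resource's own domain."""
        if local_group not in self.local_groups:
            raise ValueError(f"{local_group} is not a Local Group in {self.name}")
        self.acls.setdefault(resource, set()).add(local_group)

def has_access(resource_domain, resource, account_domain, account):
    """Walk P -> L -> G -> A from the resource's permissions back to the account."""
    for lg in resource_domain.acls.get(resource, ()):
        for mdom, member in resource_domain.local_groups[lg]:
            if mdom != account_domain.name:
                continue
            if member == account:            # account placed in the Local Group directly
                return True
            if account in account_domain.global_groups.get(member, ()):
                return True                  # account reached through a Global Group
    return False

def build_demo():
    a, b = Domain("A"), Domain("B")
    a.trusts.add("B")                        # A trusts B, not the other way round
    b.accounts |= {"alice", "bob"}
    b.global_groups["Sales"] = {"alice"}     # A -> G
    a.add_to_local("SalesFiles", b, "Sales") # G -> L, crossing the trust
    a.grant("reports", "SalesFiles")         # L -> P
    return a, b

if __name__ == "__main__":
    a, b = build_demo()
    for user in ("alice", "bob"):
        print(user, has_access(a, "reports", b, user))
```

The same walk, run over real group memberships, shows which accounts in the trusted domain actually reach a resource in the trusting domain.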