#1 Posted : Thursday, September 7, 2017 6:00:35 PM(UTC)

Rank: Guest

Joined: 9/7/2017(UTC)
Posts: 1
United Kingdom
Location: West Sussex

Hi All,

Our company has recently acquired another and they have been successfully using ScreenConnect - after a demo it looks pretty damn good and could solve a lot of our problems. Our team have inherited management of the system from the previous engineers, who are no longer here, so we are pretty much clueless about this product - they left very soon after getting visibility of their estate. Word has got around within the engineering workforce of this system and we are now being asked to enable its use for more staff; however, they all reside in different AD forests.

The server is installed in forest A and it now has 2-way trusts with forest B and forest C, B & C having a large number of users residing inside.

We'd like to enable user accounts from forest B at least and possibly C. We'd really prefer to not create duplicate accounts in forest A for the sake of one system, to keep things simple. It is worth noting that at some point, we will migrate systems and users from forests A and C to B, which is our main forest and intended goal long term.

I looked on the KB and under the Active Directory set up, it just says:
Is the user on a different domain than the server? If so, try pointing the directory server to the global catalog.

If I go into the Admin\Security\Windows Active Directory section and click Options\Configure, it doesn't show me the current AD server information - is it visible elsewhere?

The fact that the KB mentions the global catalog suggests it may be able to do it, but if I try entries in the "look up user" box such as (FOREST-B)\(Username) or (Username)@(FOREST-B UPN) it fails, which makes me think it cannot.

Has anyone else had this scenario, or does anyone know if it can authenticate across multiple forests? Or are we going to have to commission a whole new install in forest B for those user accounts?


#2 Posted : Friday, September 8, 2017 12:00:59 PM(UTC)

Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
For our User Sources, both the Windows Active Directory and LDAP methods are basically the same thing, except we assume some information for the Windows Active Directory method (the computer's system account, nearest domain controller, etc.).

Using the LDAP user source section, are you able to find users in both forests by pointing to the global catalog?

If not, can you find users in their respective forests by pointing to a specific DC within each?
ScreenConnect Team
#3 Posted : Monday, September 11, 2017 3:06:42 AM(UTC)

Rank: Newbie

Joined: 1/28/2016(UTC)
Posts: 37

Was thanked: 5 time(s) in 5 post(s)
We are using this functionality. We have multiple domains with 2-way trusts. You will need to point to your domain controller using the Global Catalog port (i.e. port 3268 for GC, 3269 for Secure GC). You should also create a service account. The account can be a USER. No admin permissions are required.
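
The two questions from post #2 (does a global catalog find the user, and if not, does a server in the user's own forest) can be checked by hand before the ScreenConnect user source is changed. The PowerShell below is an added example, not part of the thread or of ScreenConnect; the host names, the UPN and the function name Find-UserOnEndpoint are placeholders, and it assumes each listed server is a global catalog reachable on the secure GC port.

```powershell
# Added example (not from the thread). Host names, the UPN and the function
# name are placeholders; supply the low-privilege lookup account when prompted.
param(
    [string[]] $Endpoints = @('gc.forest-a.example:3269', 'gc.forest-b.example:3269'),
    [string] $UserPrincipalName = 'jdoe@forest-b.example',
    [pscredential] $Credential = (Get-Credential -Message 'Lookup service account')
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Find-UserOnEndpoint {
    param([string] $Endpoint, [string] $Upn, [pscredential] $Cred)
    $hostName, $port = $Endpoint -split ':'
    $id = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($hostName, [int] $port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Cred.GetNetworkCredential())
    $conn.SessionOptions.ProtocolVersion = 3
    # 3269 is the secure GC port and expects TLS; 3268 is the plain GC port.
    $conn.SessionOptions.SecureSocketLayer = ($port -eq '3269')
    $result = [pscustomobject]@{ Endpoint = $Endpoint; Found = $false; DN = $null; Error = $null }
    try {
        $conn.Bind()
        # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
        $safe = $Upn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
        # An empty search base on a GC port searches everything that GC holds.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            '', "(&(objectCategory=person)(userPrincipalName=$safe))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]] @('distinguishedName'))
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -gt 0) {
            $result.Found = $true
            $result.DN = $resp.Entries[0].DistinguishedName
        }
    } catch {
        $result.Error = $_.Exception.Message   # bind refused, TLS failure, unreachable host
    } finally {
        $conn.Dispose()
    }
    $result
}

# One row per endpoint: shows which server actually returns the account.
$Endpoints | ForEach-Object { Find-UserOnEndpoint $_ $UserPrincipalName $Credential }
```

An endpoint that binds but reports Found = False does not hold the account; an Error value points at connectivity, TLS or credential problems rather than at the directory contents.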
