Mapping Users and Groups that Exist in Multiple Domains
Users that are members of a group in a separate Active Directory domain can be mapped to their respective groups in ThingWorx by using the Forest Name Identifier option. When this field is populated with any string, it identifies a collection (forest) of domain controllers. Directory service objects configured with the same string can map groups from each other's domains within their Group Mapping configuration.

| Forest Name Identifier Value | Result |
|---|---|
| <blank> or empty string | Groups are only visible from the specific directory service object from which they are requested. |
| string that does not match any other directory service configuration | Groups are only visible from the specific directory service object from which they are requested. |
| string that matches one or more directory service configurations | Groups are visible from the specific directory service object from which they are requested as well as from the other directory service objects that have the matching Forest Name Identifier. |

Example 1: Groups visible from the specific Directory Service object being requested as well as the other Directory Service objects that have the matching Forest Name Identifier

| Domain Name | Configured Groups | Forest Name Identifier Value | Visible Groups for Mapping |
|---|---|---|---|
| Domain1 | Group1, Group2 | <blank> | Group1, Group2 |
| Domain2 | Group3, Group4 | <blank> | Group3, Group4 |
| Domain3 | Group5, Group6 | <blank> | Group5, Group6 |

Example 2: The Forest Name Identifier on all Directory Service objects is different

| Domain Name | Configured Groups | Forest Name Identifier Value | Visible Groups for Mapping |
|---|---|---|---|
| Domain1 | Group1, Group2 | "domainForest1" | Group1, Group2 |
| Domain2 | Group3, Group4 | "DomainForest" | Group3, Group4 |
| Domain3 | Group5, Group6 | "Domain Forest" | Group5, Group6 |

Example 3: The Forest Name Identifier on 2 of the 3 Directory Service objects is identical

| Domain Name | Configured Groups | Forest Name Identifier Value | Visible Groups for Mapping |
|---|---|---|---|
| Domain1 | Group1, Group2 | "domainForest" | Group1, Group2, Group3, Group4 |
| Domain2 | Group3, Group4 | "domainForest" | Group1, Group2, Group3, Group4 |
| Domain3 | Group5, Group6 | <blank> | Group5, Group6 |

Example 4: The Forest Name Identifier on all three Directory Service objects is identical

| Domain Name | Configured Groups | Forest Name Identifier Value | Visible Groups for Mapping |
|---|---|---|---|
| Domain1 | Group1, Group2 | "domainForest" | Group1, Group2, Group3, Group4, Group5, Group6 |
| Domain2 | Group3, Group4 | "domainForest" | Group1, Group2, Group3, Group4, Group5, Group6 |
| Domain3 | Group5, Group6 | "domainForest" | Group1, Group2, Group3, Group4, Group5, Group6 |
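
The visibility rule shown in the examples can be checked offline before changing a Forest Name Identifier. The following is an added example, not PTC code or a ThingWorx API: it computes the visible groups per directory service object and flags identifiers that differ only by case or whitespace. The dict layout and function names are hypothetical, and exact string matching of identifiers is an assumption (the page's Example 2 shows that "DomainForest" and "Domain Forest" do not match).

```python
from collections import defaultdict

# Constructed sample mirroring Example 3 above. The dict layout is hypothetical,
# not a ThingWorx export format.
EXAMPLE_3 = {
    "Domain1": {"forest_id": "domainForest", "groups": ["Group1", "Group2"]},
    "Domain2": {"forest_id": "domainForest", "groups": ["Group3", "Group4"]},
    "Domain3": {"forest_id": "", "groups": ["Group5", "Group6"]},
}


def visible_groups(services):
    """Return {domain: sorted list of groups visible for mapping}.

    Assumption: identifiers match only on exact string equality, and a blank
    identifier never matches another directory service object.
    """
    members = defaultdict(list)
    for name, cfg in services.items():
        if cfg["forest_id"]:
            members[cfg["forest_id"]].append(name)
    result = {}
    for name, cfg in services.items():
        peers = members[cfg["forest_id"]] if cfg["forest_id"] else [name]
        result[name] = sorted({g for p in peers for g in services[p]["groups"]})
    return result


def near_miss_identifiers(services):
    """Return sets of identifiers that differ only by case or whitespace.

    Under the exact-match assumption these objects do not share groups, so
    each set is worth reviewing as a probable typo.
    """
    buckets = defaultdict(set)
    for cfg in services.values():
        fid = cfg["forest_id"]
        if fid:
            buckets["".join(fid.split()).casefold()].add(fid)
    return [sorted(ids) for ids in buckets.values() if len(ids) > 1]


if __name__ == "__main__":
    for domain, groups in visible_groups(EXAMPLE_3).items():
        print(domain, "->", ", ".join(groups))
    print("near-miss identifiers:", near_miss_identifiers(EXAMPLE_3))
```

Comparing the output before and after an identifier change shows which additional domains' groups become mappable, which is the access-control effect to review.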