Various services exist for managing computer networks. Such services may be configured to manage users and groups, and resources of the network that may be accessed by the users and groups. For example, Active Directory®, published by Microsoft Corporation of Redmond, Wash., is a directory service used to store information about the entities contained in a network. Active Directory® maintains a network structure as a hierarchical framework of objects. Several categories of objects exist in such a structure, including resources (e.g., printers, computers, etc.), services (e.g., email), and user-related objects such as user accounts and groups. The network structure provides various functions, including providing information on the objects, organizing the objects, controlling access, and setting security.
A computer network may be managed by such a service at various levels. For example, in one configuration, a highest level may be referred to as a “forest.” A forest includes all objects of a particular network, including all users and groups of the network. A forest may include one or more domains. Each domain may include a portion of the objects included in the forest. Further levels may be present in networks, such as “trees” (a level between forest and domain) and/or further types of levels.
Multiple computer networks may exist that are each managed as a separate forest. It may be desirable for multiple separate forests to be able to share objects, such as user accounts and groups. For example, a business entity may maintain two networks implemented as first and second forests. The business entity may want users in the first forest to be able to access resources in the second forest, and users in the second forest to be able to access resources in the first forest. Furthermore, it may be desirable for user accounts in the first forest to be members of groups in the second forest, and vice versa. In current implementations, to be a member of a group in a second forest, a user account of the first forest is provided with a representation in the second forest. For example, the user account may have a security proxy in the second forest that enables the user to be a member of a security group, or may have a contact proxy in the second forest to enable the user to be included in a mail group. However, the rules for determining when security proxies and contact proxies are generated, and for managing such proxies, are complex.