In Active Directory Federation Services (AD FS), a resource account is a user account that is stored in one Active Directory forest (the resource partner forest) for the sole purpose of impersonating a user account that is actively used, for example, by an employee and stored in another Active Directory forest (the account partner forest).

Resource accounts must be created in the resource partner forest so that the employee, whose user account is located in the account partner forest, can access Web-based, Windows NT token–based applications through AD FS. Resource accounts and resource groups are also necessary for claims-aware applications.

The Web resource on the resource side is protected with access control lists (ACLs) that reference user accounts or groups in the resource partner forest. The administrator has to create the resource accounts and then add an access control entry for each resource account to the ACL of the resource.

To reduce administrative overhead, the resource-side administrator may configure one or more security groups, which are created in Active Directory Domain Services (AD DS), that will be used to map to incoming group claims from their account partners. A security group that is mapped to an incoming group claim that is used by AD FS is called a resource group.

You can use the following procedure to configure resource groups.

To configure a resource group
  1. In the Active Directory Users and Computers snap-in on a domain controller in the resource partner forest, create a new security group.

  2. Assign the appropriate access to this security group from the Web resource that is protected by AD FS.

  3. In the Active Directory Federation Services snap-in, create a new group claim, and in the newly created claim's properties page, click the Resource Group tab. Click the button to map the new security group in AD DS to the new group claim. At this point the new security group is referred to as a "resource group."

  4. Under Federation Service\Trust Policy\Partner Organizations\Account Partners\<accountpartnername>\, create a new incoming group claim mapping to map the new group claim and its associated resource group to any incoming group claims that come from the account partner forest.
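The following PowerShell script is an added example, not part of the original documentation, that carries out steps 1 and 2 of the procedure above on the resource partner side: it creates the security group that will become the resource group and grants that group, and only that group, read and execute access to the folder that hosts the AD FS-protected Web resource. It then lists every principal that is allowed access to the folder so that a broad grant (Everyone, Authenticated Users, Domain Users) is noticed before the group claim mapping is created. The group name, the OU, and the folder path are assumptions; steps 3 and 4 are performed in the Active Directory Federation Services snap-in as described above and are not scripted here. The script requires the ActiveDirectory module (RSAT) and administrative rights on the Web server.

```powershell
# Added example (not Microsoft's code): create the resource group and grant it
# access to the Web resource. Group name, OU and folder path are assumptions.
Import-Module ActiveDirectory

$GroupName     = 'ADFS-ResourceGroup-ClaimsApp'                 # assumed group name
$GroupOU       = 'OU=Federation Groups,DC=resource,DC=example'  # assumed OU in the resource forest
$WebRoot       = 'D:\inetpub\ClaimsApp'                         # assumed folder of the Web resource
$DomainNetBIOS = (Get-ADDomain).NetBIOSName

# Step 1: create the security group in the resource partner forest if it is not there yet.
# Domain local scope is a choice made here; the page does not prescribe a scope.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
        -Description 'Resource group mapped to an incoming AD FS group claim' -PassThru
}

# Step 2: grant the group read and execute on the Web resource (least privilege for a
# browse-only application); the rule inherits to subfolders and files.
$acl  = Get-Acl -Path $WebRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$DomainNetBIOS\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $WebRoot -AclObject $acl

# Check: list every principal that is allowed access to the resource and flag grants
# that are broader than the resource group. Fix those before mapping the group claim
# in the AD FS snap-in (steps 3 and 4), otherwise the mapping does not actually gate access.
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', "$DomainNetBIOS\Domain Users")
(Get-Acl -Path $WebRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $flag = if ($broad -contains $_.IdentityReference.Value) { ' <-- broader than the resource group' } else { '' }
        '{0,-45} {1}{2}' -f $_.IdentityReference, $_.FileSystemRights, $flag
    }
```

Run the script on the Web server in the resource partner forest under an account that can create groups in the chosen OU. The final listing is the check worth keeping: the resource group mapping only restricts access to the application if no wider principal already holds an Allow entry on the same folder.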

When you map an incoming group claim to a resource group, it is no longer necessary for an administrator in the resource partner forest to create a resource account for each user in the account partner forest who needs access to the Windows NT token–based application that is protected by AD FS.

By default, AD FS configures account partner properties so that a resource partner administrator can map incoming group claims to one or more resource groups. However, you can change this default behavior by selecting one of the following resource account options: