Re: OU Security - best setup?

From: Steven L Umbach (
Date: 05/17/04

Date: Mon, 17 May 2004 16:13:38 GMT

Well "insure privacy" will be hard to do on a single domain. I would however
configure the Domain Security Policy to use password complexity as poor passwords are
still the biggest problem to securing resources. Also consider an account lockout
policy with a lockout threshold of no less than ten bad attempts and perhaps a twenty
minute lockout period to help deter hack attempts from within the domain. Enabling
auditing of account logon events, account management, and policy change on domain
controllers and logon events on servers is a great idea so that the security log in
Event Viewer can be reviewed for attempts of unauthorized access. If there is any
data on any server [other than a domain controller] that you do not want "sniffed"
off of the network, consider implementing ipsec policies. Only Windows 2000/2003/XP
Pro computers however can use ipsec and domain controllers must be exempt from ipsec
communications with domain members. The links below on ipsec may be helpful if
interested. --- Steve --- tips on
auditing --- tips on
domain account/password policy
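A way to act on the auditing and lockout advice above, as an added example that is not part of this thread and not Microsoft's tooling: a Python script that applies the lockout-policy arithmetic Steve recommends (ten bad attempts inside a twenty-minute window, twenty-minute lockout) to a constructed export of failed-logon entries from the Security log, so a reviewer can see which accounts would have been locked out and which workstations the attempts came from. The comma-separated export layout and the use of event ID 529 for a failed logon are assumptions about how the log was exported.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10                   # bad attempts before the account locks
LOCKOUT_WINDOW = timedelta(minutes=20)   # observation window / lockout period
FAILED_LOGON = 529                       # Windows 2000 "Logon Failure" event (assumed export)

# Constructed sample export: "timestamp,event_id,account,workstation" per line.
# bob: 12 bad passwords in 12 minutes from one workstation (should lock at the 10th).
# alice: 3 failures spread over more than 20 minutes (should never lock).
SAMPLE_LOG = "\n".join(
    [f"2004-05-17 09:{m:02d}:00,529,bob,WS-B07" for m in range(12)]
    + ["2004-05-17 09:05:00,529,alice,WS-A01",
       "2004-05-17 09:40:00,529,alice,WS-A01",
       "2004-05-17 10:15:00,529,alice,WS-A01",
       "2004-05-17 10:16:00,528,alice,WS-A01"]   # 528 = successful logon, ignored
)

def parse_lines(text):
    """Turn the export into (time, event_id, account, workstation) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, station = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account.lower(), station))
    return sorted(events)

def review_failures(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay the lockout counter per account; report lockout times and source stations."""
    recent = defaultdict(list)   # account -> timestamps of bad attempts inside the window
    report = defaultdict(lambda: {"lockouts": [], "sources": defaultdict(int)})
    for ts, event_id, account, station in events:
        if event_id != FAILED_LOGON:
            continue
        attempts = [t for t in recent[account] if ts - t <= window] + [ts]
        recent[account] = attempts
        report[account]["sources"][station] += 1
        if len(attempts) >= threshold:
            report[account]["lockouts"].append(ts.strftime("%Y-%m-%d %H:%M:%S"))
            recent[account] = []   # the counter starts over once the account is locked
    return {a: {"lockouts": r["lockouts"], "sources": dict(r["sources"])}
            for a, r in report.items()}

if __name__ == "__main__":
    for account, info in review_failures(parse_lines(SAMPLE_LOG)).items():
        print(account, "lockouts:", info["lockouts"], "from:", info["sources"])
```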

<> wrote in message
> Steve,
> thanks heaps for the information - Greatly appreciated. Is
> there anything else I should configure to ensure each
> company retains its privacy?
> >-----Original Message-----
> >Ideally for best security for each company and to restrict what users can
> >"see" each company should be on its own subnet and each in its own forest
> >to accomplish what you want to do. In a single forest the administrators in
> >the root domain can access anything in the forest by putting themselves in
> >the enterprise administrator group. Of course that would require more domain
> >controllers - at least two for each domain is recommended.
> >
> >If you insist on using an OU for each company you can not restrict what a
> >user will see in My Network Places as netbios name resolution and the
> >browser service are totally different and foreign from the AD OU concept.
> >The master browser which will by default be the pdc fsmo role holder will
> >build a list for the whole domain. It is possible to restrict users to see
> >only what is in their OU if you have disabled netbios over tcp/ip in the
> >domain and are using only AD to locate domain resources. A user will not be
> >able to see another OU if he does not have read permissions to that OU.
> >However disabling netbios over tcp/ip is still not practical nor desirable
> >for most networks and ALL applications must not rely on netbios over tcp/ip
> >before disabling.
> >
> >You can however restrict actual access to servers in an OU to certain groups
> >of regular users. You do that by configuring a GPO for that OU and then
> >configuring the user rights assignments for logon locally and access this
> >computer from the network to only include authorized groups such as users
> >for each company put into a security group. In addition configure share/ntfs
> >permissions to only have users from the appropriate company security group.
> >Ipsec policies can also be configured to restrict which computers can
> >communicate with each other, though domain controllers need to be exempt
> >from any ipsec negotiation policy via their IP addresses. --- Steve
> >
> >
> >"LukeF" <> wrote in message
> >news:de7501c43bc1$72917a00$a301280a@phx.gbl...
> >> Hi all and thanks in advance. I will explain my situation
> >> and what I'm trying to do.
> >>
> >> Current setup
> >>
> >> 1. Windows 2000 domain (domain.local)
> >> 2. 3 OU's that represent 3 different companies. (let's call
> >> them A, B and C)
> >>
> >> Now, these 3 companies are all part of the same group and
> >> therefore share resources (IT costs etc) but the companies
> >> are totally different organisations and therefore we need
> >> to nail down the security for each company.
> >>
> >> We would like to do the following;
> >>
> >> - Each OU can only access its own servers
> >> - When browsing in Network neighbourhood they can only see
> >> computers in their respective OU
> >>
> >> What would be the best way to secure the OU's so people
> >> can only access resources in the company they work for?
> >>
> >> Regards,
> >>
> >> Luke F