Re: Transitive Trust

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 10/07/04


Date: Thu, 7 Oct 2004 12:36:58 +0200

Domain administrator in domain B can't by default administer domain A even
if there is transitive trust between domains. For an administrator in domain B
to manage domain A, he would have to be in the "A\Domain Administrator" group,
while by default he will only be in the "B\Domain Administrator" group... Same
goes the other way...

Transitive trust means e.g. if A trusts B and A trusts C then B trusts C and C
trusts B. But still an administrator in domain B is not an administrator in domain
C unless an administrator in domain C designates him as such (grants him
appropriate permissions in domain C)...

In e.g. Windows NT, when domain A trusted domain B and domain C and you
also required trust between B and C, you had to create separate trusts --
which made large organizations hard to manage due to the large number of
trusts...

You don't have to buy a new domain name for a separate forest. You could
implement a domain named e.g. domain.local or domain.ad, etc...

Active Directory Services and Windows 2000 or Windows Server 2003 Domains
(Part 1)
http://support.microsoft.com/default.aspx?scid=kb;en-us;310996&Product=win2000

Mike

"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:15df01c4ac57$3dd66710$a401280a@phx.gbl...
> Thanks for the response.
>
> The domain we are going to add will be managed by external
> contractors, they will have admin rights on this domain.
> As I understand it with Transitive trusts they would
> automatically have admin rights on the parent domain, but
> if I am able to remove the trust from child to parent
> (preventing parent from trusting child) then this would
> solve the problem. Although I would (I think) have to
> remove trusts from the other child domain within the
> forest.
>
> If I did this would the trusts be automatically re-built
> by W2000? or by W2003 when we upgrade?
>
> Perhaps I'm better off creating a separate forest and
> register another domain name? It would be nice from an
> administration and name-space point of view if I could set
> this up as a child domain. Any thoughts?
>
> Pete.
> >-----Original Message-----
> >Hi Pete,
> >
> >Microsoft changed its opinion on domain being security
> >boundary due to some possible exploits. Now the security
> >boundary is the forest.
> >
> >While transitive trust can provide easy access between
> >domains (e.g. domain A and B) user B will still need
> >permissions on resources in domain A to access e.g. shares
> >(and the other way around).
> >So if you have a share in domain A that will allow domain
> >users (this will be A\Domain Users) full control, this will
> >not allow user in domain B to access this share. To allow
> >users in domain B to access this share, administrator or
> >other user with appropriate permissions will have to add
> >B\Domain Users to this share and grant them necessary
> >permissions...
> >
> >If you allow default Windows 2000 permissions (everyone
> >full control) that will allow users from domain B to access
> >resources in domain A...
> >
> >Mike
> >
> >"Pete" <anonymous@discussions.microsoft.com> wrote in
> >message news:1d2501c4ac4a$5f4ce9d0$a601280a@phx.gbl...
> >> Question:
> >> If I add a child domain is it ok to remove one of the
> >> trusts from the transitive trusts that are automatically
> >> generated (so child domain trusts parent but not the
> >> other way around) or will this be re-instated by W2000.
> >>
> >> Reason:
> >> Looking to add a domain into our name space but don't
> >> want administrators of the new domain to have access to
> >> other domains.
> >>
> >> Taken from Microsoft Documentation:
> >> Important
> >> Previously published Active Directory documentation
> >> states that a domain is a security boundary, but this
> >> documentation does not provide specific details about
> >> the level of autonomy and isolation that is possible
> >> among domains in a forest. Although a domain is, in fact,
> >> a security boundary with regard to the management of
> >> security policies for Active Directory, it does not
> >> provide complete isolation in the face of possible
> >> attacks by service administrators
> >>
> >
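As an added example (not part of the thread, and not Microsoft's code): a PowerShell audit that shows the two things Mike's replies rely on, namely that a trust by itself only defines who can be named in an ACL, and that it is the share permissions (Everyone Full Control, or explicit grants to the other domain's principals) that actually let users from domain B into domain A. It assumes the RSAT ActiveDirectory module and the SmbShare module (Windows Server 2012 or later, not the Windows 2000/2003 systems discussed here) and is run on a file server in the domain being protected.

```powershell
# Added example (not from the thread): audit what a transitive trust actually grants.
# Assumes the RSAT ActiveDirectory module and the SmbShare module (Windows Server
# 2012 or later). Run on a file server in the domain being protected (domain A).
Import-Module ActiveDirectory
Import-Module SmbShare

$localDomain = (Get-ADDomain).NetBIOSName

# 1. Trusts: direction and transitivity. A trust grants no rights by itself;
#    it only lets the other domain's principals be named in ACLs here.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive, TrustType |
    Format-Table -AutoSize

# 2. Share permissions: the entries that actually open a share to other domains
#    are well-known groups that span every trusted domain (Everyone, the Windows
#    2000 default the thread mentions, and Authenticated Users) and explicit
#    grants to principals from another domain.
$spanning  = @('Everyone', 'NT AUTHORITY\Authenticated Users')
$localOnly = @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE', $localDomain)

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $domainPart = ($ace.AccountName -split '\\')[0]
        $why = $null
        if ($spanning -contains $ace.AccountName) {
            $why = 'well-known group, includes users from every trusted domain'
        } elseif (($ace.AccountName -like '*\*') -and ($localOnly -notcontains $domainPart)) {
            $why = "explicit grant to a principal in domain $domainPart"
        }
        if ($why) {
            [pscustomobject]@{
                Share     = $share.Name
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
                Reason    = $why
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No share permission on this server reaches beyond the local domain.'
}
```

The second part is the one to re-run after adding a child domain: a share granting Everyone Full Control will list as reachable from the new domain even though no trust or group membership was changed by hand.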


