Re: Transitive Trust - Thanks!
anonymous_at_discussions.microsoft.com
Date: 10/07/04
Date: Thu, 7 Oct 2004 05:18:47 -0700
Thanks to you both for your responses.
I think I'll go for the separate forest option, to keep
things nice and secure.
Cheers.
Pete.
>-----Original Message-----
>Thanks for the response.
>
>The domain we are going to add will be managed by external
>contractors, they will have admin rights on this domain.
>As I understand it with Transitive trusts they would
>automatically have admin rights on the parent domain, but
>if I am able to remove the trust from child to parent
>(preventing parent from trusting child) then this would
>solve the problem. Although I would (I think) have to
>remove trusts from the other child domain within the
>forest.
>
>If I did this would the trusts be automatically re-built
>by W2000? or by W2003 when we upgrade?
>
>Perhaps I'm better off creating a separate forest and
>register another domain name? It would be nice from an
>administration and name-space point of view if I could set
>this up as a child domain. Any thoughts?
>
>Pete.
>>-----Original Message-----
>>Hi Pete,
>>
>>Microsoft changed its opinion on the domain being a security boundary due to some
>>possible exploits. Now the security boundary is the forest.
>>
>>While transitive trust can provide easy access between domains (e.g. domain
>>A and B) user B will still need permissions on resources in domain A to
>>access e.g. shares (and the other way around).
>>So if you have a share in domain A that will allow domain users (this will
>>be A\Domain Users) full control, this will not allow a user in domain B to
>>access this share. To allow users in domain B to access this share,
>>an administrator or other user with appropriate permissions will have to add
>>B\Domain Users to this share and grant them necessary permissions...
>>
>>If you allow default Windows 2000 permissions (everyone full control) that
>>will allow users from domain B to access resources in domain A...
>>
>>Mike
>>
>>"Pete" <anonymous@discussions.microsoft.com> wrote in message
>>news:1d2501c4ac4a$5f4ce9d0$a601280a@phx.gbl...
>>> Question:
>>> If I add a child domain is it ok to remove one of the
>>> trusts from the transitive trusts that are automatically
>>> generated (so child domain trusts parent but not the other
>>> way around) or will this be re-instated by W2000.
>>>
>>> Reason:
>>> Looking to add a domain into our name space but don't want
>>> administrators of the new domain to have access to other
>>> domains.
>>>
>>> Taken from Microsoft Documentation:
>>> Important
>>> Previously published Active Directory documentation states
>>> that a domain is a security boundary, but this
>>> documentation does not provide specific details about the
>>> level of autonomy and isolation that is possible among
>>> domains in a forest. Although a domain is, in fact, a
>>> security boundary with regard to the management of
>>> security policies for Active Directory, it does not
>>> provide complete isolation in the face of possible attacks
>>> by service administrators
>>>