Re: Single forest Sec boundary?? advise....!
From: S. Pidgorny
Date: 10/28/03
- In reply to: Paul: "Single forest Sec boundary?? advise....!"
Date: Tue, 28 Oct 2003 21:24:06 +1100
Paul,
You haven't specified what groupware product you're using. With Microsoft
Exchange, you can have GAL and calendar information synchronised across
multiple forests (MMS and InterOrg replication utility come to mind).
However, maintaining a single e-mail domain across forests might be a problem.
Ask in Exchange groups for details.
If you do not want to redesign your messaging system but only to enforce
strict separation of the domain administrators' authority, it is possible
too:
* Enterprise admins universal group can be excluded from the domain admins
group in each domain - you will have to be local domain admin to modify
admin groups.
* You can add firewall separation to the picture, allowing only replication
traffic between the domains. Domain partition of AD isn't replicated
between the domains, so it will not be available outside domain boundaries.
* "Do nothing" is the preferred option in your case - child domain admins do not
have authority over the forest root, other child domains, schema etc. I
haven't seen a requirement to protect a child domain from the root domain
admins.
Everything is possible.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Paul" <Paulkrb4@hotmail.com> wrote in message
news:eMqvecHnDHA.2676@TK2MSFTNGP11.phx.gbl...
> Hello,
>
> I have been advising people that should a company require separation in
> terms of security that a Forest is the only true boundary. However, I'm now
> in a situation where a company who requires two of its businesses to be kept
> separate from each other, while maintaining a single global address list and
> calendar sharing...
>
> My question is this, In one forest is it possible to secure it in such way
> that administrators in one child domain cannot interfere or put at risk
> other child domains within the forest? taking into consideration removal of
> enterprise admins from the child domains and in the root domain service
> level administrators are trusted across the entire company.
>
> Trusts between forests would not provide a solution in this due to the
> security constraints within the company, Total separation means total
> separation. They have tasked me with pointing out what the exact security
> risks are, and whether they are manageable through design within a single
> forest.
>
> Any pointers / help on where to look for information or advice would be most
> gratefully received.
>
> Many thanks
>
> Paul,
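
An audit for the first option in the reply above, as an added example that is not part of the original thread: for every domain in the forest it reports whether Enterprise Admins is a direct member of that domain's Domain Admins or built-in Administrators group. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to a domain controller in each domain.

```powershell
# Added example, not from the original post.
# Assumption: run as a user who can read group objects in every domain of the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Server $forest.RootDomain

# Enterprise Admins lives in the forest root domain with the well-known RID 519.
$eaSid = "$($rootDomain.DomainSID.Value)-519"
$ea    = Get-ADGroup -Identity $eaSid -Server $rootDomain.PDCEmulator

$report = foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Server $name
    $dc     = $domain.PDCEmulator

    $targets = @(
        'S-1-5-32-544'                      # BUILTIN\Administrators (same SID in every domain)
        "$($domain.DomainSID.Value)-512"    # Domain Admins (well-known RID 512)
    )

    foreach ($sid in $targets) {
        # Read the raw 'member' attribute and compare distinguished names;
        # inside one forest a cross-domain member is stored by its DN.
        $group = Get-ADGroup -Identity $sid -Server $dc -Properties member
        [pscustomobject]@{
            Domain                   = $name
            Group                    = $group.Name
            EnterpriseAdminsIsMember = $group.member -contains $ea.DistinguishedName
            DirectMemberCount        = @($group.member).Count
        }
    }
}

$report | Format-Table -AutoSize
```

Only direct membership is checked; nested groups that contain Enterprise Admins are not expanded.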