Re: Nesting domain groups under local groups
- From: "fpbear" <dontsendhere@xxxxxxxxxx>
- Date: Sun, 18 Mar 2007 16:43:09 -0700
Thanks Lanwench, I didn't think to use remote credentials. Although it is
tricky - the application checks the custom group membership, and based on
this, allows access to the SQL Server data objects and remote DCOM
components across the network. So the application doesn't just connect to a
file resource; it has been designed over the years to rely on these custom
groups for its internal security checking via various network communication
methods.
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uFF1v9aaHHA.4000@xxxxxxxxxxxxxxxxxxxxxxx
fpbear <dontsendhere@xxxxxxxxxx> wrote:
The users will need to be able to logon to another domain in order to
access the other domain's file sharing resources, to collaborate
across the network with other users in this application. Using
cached domain credentials would get the user on the machine, but
without access to the other domain's network resources (if I
understand correctly).
Ah, no, not at all. If you've logged in to your "usual" domain on a
laptop/computer, using cached credentials, you can then connect to
resources on the network you're physically connected to - whether it's
another domain, a home workgroup, or pretty much anything you can actually
see/reach across the network. All you have to do is supply the appropriate
remote credentials.
For example, one easy way in a comman line/batch file -
net use x: \\otherserver\share /user:OTHERDOMAIN\otherusername
/persistent:no
....they will be prompted for the OTHERDOMAIN\otherusername password and
can supply it - it'll persist throughout the login session. Any other
resources on the OTHERDOMAIN servers/network that they then want to
connect to, will use the otherusername credentials.
That's only one way - but it's often the easiest.
Further, the user's data files are protected with NTFS file DACLs
that allow only the user's group access. If the user disconnects
from the home domain and logs onto another domain without the group
nesting scheme described previously, the user would be locked out of
their own files.
They don't disconnect. They *always* log into their own domain with cached
credentials. Users shouldn't have rights to change their domain
membershipor network config anyway, really.
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
I'm still confused, I guess. Why can't they belong to domainX, and
*always* log into domainX no matter where they are - whether they can
reach a domainX DC or not?
.
- Follow-Ups:
- Re: Nesting domain groups under local groups
- From: Lanwench [MVP - Exchange]
- Re: Nesting domain groups under local groups
- References:
- Nesting domain groups under local groups
- From: fpbear
- Re: Nesting domain groups under local groups
- From: Lanwench [MVP - Exchange]
- Re: Nesting domain groups under local groups
- From: fpbear
- Re: Nesting domain groups under local groups
- From: Lanwench [MVP - Exchange]
- Re: Nesting domain groups under local groups
- From: fpbear
- Re: Nesting domain groups under local groups
- From: Lanwench [MVP - Exchange]
- Nesting domain groups under local groups
- Prev by Date: Re: Nesting domain groups under local groups
- Next by Date: Want Mcafee Internet Security Suite 2007 user only
- Previous by thread: Re: Nesting domain groups under local groups
- Next by thread: Re: Nesting domain groups under local groups
- Index(es):
Relevant Pages
|
