Subject: [ActiveDir] Preventing users from logging on locally over a trust
Dimebag
01/05/2009 9:52 AM  
Hi

Scenario:

Domain A and Domain B trust each other in a two way transitive trust.

The DOA model in Domain A is such that groups are set up within Domain A and
delegated rights within GPO to prevent users from logging on locally to
servers, but not workstations.

Any user from Domain A can log into any workstation in Domain A, this
obviously then goes for any user within Domain B as well.

Is there any easy way people can think of, aside from changing the trust to
one way, from denying local logon rights to users over the trust.

Such that if a user from Domain A tried to log into a workstation on Domain
B they were denied the action even though the trust was in place.

I've not really had much time to think about this and I'm half asleep so
apologies if I'm missing the obvious. First day back at work and lack of
sleep.

Obviously a group could be made and further delegated via GPO to be a deny
logon locally group within policy but I'm at a bit of a loss as to how I'd
reference users that have authenticated from another Domain over a trust.

Also if you're wondering why I'm asking this, the point, I haven't much of a
clue either.

It's as cut and dry as it sounds. I guess we trust them to look up things in
the AD but not use our workstations :)

Thanks a lot in advance

Paul


skaufman-itt
01/05/2009 10:00 AM  
We do something very similar...

For each Domain, change the "Allow Log on Locally" setting (Computer
Configuration/Windows Settings/Security Settings/Local Policies/User
Rights Assignments) on the GPO at the OU where the computers are
located, to only allow Domain A users to log on to Domain A machines (or
vice-versa for Domain B) and remove "Users" and optionally "Guest".

Do this on both Domains and wait for the GPO to populate and machines to
refresh/reboot.

This should get you what you're asking.

Scott



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Paul M
Sent: Monday, January 05, 2009 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preventing users from logging on locally over a
trust


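The step Scott describes only works if the "Allow log on locally" right no longer contains a group that spans the trust, and "Users" is the one that usually slips through because BUILTIN\Users contains Authenticated Users by default, which covers every account from a trusted domain. The following PowerShell audit is an added example, not code from either poster: it exports the effective local security policy with secedit on a workstation and lists who holds SeInteractiveLogonRight and SeDenyInteractiveLogonRight, flagging trust-spanning groups and SIDs outside the machine's own domain. It assumes an elevated prompt on a domain-joined workstation, that the ADSI serverless bind lands on the workstation's own domain, and that the `[ADSI]` accelerator exposes the domain `objectSid` via `.Value` (all three are assumptions, not something the thread states).

```powershell
# Added audit (not from the thread): who can, and who is denied, "log on locally"?
# Assumes: elevated prompt, domain-joined workstation, ADSI binds to the machine's domain.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null   # exports the effective policy

# Domain SID of this machine's domain, read from the domain head via ADSI (assumption).
$dom = [ADSI]"LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
$ownDomainSid = (New-Object System.Security.Principal.SecurityIdentifier($dom.objectSid.Value, 0)).Value

# Groups whose membership is not limited to one domain. "Users" matters because it
# contains Authenticated Users by default, so it admits every trusted-domain account.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-PrincipalsForRight([string]$Right) {
    # Exported line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        $name = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable entry: plain name, deleted SID, or unreachable domain
        $note = if ($broad.ContainsKey($sid)) { 'spans trusts' }
                elseif ($sid -like 'S-1-5-21-*' -and -not $sid.StartsWith($ownDomainSid)) {
                    'not this domain (local account or trusted domain)' }
                else { '' }
        [pscustomobject]@{ Right = $Right; Sid = $sid; Name = $name; Note = $note }
    }
}

# Review both rights: a "spans trusts" entry under SeInteractiveLogonRight means the
# GPO change has not taken effect (or was never applied) on this workstation.
'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight' |
    ForEach-Object { Get-PrincipalsForRight $_ } | Format-Table -AutoSize
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it after the GPO refresh Scott mentions; an empty Note column for every SeInteractiveLogonRight entry is the state you want.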