Subject: Re: [ActiveDir] Preventing users from logging on locally over a trust
01/05/2009 10:53 AM  
You can change trust to be selective and deny logon to workstations.

Thank you, Tony.


Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 |
USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com



From: "Paul M" <dimebag@synergieone.com>
To: ActiveDir@mail.activedir.org
Date: 01/05/2009 08:45 AM
Subject: [ActiveDir] Preventing users from logging on locally over a trust
Sent by: ActiveDir-owner@mail.activedir.org



Hi

Scenario:

Domain A and Domain B trust each other in a two way transitive trust.
The DOA model in Domain A is such that groups are set up within Domain A
and delegated rights within GPO to prevent users from logging on locally
to servers, but not workstations.
Any user from Domain A can log into any workstation in Domain A, this
obviously then goes for any user within Domain B as well.

Is there any easy way people can think of, aside from changing the trust
to one way, from denying local logon rights to users over the trust.
Such that if a user from Domain A tried to log into a workstation on
Domain B they were denied the action even though the trust was in place.

I've not really had much time to think about this and I'm half asleep so
apologies if I'm missing the obvious. First day back at work and lack of
sleep.
Obviously a group could be made and further delegated via GPO to be a deny
logon locally group within policy but I'm at a bit of a loss as to how I'd
reference users that have authenticated from another Domain over a trust.

Also if you're wondering why I'm asking this, the point, I haven't much of
a clue either.
It's as cut and dry as it sounds. I guess we trust them to look up things
in the AD but not use our workstations :)

Thanks a lot in advance

Paul
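
As an added example (not part of either message), one way to check for and enable the selective trust setting mentioned in the reply, using PowerShell with the ActiveDirectory module and `netdom`. The two domain names are placeholders, and the script assumes it runs with rights to modify the trust.

```powershell
# Added example; the domain names are placeholders (assumptions), not from the thread.
Import-Module ActiveDirectory

$TrustingDomain = 'domainb.example'   # domain whose workstations are being protected
$TrustedDomain  = 'domaina.example'   # domain whose users should be kept off them

# 1. Report every trust held by the trusting domain and its current setting.
Get-ADTrust -Filter * -Server $TrustingDomain |
    Select-Object Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Selective authentication exists only on external and forest trusts.
#    A trust between two domains of the same forest cannot be made selective.
$trust = Get-ADTrust -Identity $TrustedDomain -Server $TrustingDomain
if ($trust.IntraForest) {
    throw "Trust with $TrustedDomain is intra-forest; selective authentication is not available."
}

# 3. Turn selective authentication on if it is not already set.
if (-not $trust.SelectiveAuthentication) {
    netdom trust $TrustingDomain /domain:$TrustedDomain /SelectiveAUTH:Yes
}

# 4. Confirm the change.
Get-ADTrust -Identity $TrustedDomain -Server $TrustingDomain |
    Select-Object Name, SelectiveAuthentication
```

Once the trust is selective, users from the trusted domain can authenticate only to computers on which they hold the "Allowed to Authenticate" permission, so granting it on server objects and not on workstation objects gives the split asked about. For a two-way trust, repeat the procedure from the other domain to restrict the opposite direction.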






