Compatible Support Forums
Mugen C

Permission control across multiple domains


Hi there, here is my situation.

My company is running NT4 and has over 10 different domains, all of which have a 2-way trust relationship established with the IT Support Domain.

For easier administration, we have created a Global Admin Account in the IT Support Domain, so that we can apply patches/updates to other DCs and their servers with one master login name & password.

However, what I realize is that with this setup, everyone from the IT Team (including the part-time and co-op staff) will now be able to access all the shared resources on other domains... which is not a good idea.

Now, my question is...

Besides going through all the domains and servers and removing "Everyone" from each shared directory/resource, is there an alternative/quicker way of accomplishing this task? I am talking about over 200 servers and thousands of shared resources...

Is there a way to write a script with which we can restrict user access?

Or,

Was our approach a big mistake (such as creating 2-way trusts and a Global Admin account)?

Thanks, and I look forward to hearing from you soon!

regards,

Mugen C

Quote:
Is there a way to write a script with which we can restrict user access?

Check the resource kits for scriptable tools such as
http://www.ss64.com/nt/cacls.html
http://www.ss64.com/nt/xcalcs.html

In regards to your setup of multiple NT domains... I personally would have recommended and encouraged a setup where there is an empty root domain and the rest of the domains are children of that empty one... with "enterprise" domain admins being heavily audited.

Why the two-way trusts? Do the child domains need to have access to the IT support domain? If so, were shortcut trusts not an option?

Quite honestly, I haven't seen a scenario where
Quote:
one master login name & password
was used throughout an entire forest for management as the one you have described... perhaps it's just me...


Remove the users that you don't want to have access from the Domain Admins group in the IT support domain; this will stop them from accessing the other servers directly. As for the shares, if you set the NTFS permissions on your shares to allow only the groups you want, including Domain Admins, then they will be blocked from these shares as well, which will cure both problems in one swoop.

Then audit and assign rights as needed.

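The two replies above amount to one procedure: audit which shares grant "Everyone", then replace that ACE with a named IT group, across every server. The script below is an added example written for this thread, not code posted by either participant. It assumes modern Windows (PowerShell 4+ and the SmbShare module, i.e. Server 2012 or later); on the NT4 hosts the original poster has, the same edit is a cmd loop over the tool the first reply linked, `cacls \\SERVER\Share /E /R Everyone /G "DOMAIN\Group":C`. The server list, the group name `ITSUPPORT\IT-FileAdmins` and the share names are constructed for illustration. It runs in report-only mode unless `-Fix` is passed, and it keys on the well-known SID S-1-1-0 rather than the display name "Everyone".

```powershell
<#
  Added example, not from the thread. Assumed (hypothetical) names:
    $Servers   - constructed sample list; in practice read it from a file
    $KeepGroup - the IT group that should retain access
  Needs PowerShell 4+ with the SmbShare module (Server 2012+). The NT4-era
  equivalent is a cmd loop over: cacls \\SRV\Share /E /R Everyone /G "DOM\Group":C
#>
param(
    [string[]] $Servers   = @('FS01', 'FS02'),
    [string]   $KeepGroup = 'ITSUPPORT\IT-FileAdmins',
    [switch]   $Fix                      # without -Fix the script only reports
)

# Well-known SID for Everyone, so a localized display name does not slip past the check.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Get-OpenShares {
    param([string] $Server)
    # Only non-special disk shares: skips C$, ADMIN$, IPC$ and print queues.
    Get-SmbShare -CimSession $Server |
        Where-Object { $_.ShareType -eq 'FileSystemDirectory' -and -not $_.Special } |
        ForEach-Object { "\\$Server\$($_.Name)" }
}

function Get-EveryoneRules {
    param([System.Security.AccessControl.FileSystemSecurity] $Acl)
    # Explicit and inherited Allow rules whose trustee resolves to S-1-1-0.
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Everyone -and $_.AccessControlType -eq 'Allow' }
}

function Repair-ShareAcl {
    param([string] $Path)
    $acl  = Get-Acl -LiteralPath $Path
    $hits = @(Get-EveryoneRules $acl)
    if ($hits.Count -eq 0) { return "$Path : ok" }

    $rights = ($hits | ForEach-Object { $_.FileSystemRights }) -join ','
    if (-not $Fix) { return "$Path : Everyone has $rights" }

    # Inherited ACEs cannot be removed on the share root; they come from the parent folder.
    $inherited = @($hits | Where-Object IsInherited)
    foreach ($rule in ($hits | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($rule)
    }
    $keep = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $KeepGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($keep)
    Set-Acl -LiteralPath $Path -AclObject $acl

    $msg = "$Path : replaced Everyone with $KeepGroup"
    if ($inherited.Count -gt 0) { $msg += " (inherited Everyone ACE remains; fix the parent folder)" }
    return $msg
}

foreach ($server in $Servers) {
    foreach ($share in Get-OpenShares $server) {
        try   { Repair-ShareAcl $share }
        catch { "$share : FAILED $($_.Exception.Message)" }
    }
}
```

Run it once without `-Fix` and keep the output as the audit the second reply asks for; only then run it with `-Fix`. Two caveats a practitioner will hit: `Set-Acl` writes the owner back along with the DACL, so run it as an account that holds SeRestorePrivilege (local Administrators on the target), and an NTFS change does nothing against anyone who is still in Domain Admins or local Administrators, since they can take ownership of the folder. Trimming the admin group membership, as the second reply says, is the control that actually matters; the ACL cleanup limits what ordinary IT accounts can reach.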
