Compatible Support Forums: Permission control across multiple domains

Permission control across multiple domains

#1 Mugen C

  • journeyman
  • Group: Members
  • Posts: 59
  • Joined: 15-September 00

Posted 07 May 2003 - 08:27 PM

Hi There, here is my situation,

My company is running NT4 and has over 10 different domains; all of them have a 2-way trust relationship established with the IT Support Domain.

For easier administration, we have created a Global Admin Account in the IT Support Domain, so that we can apply patches/updates to other DCs and their servers with one master login name & password.

However, what I realize is, with this setup, everyone from the IT Team (including the part-time and co-ops) will now be able to access all the shared resources on other domains...which is not a good idea.

Now, my question is...

Besides going through all the domains and servers and removing "everyone" from each shared directory/resource, is there an alternative/quicker way of accomplishing this task? I am talking about over 200 servers and over thousands of shared resources... :(

Is there a way to write a script that we can restrict user access?

Or,

Was our approach a big mistake (such as creating the 2-way trust and Global Admin account)?

Thanks, and I look forward to hearing from you soon! :)

regards,
Mugen C

#2 DS3Circuit

  • old hand
  • Group: Members
  • Posts: 739
  • Joined: 11-December 02

Posted 08 May 2003 - 03:41 AM

Quote:
Is there a way to write a script that we can restrict user access?


Check the resource kits for scriptable tools such as
http://www.ss64.com/nt/cacls.html
http://www.ss64.com/nt/xcalcs.html

In regards to your setup of multiple NT domains ... I personally would have recommended and encouraged a setup where there is an empty root domain and the rest of the domains are children of that empty one ... with "enterprise" domain admins being heavily audited.

Why the two way trusts? Do children domains need to have access to the IT support domain? If so, were shortcut trusts not an option?

Quite honestly, I haven't seen a scenario where
Quote:
one master login name & password
was used throughout an entire forest for management as the one you have described ... perhaps it's just me ...

#3 duhmez

  • addict
  • Group: Members
  • Posts: 583
  • Joined: 27-April 02

Posted 24 May 2003 - 11:51 AM

Remove the users that you don't want access from the domain admins group in the IT support domain; this will stop them from accessing the other servers directly. As for the shares, if you set NTFS permissions on your shares to allow only the groups you want, including domain admins, then they will be blocked from these shares as well, which will cure both problems in one swoop.

Then audit and assign rights as needed.
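An added example, not part of any post in this thread: a Python script for the audit step behind the cacls suggestion, which reads collected cacls listings, finds the paths where Everyone holds an entry, and emits the revoke command for review instead of running it. The listings are constructed samples in the layout cacls prints, and the server, share, domain and group names are hypothetical.

```python
import re

# Constructed sample: cacls listings keyed by the path each was run against.
# Server, share, domain and group names are hypothetical.
SAMPLE = {
    r"\\SRV01\Public": "\n".join([
        r"\\SRV01\Public Everyone:(OI)(CI)F",
        r"               BUILTIN\Administrators:(OI)(CI)F",
        r"               ITSUPPORT\Domain Admins:(OI)(CI)F",
    ]),
    r"\\SRV02\Payroll": r"\\SRV02\Payroll Everyone:(OI)(CI)C",
    r"\\SRV03\HR Files": "\n".join([
        r"\\SRV03\HR Files BUILTIN\Administrators:(OI)(CI)F",
        r"                 HRDOM\HR Staff:(OI)(CI)C",
    ]),
}

# One entry looks like ACCOUNT:(flags)RIGHT, e.g. Everyone:(OI)(CI)F
ACE = re.compile(r"^(?P<account>.+?):(?P<rights>(?:\([A-Z]+\))*[A-Z])$")


def parse_cacls(path, output):
    """Return [(account, rights), ...] from one cacls listing for a known path."""
    aces = []
    for i, line in enumerate(output.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]  # the first entry shares a line with the path
        m = ACE.match(line.strip())
        if m:
            aces.append((m.group("account"), m.group("rights")))
    return aces


def plan(listings, principal="Everyone"):
    """Map each path to 'ok', a cacls revoke command, or a review flag."""
    result = {}
    for path, output in listings.items():
        accounts = [a.lower() for a, _ in parse_cacls(path, output)]
        if principal.lower() not in accounts:
            result[path] = "ok"
        elif len(accounts) == 1:
            # Revoking the only entry leaves an empty ACL, which denies everyone.
            result[path] = "review: grant the intended group before revoking"
        else:
            # /E edits the ACL in place, /R revokes, /T recurses, /C continues on errors.
            result[path] = f'cacls "{path}" /T /E /C /R {principal}'
    return result


if __name__ == "__main__":
    for path, action in plan(SAMPLE).items():
        print(f"{path}: {action}")
```

cacls edits NTFS ACLs, so the emitted commands cover the NTFS side described in post #3; share-level permissions are a separate setting.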
