Permission control across multiple domains

You are not logged in. [Log In] CompatDB.org » Forums » Windows NT4/2000/XP/2003/Vista/2008/Home Server/7 » Security » Permission control across multiple domains

Permission control across multiple domains

Hi There, here is my situation, My company is running NT4 and has over 10 different domains, all of them has 2-way trust relationship established with the IT Support Domain. For easier administration, we have created a Global Admin Account i...

Topic Options

#125625 - 05/07/03 08:27 PM Permission control across multiple domains
Mugen C journeyman Registered: 09/15/00 Posts: 59	Hi There, here is my situation, My company is running NT4 and has over 10 different domains, all of them has 2-way trust relationship established with the IT Support Domain. For easier administration, we have created a Global Admin Account in the IT Support Domain, so that we can appliy patches/updates to other DCs and their servers with one master login name & password. However, what I realize is, with this setup, everyone from the IT Team (including the part-time and co-ops) will now be able to access all the shared resources on other domains...which is not a good idea. Now, my questions is... Besides going through all the domains, servers and removing "everyone" from each shared directories/resources, Is there an alternative/quicker way of accomplishing this task?...I am talking about over 200 servers and over thousands of shared resources... Is there a way to write a script that we can restrict user access? Or, Was our apporach a big mistake (such as creating 2-way trust and Global Admin account?) Thanks and look forward to hear from you soon! regards, Mugen C
Top

#125643 - 05/08/03 03:41 AM Re: Permission control across multiple domains
DS3Circuit old hand Registered: 12/11/02 Posts: 739 Loc: Northeast PA	Quote: Is there a way to write a script that we can restrict user access? Check the resource kits from scriptable tools such as http://www.ss64.com/nt/cacls.html http://www.ss64.com/nt/xcalcs.html In regards to your setup of multiple NT domains .... I personally would have recommended and encouraged a setup were there is an empty root domain where the rest of domains are children to the one empty ... with "enterprise" domain admins being heavily audited. Why the two way trusts? Do children domains need to have access to the IT support domain? If so, were shortcut trusts not an option? Quite honestly, I havent seen a scenario where Quote: one master login name & password wasused throughout an entire forest for management as the one you have described .... perhaps its just me ...
Top

#126565 - 05/24/03 11:51 AM Re: Permission control across multiple domains
duhmez addict Registered: 04/27/02 Posts: 583 Loc: Canada, West siiiiiiiiiide!	Remove the users that you dont want access from the domain admins group in the IT support domain, this will stop them from accessing the other servers directly. As for the shares if you set NTFS permission on your shares to allow only the groups you want, including domain admins, then they will be blocke form these shares as well, which will cure both problems in one swoop. then audit and assign rights as needed.
Top

IP Scanning, Port Scanning, SNMP Discovery

Index

Securiy on the any Folder

Forums

Windows Support Forums
Everything New Technology
Legacy OS
Hardware
Software
Games
Networking
Customization & Tweaking
Security

Linux Support Forums
Everything Linux
Linux Hardware
Linux Software
Linux Games
Linux Networking
Linux Customization & Tweaking
Linux Security

Apple Support Forums
Everything Apple