2 Domains and Group Policy

Daniel

At work we have a bit of a weird setup. Users can log onto 2 different
Domains depending on what access they require. If a user needs to access the
internet or email, they log onto Domain 1. If all they need to use is the in
house applications, they log onto Domain 2.

Both Domains are in separate Forests, and Trust relationships are in place.

I can administer Domain 2. Domain 1 is being managed by a Tier 1 support
company and I have no administrative access at all. Neither Domain has any
security policies in place at all. This is giving me nightmares, let me tell
you.

There are no restrictions on the users. They can install anything and do
anything to the machines. I have already had one engineer "re-install"
Windows because the laptop was "playing up". He undid all my work patching and
updating only to bring MSBlaster back into the network.

Internet access for users logged into Domain 2 is easy.

But is there a way that users can log onto Domain 2 and still access email
AND change their passwords when prompted by Domain 1 so we can enforce some
security here?

Cheers.
 
Lots of issues here. Long term it may make sense to get
all of your users using a single account. But this is
probably going to require you to have some level of
administrative access to the managed domain (either to
manage the resources in that domain, or the users in that
domain, depending upon where your user accounts end up).

If that will never happen, or will take too long, don't
overlook local policy on the clients. You can always set
users up with reduced perms (user or power user) which
controls what they can and cannot do to the system, and
modify local policy on each machine to further lock them
down. Depending on how many machines you have and how
often you want to change things, this could be its own
administrative nightmare. But might be better than
nothing.

You also should take a look at where your computer
accounts are. If they are in the domain that you control,
you can do some lockdown via GP on the machine side. HTH

Chuck
 
Thanks Chuck.

Yeah I am trying to avoid applying local policies. So far I have 140
machines across two states. As you said, an administrative nightmare. :)

I have been looking at applying GP on the computers. All the computer
accounts are in our domain so at this stage it looks as if that is the way
to go atm.

In the long term I would love to have our own Exchange server and have the
current one act as a relay so we don't lose our email addresses. But I am
not too sure how that will go with the account passwords of the users. Using
that and an ISA server to provide Internet and email means we can have all
of our users log on to our domain and we can finally get some control over
the environment.

Thanks for the reply.

Dan
 