how to prevent login from users of another domain?


joe f. haydn

Hi all. I have two domains, W2003; one is a child domain of the other in a tree
structure. I just created this child domain for ease of managing the two
domains without letting the users from one domain log into the other domain's
computers.

But, lo and behold, I now find that the users from one domain can access the
other domain by default! What I'd heard somewhere was that, by default, a user
from one domain in the tree won't be able to log in to another unless
specifically assigned permission.

Anyway, could someone tell me how I can control this aspect of domain
login, i.e. how you can allow certain users from other domains to log in, or
disallow them from logging in? Is there more than one way of doing it?

I've been looking for such information but have been unable to find it. If you
could also point me to some web pages that give details on this issue, I'd
appreciate it.

Thanks!
 
By default Windows 2000 builds transitive trusts between parent and child
domains. What you could look at doing would be to use Group Policy to deny
the "Log on locally" right to the members of one domain on PCs in the other
domain.

Computer Configuration - Windows Settings - Security Settings - Local
Policies - User Rights Assignments - Deny Logon Locally. Browse and add the
Users group from the domain.

Be careful when doing this - Deny takes precedence, and since your admin
users are also members of the Users group they too will be denied access. So
make sure you understand exactly what you are doing before doing it.
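The "Deny takes precedence" caveat above is easy to verify on a machine before the policy goes domain-wide. The script below is an added example and is not part of the original thread: it exports the user-rights section of the local security policy with secedit (run it elevated), resolves the SIDs to names, and evaluates the two interactive-logon rights the way Windows does, where any matching Deny entry wins over any Allow entry. The group lists passed to `Test-InteractiveLogon` are constructed for illustration; the `PARENT` domain name and the function names are assumptions, not anything from the thread.

```powershell
# Added example (not from the original thread). Requires an elevated prompt on a
# domain-joined Windows host; secedit.exe ships with Windows.

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*' (e.g. *S-1-5-32-545); names are written as-is.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }   # DOMAIN\Name
    catch { $sid.Value }   # unresolvable (deleted group, broken trust): keep the raw SID
}

function Get-LogonRights {
    # Export only the user-rights area and parse "SeXxxRight = a,b,c" lines.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { Resolve-Principal $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-InteractiveLogon {
    param(
        [string[]]$MemberOf,                    # groups in the user's token, e.g. from "whoami /groups"
        [hashtable]$Rights = (Get-LogonRights)
    )
    $allow = @($Rights['SeInteractiveLogonRight'])        # "Allow log on locally"
    $deny  = @($Rights['SeDenyInteractiveLogonRight'])    # "Deny log on locally"

    # Deny is evaluated first: one matching deny entry overrides every allow entry.
    $hit = @($MemberOf | Where-Object { $deny -contains $_ })
    if ($hit.Count -gt 0) { return "DENIED (matched deny entry: $($hit -join ', '))" }
    if (@($MemberOf | Where-Object { $allow -contains $_ }).Count -gt 0) { return 'ALLOWED' }
    return 'DENIED (no allow entry)'
}

# Constructed sample: a parent-domain admin, who is also a member of that domain's
# Domain Users group. If "PARENT\Domain Users" is in the deny list, the admin is locked
# out of this PC even though BUILTIN\Administrators is in the allow list.
$rights = Get-LogonRights
Test-InteractiveLogon -Rights $rights -MemberOf @(
    'PARENT\Domain Admins', 'PARENT\Domain Users', 'BUILTIN\Administrators'
)
```

Run it on one PC in the child domain after the GPO has applied (`gpupdate /force` first) and feed it the group list from `whoami /groups` for the account you are worried about; the result tells you whether a domain admin would still be able to log on before you find out the hard way.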
 
Thanks!

So I suppose I need to create a "local group" (as opposed to a global or
universal group) that the other domain's users belong to, then specifically deny
it in the GPO of the computers in this domain. Is that correct?

Is this a routine or standard task for denying other domains' members from
logging in? Is it that, in the standard, usual scenarios, other domains' users
can freely log in to any other domain in a forest?

I've thought that my case (i.e. only users from this domain can log in to this
domain) is the usual scenario. Correct me if I'm wrong...
 
There are a number of ways you could do this. Following up on your question,
you would create a global group in the parent domain and make all users a
member. Then make that group a member of a local group in the child domain,
and use it as the security principal that determines who gets the group
policy restrictions applied. This may not be the best way. It might be
better to create a stand-alone domain where you could manage trusts
manually, but you'd have to burn it down and start over, which I'm sure
you're trying to avoid. Now that your domains and trusts are in place, you
might consider the benefits of restricting access to specific resources with
permissions instead of trying to completely isolate the domains with group
policy. It might take a little longer to set up, but it would be more
flexible in the long run. Sometime in the future you might want to have some
cross-domain resource sharing.
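The group nesting described in this reply (global group in the parent domain, domain local group in the child domain, the local group used in the deny setting), carried through as a script. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, an account that is an admin in both domains, and the hypothetical domain names `parent.example` and `child.parent.example`. It reuses the parent's built-in `Domain Users` global group (every parent-domain user is already a member, which is what the reply asks for) rather than creating a new one, and the group name `DenyLogon-ParentUsers` is made up. It applies the right to the local machine with secedit as a pilot; the same group goes into the GPO's "Deny log on locally" setting for the domain-wide rollout.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory module,
# Domain Admins rights in both domains, and hypothetical domain names.
Import-Module ActiveDirectory

$parentDc = 'parent.example'          # any DC of the parent domain
$childDc  = 'child.parent.example'    # any DC of the child domain

# 1. Global group in the parent domain that holds everyone to keep out.
#    Domain Users already contains every parent-domain user; use New-ADGroup
#    -GroupScope Global instead if you want a narrower set.
$parentUsers = Get-ADGroup -Identity 'Domain Users' -Server $parentDc

# 2. Domain local group in the child domain. Domain local groups may contain
#    global groups from any trusted domain, which is why the nesting goes this way.
#    Assumption: passing the ADGroup object fetched from the parent DC is enough
#    for Add-ADGroupMember to create the foreign security principal in the child.
$childDomainDn = (Get-ADDomain -Server $childDc).DistinguishedName
New-ADGroup -Name 'DenyLogon-ParentUsers' -GroupScope DomainLocal -GroupCategory Security `
    -Path "CN=Users,$childDomainDn" -Server $childDc
$denyGroup = Get-ADGroup -Identity 'DenyLogon-ParentUsers' -Server $childDc
Add-ADGroupMember -Identity $denyGroup -Members $parentUsers -Server $childDc

# 3. Security template assigning "Deny log on locally" (SeDenyInteractiveLogonRight)
#    to that group. SIDs are written with a leading '*'. secedit replaces the whole
#    list for each right the template names, so list everything that should be denied.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$($denyGroup.SID.Value)
"@
$inf = Join-Path $env:TEMP 'deny-parent-logon.inf'
$db  = Join-Path $env:TEMP 'deny-parent-logon.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode

# 4. Pilot on THIS child-domain computer (run elevated). For the whole domain, put the
#    same group in: Computer Configuration > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment > Deny log on locally.
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# 5. Show what ended up in the local policy.
$export = Join-Path $env:TEMP 'check.inf'
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern 'SeDenyInteractiveLogonRight'
Remove-Item $inf, $db, $export -ErrorAction SilentlyContinue
```

Two consequences worth knowing before running it: parent-domain Domain Admins are members of parent Domain Users, so this locks them out of the child's PCs too (child-domain admins are unaffected), which is exactly the "Deny takes precedence" warning from earlier in the thread; and a GPO that defines this right will overwrite the local pilot at the next policy refresh, which is also how the setting is meant to reach every computer in the child domain.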
 