Permission control across multiple domains

This is a discussion about permission control across multiple domains in the Windows Security category.




59 Posts
Location -
Joined 2000-09-15
Hi there, here is my situation.

My company is running NT4 and has over 10 different domains; all of them have a 2-way trust relationship established with the IT Support Domain.

For easier administration, we have created a Global Admin Account in the IT Support Domain, so that we can apply patches/updates to other DCs and their servers with one master login name & password.

However, what I realize is that with this setup, everyone from the IT Team (including the part-time and co-op staff) will now be able to access all the shared resources on other domains... which is not a good idea.

Now, my question is...

Besides going through all the domains and servers and removing "Everyone" from each shared directory/resource, is there an alternative/quicker way of accomplishing this task? I am talking about over 200 servers and thousands of shared resources...

Is there a way to write a script with which we can restrict user access?

Or,

Was our approach a big mistake (such as creating 2-way trusts and a Global Admin account)?

Thanks, and I look forward to hearing from you soon!

Regards,
Mugen C

Created: May 7. Last response: May 24.

Responses to this topic



738 Posts
Location -
Joined 2002-12-11
Quote: "Is there a way to write a script that we can restrict user access?"

Check the resource kits from scriptable tools such as
http://www.ss64.com/nt/cacls.html
http://www.ss64.com/nt/xcalcs.html

In regards to your setup of multiple NT domains .... I personally would have recommended and encouraged a setup where there is an empty root domain and the rest of the domains are children of that empty one ... with "enterprise" domain admins being heavily audited.

Why the two way trusts? Do children domains need to have access to the IT support domain? If so, were shortcut trusts not an option?

Quite honestly, I haven't seen a scenario where "one master login name & password" was used throughout an entire forest for management as the one you have described .... perhaps it's just me ...


581 Posts
Location -
Joined 2002-04-27
Remove the users that you don't want to have access from the Domain Admins group in the IT Support domain; this will stop them from accessing the other servers directly. As for the shares, if you set NTFS permissions on your shares to allow only the groups you want, including Domain Admins, then they will be blocked from these shares as well, which will cure both problems in one swoop.

Then audit and assign rights as needed.
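As an added example (not code from this thread), one way to script what the two replies describe: query each share with cacls, flag any ACL that still grants "Everyone", and build the cacls /E command that revokes it and grants a named admin group full control, so the plan can be reviewed before anything is changed on 200 servers. The server name, share names, group names and the cacls output below are constructed for the example.

```python
"""Audit share ACLs via cacls output and plan an in-place fix (constructed example)."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# One ACE as cacls prints it: "IDENTITY:(flags)PERM", e.g. "Everyone:(OI)(CI)F"
ACE_RE = re.compile(r"^(?P<id>[^:]+):(?P<perm>.+)$")

def parse_cacls(path: str, output: str) -> List[Tuple[str, str]]:
    """Turn the text printed by `cacls <path>` into (identity, permission) pairs.
    The first line begins with the path itself; further ACEs are on indented lines."""
    aces = []
    for line in output.splitlines():
        text = line[len(path):] if line.startswith(path) else line
        match = ACE_RE.match(text.strip())
        if match:
            aces.append((match.group("id"), match.group("perm")))
    return aces

def plan_fix(path: str, aces: List[Tuple[str, str]], admin_group: str) -> Optional[List[str]]:
    """Build the cacls argv that edits the ACL in place (/E): revoke Everyone (/R) and
    grant admin_group full control (/G) if it is missing. None means nothing to change."""
    has_everyone = any(ident.lower() == "everyone" for ident, _ in aces)
    has_admin = any(ident.lower() == admin_group.lower() for ident, _ in aces)
    if not has_everyone and has_admin:
        return None
    argv = ["cacls", path, "/E"]
    if has_everyone:
        argv += ["/R", "Everyone"]
    if not has_admin:
        argv += ["/G", f"{admin_group}:F"]
    return argv

def query_cacls(path: str) -> str:
    """Live query for real use: run cacls against a UNC path and return its output."""
    return subprocess.run(["cacls", path], capture_output=True, text=True, check=True).stdout

def audit_shares(paths, admin_group: str,
                 query: Callable[[str], str] = query_cacls) -> Dict[str, Optional[List[str]]]:
    """Map each share to its corrective cacls command (or None). Nothing is executed here."""
    return {p: plan_fix(p, parse_cacls(p, query(p)), admin_group) for p in paths}

# Constructed cacls output for two hypothetical shares (server and group names are made up).
SAMPLE_OUTPUT = {
    r"\\FILESRV01\Public": "\n".join([
        r"\\FILESRV01\Public Everyone:(OI)(CI)F",
        r"                   ITSUPPORT\Domain Admins:(OI)(CI)F"]),
    r"\\FILESRV01\Finance": "\n".join([
        r"\\FILESRV01\Finance ACME\Finance Users:(OI)(CI)C",
        r"                    ITSUPPORT\ServerAdmins:(OI)(CI)F"]),
}

if __name__ == "__main__":
    plan = audit_shares(SAMPLE_OUTPUT, r"ITSUPPORT\ServerAdmins", SAMPLE_OUTPUT.__getitem__)
    for share, argv in plan.items():
        print(share, "OK" if argv is None else " ".join(argv))
```

Replace the sample dictionary with a list of UNC paths (and drop the `query` argument) to run the audit against live servers; the printed commands are only executed once you have reviewed them.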