Limiting access to computers in a child domain by members of parent domain

KimW

Member
Feb 29, 2000
It seems that the powers that be would prefer I give up being an individual Win2000 domain and change to either being a child domain or an OU of their primary domain. They keep pushing the idea that this will be good for my users because it will allow them quick and easy access to resources on the primary domain. That's all good and fine, but I need to be able to limit access to the systems in my domain. Basically, what I would like is for my users to be able to logon to our systems using their primary domain logons and having access to the resources on both the primary and child domains. At the same time, I want to be able to deny access to our systems to anyone else. If I become a child domain or OU, is there any way for me to ensure that this is the case?

Graphically...

Domain.com (userA, userB, userC)
|
child.domain.com
|
computer.child.domain.com (need to allow userA logon, deny userB logon, deny userC logon)

TIA.
 

SR

Member
Aug 5, 2001
You could VLAN your network and just allow the AD server IP address into your VLAN, or set shares\security so only defined people can access them on a Win2k platform.
 

KimW

Member
Feb 29, 2000
SR,

Could you explain a bit about these two suggestions? I'm not sure I understand what you mean.

Thanks!
 

Saltin

Platinum Member
Jul 21, 2001
If you don't control who is in the Enterprise Admins group you won't be able to limit access. End of story.
A member of Enterprise Admins will always have free run of the forest.
You could physically separate the networks, but that defeats the entire purpose/function of a child domain.

 

KimW

Member
Feb 29, 2000
Originally posted by: Saltin
If you don't control who is in the Enterprise Admins group you won't be able to limit access. End of story.
A member of Enterprise Admins will always have free run of the forest.
You could physically separate the networks, but that defeats the entire purpose/function of a child domain.


If you're just mentioning that the Enterprise Admins can always access the systems or make changes, that's not a problem. They realize that these systems aren't supposed to be accessed by just anyone, so they wouldn't undo the restrictions. Also, I'm not trying to keep them from being able to do anything.

My concern is just with the average user. We have a *lot* of users who regularly migrate through locations. When doing so, they generally use the first computer they come to. I have some systems that run software that is only needed by a subset of these users. So, I don't want these users to find that they can't access the software they need because someone who doesn't need the software has the system tied up. So, in a perfect world I could do something like: create a group in the child domain, drop in the users from the parent domain that need access, and set a "logon permission" to allow that group access and deny access to all the other regular users. Maybe I can do this, but just don't know how. Maybe I can't do this, but can do something else that would give the same effect. I sure hope that one of these two is the case.

 

Saltin

Platinum Member
Jul 21, 2001
The best way to accomplish your goal depends on whether your domains are running in Native or Mixed mode.

If they are running in Mixed mode, you can use a Domain Local group to hold users from other domains. Domain Local groups can have members from outside your own domain and can access resources in the local domain. The downside to Domain Local groups is that they cannot be nested, but this shouldn't be an issue for you really.

If your domains are in Native mode, you can use a Universal group (global membership, global access to resources).

 

KimW

Member
Feb 29, 2000
Originally posted by: Saltin
The best way to accomplish your goal depends on whether your domains are running in Native or Mixed mode.

If they are running in Mixed mode, you can use a Domain Local group to hold users from other domains. Domain Local groups can have members from outside your own domain and can access resources in the local domain. The downside to Domain Local groups is that they cannot be nested, but this shouldn't be an issue for you really.

If your domains are in Native mode, you can use a Universal group (global membership, global access to resources).


Right now it's in Mixed mode, but that shouldn't be the case for much longer. I understand how to use Domain local groups to restrict access to resources like shares or printers, but I'm not sure how it helps me here. Is there some easy way to restrict/allow logon to a computer?

 

Saltin

Platinum Member
Jul 21, 2001
Use group policy to allow/deny logon to whatever boxes by whatever groups.
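Saltin's group-policy route, as an added PowerShell example that is not part of the thread: it creates the Domain Local group in the child domain, adds a parent-domain user to it, then reads the effective "Allow/Deny log on locally" rights back from a target computer so the result can be verified rather than assumed. The group name AppLogon, the OU path, and the use of PowerShell remoting to the target are assumptions; domain and user names follow the poster's diagram.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT),
# admin rights on the target computer, and that it is run from child.domain.com.

# 1. A Domain Local group in the child domain may hold parent-domain accounts.
$group = New-ADGroup -Name 'AppLogon' -GroupScope DomainLocal `
    -Path 'OU=Groups,DC=child,DC=domain,DC=com' -PassThru -ErrorAction Stop   # OU path is assumed
Add-ADGroupMember -Identity $group -Members (Get-ADUser -Identity 'userA' -Server 'domain.com')

# 2. Read the effective logon rights on a target computer. Once the GPO has applied,
#    the rights sit in the local security policy; secedit exports them in the same
#    "*SID" syntax that GptTmpl.inf uses inside the GPO.
function Get-LogonRightVerdict {
    param([string]$Computer, [string]$GroupSid)
    $inf = Invoke-Command -ComputerName $Computer -ScriptBlock {
        $tmp = Join-Path $env:TEMP 'rights.inf'
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        Get-Content $tmp
    }
    $rights = @{}
    foreach ($line in $inf) {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    $allowed = $rights['SeInteractiveLogonRight']     -contains $GroupSid
    $denied  = $rights['SeDenyInteractiveLogonRight'] -contains $GroupSid
    # Deny rights take precedence over Allow rights, so a deny entry wins.
    if ($denied)      { 'DENIED (deny overrides allow)' }
    elseif ($allowed) { 'ALLOWED' }
    else              { 'NOT GRANTED' }
}

Get-LogonRightVerdict -Computer 'computer.child.domain.com' -GroupSid $group.SID.Value
```

Because a deny on any group the user belongs to (Domain Users included) overrides the allow, the cleaner pattern for the "allow this group, keep everyone else out" goal is to replace the default entries in "Allow log on locally" with the new group rather than stacking deny entries; the check above only inspects the one group's SID, so extend it to the user's full group list when auditing a specific account.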
 

KimW

Member
Feb 29, 2000
Saltin,

Thanks for your input. We had thought about that route, but had problems getting it to work in our test lab. After seeing your post we went back and removed everything and rebuilt the policies. This seems to be working fine now, though I have no idea what we had done wrong before!