Re: Login questions
From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/15/04
- Next message: Russ: "[FATAl] Kerberos does not have a ticket for host/<domain>"
- Previous message: George: "Re: Company aquired with windows 2000 AD How can I make them part of our 2003 AD"
- In reply to: Chriss3: "Re: Login questions"
- Next in thread: emma: "Re: Login questions"
- Reply: emma: "Re: Login questions"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 15 Mar 2004 12:08:42 -0600
Hi,

I guess I would want to clarify the terminology. Users log in to domains.
They do not log on to OU's. OU's are handy to organize objects like user
objects. Also, policies can be applied to Domains, Sites, and OU's. You can
have a different policy applied to each OU, if desired. This could include
logon scripts, for example.

Access to resources is generally controlled by putting users into groups and
assigning permissions to the group. You do not assign permissions to OU's.
If you want all people in Company A to see Company A resources, but not
Company B resources, then make all Company A people members of a group
CompanyA. Assign group CompanyA access to the appropriate resources. Same
for a CompanyB group and their resources. If done properly, only members of
the group CompanyB can see Company B resources. Members of the group CompanyA
cannot (unless they are also members of group CompanyB).

Each domain requires at least 1 DC, so if you have but one server, you are
restricted to one domain. However, you should never create domains in order
to restrict permissions to resources (in my opinion). Groups, Group Policy,
and delegation of authority to OU's should meet your needs. One of the few
justifications for creating another domain is because one group of users
requires different security settings. Password policy, account lockout
policy, and Kerberos policy can only be applied at the domain level, so if
you require different password expiration policies, you may need another
domain.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:Ob5Xj2qCEHA.2592@TK2MSFTNGP12.phx.gbl...
> Emma. What you are asking for looks like a domain tree. However, that
> requires 3 servers (Domain Controllers). You can do a pretty good lockdown
> with Group Policies linked to OUs to lock down the desktop. But the Network
> Security is Domain Wide.
>
> --
> Regards
> Christoffer Andersson
>
> No email replies please - reply in the newsgroup
>
> "emma" <emma@comintel.com.my> wrote in message
> news:05D44ECB-4E96-41F3-AD18-AAF2F03CA14F@microsoft.com...
> > Dear all
> >
> > I have some questions here on the login for a domain in Active Directory
> > in Windows 2000 server. Is it possible that we set each OU in 1 domain
> > to log in individually? For example, let's say I have a domain called
> > a.com, so under this domain I have several OUs. The first OU I call
> > company A, the second OU I call company B and the third OU company C. So
> > can I set company A employees to log in under the OU name company A only,
> > and employee B to log in under OU name company B only? Employee A cannot
> > see the resources of employee B and vice versa?
> >
> > My reason to do that is this: the 3 companies have very few employees.
> > From what I know 1 DC can only be set up physically with 1 server. But I
> > don't want to purchase additional servers because the employee number is
> > so small. So I've been thinking if Active Directory can give individual
> > login based on OU only then it will meet my objectives. Hope that you
> > understand. Thank you for your attention. Hope to hear from you soon.
> >
> > Regards
> > Emma
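
The group-per-company layout described in the reply above, as an added example that is not part of the original thread. It assumes a current Windows Server with the ActiveDirectory PowerShell module, existing OUs named CompanyA and CompanyB directly under a.com, and a hypothetical data folder D:\Shares.

```powershell
# Added example, not from the thread. Assumed names: OUs CompanyA/CompanyB under
# DC=a,DC=com, data root D:\Shares. Run as a domain administrator on the file server.
Import-Module ActiveDirectory

$domainDn  = 'DC=a,DC=com'      # the a.com domain from the question
$shareRoot = 'D:\Shares'        # hypothetical location of the company folders

foreach ($company in 'CompanyA', 'CompanyB') {
    $ouDn = "OU=$company,$domainDn"

    # The OU only organizes objects. The security group is what receives permissions.
    $group = New-ADGroup -Name $company -GroupScope Global -GroupCategory Security `
        -Path $ouDn -PassThru

    # Every user object that lives in the OU becomes a member of the matching group.
    $users = Get-ADUser -Filter * -SearchBase $ouDn
    if ($users) { Add-ADGroupMember -Identity $group -Members $users }

    $folder = Join-Path $shareRoot $company
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $acl = Get-Acl -Path $folder
    # Break inheritance and discard inherited entries, so a broad grant on
    # D:\Shares (for example to "Users") does not carry into this folder.
    $acl.SetAccessRuleProtection($true, $false)

    $grants = @(
        @{ Who = $group.SID;                                                  Rights = 'Modify' },
        @{ Who = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Who = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )
    foreach ($grant in $grants) {
        # Applies to this folder, its subfolders and its files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $grant.Who, $grant.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $folder -AclObject $acl

    # Check the result: the company group, Administrators and SYSTEM should be
    # the only entries, and none of them should be inherited.
    (Get-Acl -Path $folder).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

A user who is in the CompanyA OU but was added after this ran is not in the group until `Add-ADGroupMember` is run again, which is the practical difference between OU placement and group membership.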