Question about a trust relationship and terminal services

From: Bob Grabbe (bgrabbe_at_umich.edu)
Date: 03/15/05


Date: Tue, 15 Mar 2005 14:00:18 -0500

I have two domains, one on my internal network and one on a dmz. Call them
dmz.org and int.org. Dmz.org trusts int.org, and users from int.org can log
on to servers in dmz.org. As this is still in the testing phase, I have only
two servers on the dmz.org, one a domain controller and one member server.
The domain controller is Windows 2003, the member server is Windows 2000.
Both domains are at Windows 2000 functional level.
As a domain admin I am able to log on to both dmz servers with my int.org
account. Locally and through a terminal services session makes no
difference.
I am testing the ability of normal int users to log on to the dmz, and
created a testuser that is not an admin. On the dmz.org DC this user can log
in both locally and through TS. On the member server testuser can log on
locally but when I try to log testuser on through TS I get a message "You
do not have access to logon to this session".
What I have done so far to try to resolve this is create a "Servers" OU and
apply the Default Domain Controllers GPO to this OU. I have set both the
domain security policy and domain controller security policy to allow login
through terminal services to Authenticated Users, with no success.
In addition to this, the int.org Domain Admins are set as members of the
dmz.org Administrators group, but I am unable to add them to the dmz.org
Domain Admins group. Thus I am unable to fully manage the dmz.org domain.
My intent is to have as few as possible users or groups in the dmz.org, but
to allow users in the int.org domain to have similar permissions in the dmz
as they have internally.
Can anyone tell me whether this should actually be able to work the way I
want it to?
Thanks

Bob Grabbe
bgrabbe@umich.edu


