Re: Question about a trust relationship and terminal services

From: Bob Grabbe (bgrabbe_at_umich.edu)
Date: 03/22/05


Date: Tue, 22 Mar 2005 11:44:54 -0500

Am I being too wordy? No one has any suggestions? I really do need help on
this.

Bob Grabbe
bgrabbe@umich.edu

"Bob Grabbe" <bgrabbe@umich.edu> wrote in message
news:edqD8EZKFHA.732@TK2MSFTNGP12.phx.gbl...
>I have two domains, one on my internal network and one on a dmz. Call them
>dmz.org and int.org. Dmz.org trusts int.org, and users from int.org can log
>on to servers in dmz.org. As this is still in the testing phase, I have
>only two servers on the dmz.org, one a domain controller and one member
>server.
> The domain controller is Windows 2003, the member server is Windows 2000.
> Both domains are at Windows 2000 functional level.
> As a domain admin I am able to log on to both dmz servers with my int.org
> account. Locally and through a terminal services session makes no
> difference.
> I am testing the ability of normal int users to log on to the dmz, and
> created a testuser that is not an admin. On the dmz.org DC this user can
> log in both locally and through TS. On the member server testuser can log
> on locally but when I try to log testuser on through TS I get a message
> "You do not have access to logon to this session".
> What I have done so far to try to resolve this is create a "Servers" OU
> and apply the Default Domain Controllers GPO to this OU. I have set both
> the domain security policy and domain controller security policy to allow
> login through terminal services to Authenticated Users. With no success.
> In addition to this, the int.org Domain Admins are set as members of the
> dmz.org Administrators group, but I am unable to add them to the dmz.org
> Domain Admins group. Thus I am unable to fully manage the dmz.org domain.
> My intent is to have as few as possible users or groups in the dmz.org,
> but to allow users in the int.org domain to have similar permissions in
> the dmz as they have internally.
> Can anyone tell me whether this should actually be able to work the way I
> want it to?
> Thanks
>
> Bob Grabbe
> bgrabbe@umich.edu
>
>


