Re: issue with Child and Parent Domains
- From: "ptwilliams" <ptw2001@xxxxxxxxxxx>
- Date: Tue, 19 Apr 2005 21:11:50 +0100
> Thanks Again Paul!!!!, Do you have a document with this explicitly
> defined:
No problem and no, I don't. Although it's on MS' website somewhere...
> You do mean logon from a client to a CD where that client account only
> exists on PD and NOT logging onto the CD server itself? or BOTH?
I mean that unless you have an account in the CD, then you cannot actually
logon to that domain. You can, however, logon to the PD on a computer that
is a member of the CD --in this instance, the authentication is referred to
the other domain. The CD trusts the authentication mechanism in the PD, so
this user is then able to access resources in the CD.
> This is exactly what the department is trying to do but I was telling
> them that it is not possible.
Correct then.
> Is there such a thing as pass through authentication where users can logon
> to CD, which are currently on the PD? If not, how can you make GPO and
> other functions work on members who are part of the CD.
There's no pass through in that respect. See above for more info. on a
similar scenario.
You can link GPOs that exist in the parent domain to container objects in
the child domain --no problem.
> If I join a computer to the CD and just logon to parent will that user
> still be part of CD. That is will GPO still be able to work? If so, I
> assume I have to designate the DNS entry on client to that of the CD and
> not of the PD.
No, the computer will be a member of the child and the user the PD. GPO will
work on the user account if the user is within scope of a GPO in his or her
domain; computer policy will apply to the computer when it boots --it will
pull from any GPO for which it is within scope -this will be the default
(child) policy, for example.
> don't follow you. If you have your user accounts in the domain PARENT and
> you have a child domain CHILD, and you wish to logon to the PARENT domain
> using computers that are members of the CHILD domain this is fine -you just
> choose the PARENT domain from the domain: drop-down list at the Winlogon
> screen (Ctrl+Alt+Del
> At this point you are saying that I do not need any groups, but how can
> you assign folder permissions and other resources particular to the CD?
You assign permissions through groups, yes. If you have resources in the
child, and user accounts in the parent, you should apply permissions to
(child) domain local groups, and then add parent domain global groups to the
child domain local groups. You then add the users into the global group.
You should do this for the child too.
This looks like so:
Resource/ Permissions -- Domain Local Group -- Global groups (from both
domains)
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
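
The nesting described in this reply (permissions on a child-domain local group, global groups from both domains nested into it, users placed in the global groups), as an added example that is not part of the original post. It uses the ActiveDirectory PowerShell module; the domain names, group names, user name and folder path are placeholders assumed for illustration.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ParentDomain = 'parent.example.com'         # assumed DNS name of the PD
$ChildDomain  = 'child.parent.example.com'   # assumed DNS name of the CD
$FolderPath   = 'D:\Shares\Finance'          # assumed resource on a CD member server

# 1. One global group per domain that holds user accounts.
$ggParent = New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global `
    -GroupCategory Security -Server $ParentDomain -PassThru
$ggChild  = New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global `
    -GroupCategory Security -Server $ChildDomain -PassThru

# 2. Domain local group in the domain where the resource lives (the CD).
$dl = New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Server $ChildDomain -PassThru

# 3. Nest the global groups from both domains into the domain local group.
#    Writing the member attribute by distinguished name avoids cross-domain
#    lookups of the parent group against a child DC.
Set-ADGroup -Identity $dl -Server $ChildDomain -Add @{
    member = @($ggParent.DistinguishedName, $ggChild.DistinguishedName)
}

# 4. Users go into the global group of their own domain.
Add-ADGroupMember -Identity $ggParent -Members 'jdoe' -Server $ParentDomain

# 5. The resource ACL references only the domain local group (by SID),
#    never individual users or the global groups directly.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $dl.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $FolderPath
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 6. Review: list what is nested in the DL group and what the ACL grants.
(Get-ADGroup -Identity $dl -Properties member -Server $ChildDomain).member
(Get-Acl -Path $FolderPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Reviewing step 6 periodically shows whether anything other than the domain local group has been granted access to the folder directly.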