Re: Laptop users changing domains, mismatch DACLS
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 28 Oct 2006 04:27:42 -0500
"DD" <dontsendhere@xxxxxxxxxx> wrote in message
news:enLDScm%23GHA.3352@xxxxxxxxxxxxxxxxxxxxxxx
> I have an architecture puzzle to figure out. We have laptop users that
> change domains sometimes... i.e. they log on to a completely different
> domain after traveling, but the SID of the domain group on domain B is
> different than domain A.
Easiest is to tell them to stop doing that -- really, this is
generally neither necessary (for what they really want to
do) nor a very good idea.
Windows does not deal well with the same 'person' becoming
two different users (either on machine and domain or on multiple
domains.)
Windows will however allow a user to LOGON to a machine
with one domain account and AUTHENTICATE to other domains
and computers for resource access.
Perhaps this ability to authenticate is all the users really
need (in many instances it is, especially for file access which
seems to be your biggest issue.)
> In this case the app running on their system will not be able to access
> files because the same SID is not in the DACL of the filesystem folders.
Correct. Unless you change the permissions to something
like (the very insecure) Everyone FC (or whatever.)
> Is there an elegant way to solve this? Ideally I would expand the
> forest/domain across geographic regions.
That is the only true solution -- for single signon etc.
There are new services being implemented (don't know
the name du jour but) this stuff allows for federation of
authentication across multiple untrusted -- or rather not
fully trusted -- domains and systems but I doubt it is ready
for prime time in your situation.
IF however you can tolerate making the trusts, the answer
is trivial. Your original statement seemed to indicate these
were 'unrelated' (i.e., truly foreign domains) so that would be
a different case.
Back up a moment and ask why they EVER use a different
account to LOGON to their own machine?
Why do they find this necessary or helpful (be precise).
Knowing this we might be able to find a way to allow for
the access they need without (completely) changing identities,
at least without a new logon.
Custom apps (and especially those badly written) might be the
most difficult but we won't know until we hear your precise
situation....
> Otherwise is there some way to line up the SIDs? I have heard about tools
> in Microsoft resource kits but I am hoping for something a bit more
> automated (something the user can take care of, not just the admin).
Yes, these are generally for fixing the problem after it
has occurred and are labor and knowledge intensive.
(SubInAcl.exe being the closest fit to your request.)
Also, don't overlook the idea of having them terminal
server to another machine in the foreign domain and
do their work as a completely different person EXCEPT
for any file copying which they perform as the local user.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
> Thanks ~ DD
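The DACL mismatch discussed in the thread can be spotted before a user travels, by listing which ACEs on a folder were granted to SIDs from a domain other than the one the current logon came from. The PowerShell script below is an added example, not code from the thread or from any tool it mentions (it does not call SubInAcl); the only assumption is the folder path you pass in.

```powershell
# Added example: report the ACEs on a folder whose SID belongs to a domain other
# than the logged-on user's. Those entries are exactly the ones that will not
# match when the same person logs on with an account from another domain.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumed input, e.g. 'D:\Projects'
)

# The logon session's account SID; AccountDomainSid is $null for local or
# built-in accounts, which have no domain part.
$me          = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myDomainSid = $me.User.AccountDomainSid

# Ask for the rules keyed by raw SID rather than by resolved name, so that
# entries from an unreachable domain still come back instead of failing.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($rule in $rules) {
    $sid = $rule.IdentityReference

    # Name resolution can fail for SIDs from a domain this machine cannot reach;
    # keep the raw SID in that case rather than dropping the entry.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }

    $domainSid = $sid.AccountDomainSid
    if ($null -eq $domainSid) {
        $status = 'well-known or local'
    } elseif ($null -ne $myDomainSid -and $domainSid -eq $myDomainSid) {
        $status = 'same domain as current logon'
    } else {
        $status = 'FOREIGN DOMAIN: will not match this logon'
    }

    [pscustomobject]@{
        Identity  = $name
        Sid       = $sid.Value
        Rights    = $rule.FileSystemRights
        Type      = $rule.AccessControlType
        Inherited = $rule.IsInherited
        Status    = $status
    }
}
```

Run it as the account the user normally works under (for example `.\Check-ForeignAces.ps1 -Path 'D:\Projects'`, file name assumed) and sort or filter on `Status`. Any entry reported as a foreign domain is one the application will fail against after the user logs on elsewhere, which is the condition DD describes; well-known SIDs such as SYSTEM or Administrators are listed separately because they match on every domain.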