Re: Nesting domain groups under local groups
- From: "fpbear" <dontsendhere@xxxxxxxxxx>
- Date: Sun, 18 Mar 2007 15:38:08 -0700
Thanks for the good tips Herb. The users would not have admin rights to
their computers. They would have to ask the domain admin to remove them
from the old domain and add them to the new domain.
I didn't think about explicit permissions to access network resources, hmmm.
However all of the file sharing is handled through the application. The
application is hard coded to check for permissions in the custom local group
(or custom domain group). Then it allows users to share data that is used
by the application. The resources are things like geological data and the
work that other users have done to modify this data.
If we use explicit authentication I wonder how we would modify the app to
work with this rather than just checking for the custom group. Right now
the DCOM components and SQL server data objects connect to each other
directly after being authorized as part of the custom group.
Or if we can't modify the app to do this explicit authentication, would there
be a technical obstacle or bad security practice to using the nested groups?
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:e$EuNiaaHHA.2436@xxxxxxxxxxxxxxxxxxxxxxx
> "fpbear" <dontsendhere@xxxxxxxxxx> wrote in message
> news:uxwGY6ZaHHA.4808@xxxxxxxxxxxxxxxxxxxxxxx
>> I am wondering whether the following is good design practice. We have an
>> application that is locked down using domain GPOs, including setting
>> permissions on the user data files. Sometimes the users will travel and
>> attach these laptops to other domains (separate domains, not part of a
>> forest or trust).
>
> They can only do this because they are admins of the computers -- were
> this not so, they could not remove the computer from the home domain
> and attach it to another domain.
>
> With such privileges, local permissions are mostly advisory anyway -- since
> admins can take ownership of files or do other things to bypass restrictions.
>
> Users should NOT be admins of their computers in most cases -- and not
> cases where security is critical especially.
>
>> They log into these domains with another user account,
>> but they lose access to their data files because the SID for the account on
>> the file ACL is different on this new domain.
>
> Yes. Of course. Why do they need to "logon" to the other domains when
> traveling rather than merely explicitly authenticate for resource access?
>
>> So we are thinking of
>> creating local custom groups for the application and then nesting the
>> application's custom domain groups under them. When the user joins a
>> different domain then the domain admin just adds the domain group under the
>> local group. In this design, the local custom group is the group added to
>> the file permission. The application also checks to see if the domain user
>> is a member of the local group (via nested domain group) before access to
>> features.
>
> The real problem is all this removing/adding computers to different domains.
>
> This should generally not be allowed.
>
>> (This is a government system and the domains all belong to the same agency.
>> Although it takes tremendous paperwork effort to make changes to a mission
>> critical system and get trusts established between the domain islands. So
>> even though they serve the same user base, the domain controllers remain
>> isolated. We might get a nice forest with cross domain trust within a few
>> years, but we will need to come up with a solution that works today for
>> traveling users.)
>
> Explicit authentication when traveling should work.
>
> What resources must the traveling users access?
>
>> Would nesting the groups in this manner cause any difficulties for
>> applications that have to check the role membership, or would it raise any
>> questions on Active Directory best practices?
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
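Added example, written for this page and not code from either poster: it walks through the nested-group design discussed in the thread (local custom group holding the domain group, ACL granted to the local group, application role check against it), flags the orphaned-SID condition that arises once the laptop leaves the home domain, and shows Herb's explicit-authentication alternative. The group names, domain names, folder and share are constructed, and the LocalAccounts cmdlets used are current PowerShell, not anything mentioned in the 2007 thread.

```powershell
# Added example (not from the thread). Demonstrates the nested-group design fpbear
# describes and the role check an application would perform against it.
# Constructed names: local group 'AppUsers', home-domain group 'HOMEDOM\AppUsers',
# data folder C:\AppData. Requires the LocalAccounts module and elevation.
$LocalGroup  = 'AppUsers'
$DomainGroup = 'HOMEDOM\AppUsers'
$DataPath    = 'C:\AppData'

# 1. Create the local custom group and nest the domain group under it.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'Application role group'
}
Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup -ErrorAction SilentlyContinue

# 2. Put the LOCAL group (not the domain group) on the data folder ACL, so the
#    ACE itself stays valid when the laptop is joined to a different domain.
$acl  = Get-Acl -Path $DataPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$LocalGroup", 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $DataPath -AclObject $acl

# 3. What the application's role check sees: the local group SID lands in the
#    logon token through the nested domain group, so IsInRole resolves it.
function Test-AppRole {
    param([string]$Group = "$env:COMPUTERNAME\$LocalGroup")
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole($Group)
}
"Current user holds $LocalGroup role: $(Test-AppRole)"

# 4. Caveat: once the machine leaves HOMEDOM, the nested HOMEDOM group SID can no
#    longer be translated to a name. Flag such orphaned members for the admin.
foreach ($m in Get-LocalGroupMember -Group $LocalGroup) {
    try   { $null = $m.SID.Translate([System.Security.Principal.NTAccount]) }
    catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Orphaned member in ${LocalGroup}: $($m.SID.Value)"
    }
}

# 5. Herb's alternative: leave the laptop in HOMEDOM and authenticate explicitly
#    to the visited domain's share ('*' prompts for the password interactively).
#    net use Z: \\fileserver\geodata /user:VISITEDDOM\account *
```

Step 4 is the operational signal that the nested-group approach depends on the machine staying joined to the domain whose group it nests; step 5 avoids that dependency entirely.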