Re: Active Directory Logon to attribute

Hi Meinolf,
I have faced the same thing, but slightly different.

Scenario: I have 2 forests, ABC.COM and XYZ.COM. I have 2 users in ABC.COM,
"user1" and "user2". I have 2 users and client machines in XYZ.COM. The users are
named "john" and "jack" and the clients "client1" and "client2". Create a
share in ABC.COM and give full permission to user1 and user2.

Problem:
1. I can add a "log on to" restriction for cross-forest PCs. Please note no cross-forest
trust is in place, i.e. in user1's properties add the NetBIOS name client1.
I was under the notion that you can only add machines which are in the domain. It
gladly accepts it without notifying any error.
Repeat the same for user2, but add client2 instead of client1.
2. From client1 do \\<ip address of the server>\<sharename>. It will prompt
for username and password. Enter them for user1 and it will open.
Go to client2 and do \\<ip address of the server>\<sharename>. It will prompt
for username and password. Enter them for user1 and it will say that you do not
have permission to access it, as you are denied logon from this workstation...
How is this possible?

3. Try changing the pre-Windows logon name for both abc\user1 and abc\user2
to abc\john and abc\jack. Try accessing the share. The account will get locked
out from the workstation from which it is denied. Strange, and even stranger:
for the UPN it will not have any impact.

I still haven't found the answer... I believe people will help me out with
this.
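As an added example (not from the thread), a PowerShell audit of the userWorkstations attribute that the "Log On To" dialog writes, using the ActiveDirectory module; it assumes it runs in the domain whose own computer objects are the only entries that should appear, and the account names in the final comment are hypothetical. The attribute is a plain comma-separated string, so writing it does not check that the names exist, which matches the observation above that a client from another forest is accepted without error.

```powershell
# Added example, not from the thread: audit "Log On To" (userWorkstations) lists.
# The attribute is a comma-separated string of NetBIOS names and is stored as
# written, so entries that match no computer object here are worth a look.
Import-Module ActiveDirectory

# Assumption: the domain we are bound to is the one whose computers should appear.
$domainComputers = (Get-ADComputer -Filter *).Name
$known = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$domainComputers, [System.StringComparer]::OrdinalIgnoreCase)

# Only users that actually have a restriction set.
$restricted = Get-ADUser -Filter 'userWorkstations -like "*"' -Properties userWorkstations

$report = foreach ($user in $restricted) {
    $entries = $user.userWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Workstation    = $entry
            InThisDomain   = $known.Contains($entry)
        }
    }
}

# Unmatched entries may be typos, decommissioned machines, or hosts from
# another domain or forest (as in the scenario described in this thread).
$report | Where-Object { -not $_.InThisDomain } | Format-Table -AutoSize

# For reference, the same list is written programmatically with (hypothetical names):
# Set-ADUser -Identity user1 -LogonWorkstations 'client1,client2'
```

On the domain controller, a logon refused because of this list is recorded as Security event 4625 with sub status 0xC0000070 ("user not allowed to logon at this computer"), which is where the denials described above can be traced.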
"Meinolf Weber [MVP-DS]" wrote:

Hello Sukhwinder,

If accounts and machines are from abc.com they can log on to abc.com only.
To use xyz.com in the "logon to", you have to create a trust between them,
and also if using a workstation in xyz.com.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi Meinolf,

Thanks for the reply. As far as the domain structure is concerned, we
have a domain named abc.com which is the authenticating domain for all
the users across the organisation. All the user PCs are added to that
domain.

Now we have an ISA proxy server in the DMZ zone, and there is another domain
named xyz.org for user authentication for the internet. User IDs are
created in that domain and internet access is provided to the users
based on the IDs in the xyz.org domain.

The user logs in to the PC using an ID in the abc.com domain, and when he tries to
access the internet the username/password box appears, where he puts in
credentials for the xyz.org domain.

In this way the access is separated.

Hope this clarifies; please let me know if you need more
clarification.

Thanks and Regards,

Sukhwinder Singh

"Meinolf Weber [MVP-DS]" wrote:

Hello Sukhwinder,

Please describe the domain setup in more detail, and especially how
your users connect over the "ISA domain" when there is no trust
created between both domains.

Best regards

Meinolf Weber
Dear All,

I need information on how the Active Directory "logon to"
property works for users. What exactly happens in the background,
because we are facing a problem in our infrastructure.

We have a central domain which is used by all the users for
authentication, and there is one other domain used for ISA user
authentication. There is no single sign-on for the users as far as the
proxy password is concerned; they have to put in the password for the
second domain when they try to access the internet.

Now we have faced an issue: in the domain for ISA authentication we
have configured the properties for the users to log on to a single
workstation so that they cannot access the internet from other PCs. But
in the "log on to" workstation field we have tried giving the NetBIOS name
for the PC in the first domain, which is the user authentication domain.
From a security perspective it should not work, as there is no trust
between the domains, but it is working.

We tried to ping the workstation, but it is not working with the NetBIOS
name.

We are totally confused by this and would request that someone
help us with it.

Thanks and Regards,

Sukhwinder Singh