Re: Active Directory Logon to attribute



The "logon to" feature must use IADsNameTranslate to convert the NetBIOS
names of the workstations to DNs, but this requires knowing the NetBIOS
name of the other domain and I don't know how that can be determined. The
workstations are identified by:

<NetBIOS name of domain>\<NetBIOS name of computer>

In any case, computers in different domains can have the same NetBIOS names,
so you must ensure uniqueness yourself.

Can you ping the full DNS name, such as workstationName.xyz.com?

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:91F56119-3A39-434D-8BF1-5A1BEBEBB171@xxxxxxxxxxxxxxxx
Dear Meinolf,

Ideally it should not happen, but in our case it is working. In the user ID
for xyz.com we are specifying the logon to attribute and providing the
NetBIOS name for the workstation in abc.com.

This restriction is working and the user in xyz.com is not able to access
the internet from any other workstation.

For this reason I wanted to understand how the "logon to" works: how the
user ID from xyz.com is able to resolve the NetBIOS name of the workstation
in abc.com when it is not pinging.

Thanks and Regards,

Sukhwinder Singh




"Meinolf Weber [MVP-DS]" wrote:

Hello Sukhwinder,

If accounts and machines are from abc.com they can logon to abc.com only.
To use xyz.com in the "logon to", you have to create a trust between them
and also if using a workstation in xyz.com.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi Meinolf,

Thanks for the reply. As far as the domain structure is concerned, we
have a domain named abc.com which is the authenticating domain for all
the users across the organisation. All the user PCs are added to that
domain.

Now we have an ISA Proxy server in the DMZ zone and there is another
domain named xyz.org for the user authentication for internet. User IDs
are created in that domain and internet access is provided to the users
based on the IDs in the xyz.org domain.

The user logs in to the PC using an ID in the abc.com domain, and when he
tries to access the internet the username/password box appears, where he
puts in credentials for the xyz.org domain.

In this way the access is separated.

Hope this clarifies; please let me know if you need more
clarification.

Thanks and Regards,

Sukhwinder Singh

"Meinolf Weber [MVP-DS]" wrote:

Hello Sukhwinder,

Please describe the domain setup in more detail, and especially how
your users connect over the "ISA domain" when there is no trust
created between both domains.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Dear All,

I need information as to how the Active Directory "logon to"
property works for the users, and what exactly happens in the
background, because we are facing a problem in our infrastructure.

We have a central domain which is used by all the users for
authentication, and there is one other domain used for ISA user
authentication. There is no single sign-on for the users as far as
the proxy password is concerned. They have to put in the password for
the second domain when they try to access the internet.

Now we have faced an issue. In the domain for ISA authentication we
have configured the properties for the users to log on to a single
workstation so that they cannot access the internet from another PC.
But in the logon to workstation we have tried giving the NetBIOS name
for the PC in the first domain, which is the user authentication
domain. From the security perspective it should not work, as there is
no trust between the domains, but it is working.

We tried to ping the workstation, but it is not working with the
NetBIOS name.

We are totally confused with the same and would request if someone
can help us on the same.

Thanks and Regards,

Sukhwinder Singh





