Re: Trusts need to see all DC's on each side?
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Mon, 19 Jan 2009 09:34:59 -0600
"JPolicelli [MVP-DS]" <JPolicelliMVPDS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:02A3205F-7A61-477D-A7C1-33BEEB0A3096@xxxxxxxxxxxxxxxx
One thing to keep in mind...when you create a trust, the users from the
trusted domain are added to the Authenticated Users group in the trusting
domain. As such, any permissions that are granted to the Authenticated
Users group in the trusting domain will incorporate the users from the
trusted domain. Also, by default members of the Authenticated Users group
have read access to virtually all objects in AD. While this is not usually
a concern, it is something to consider if you do not want information
disclosure type attacks.
Ah! Thank you. I didn't realize it added them automatically to that group
(although it makes sense).
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
.
- References:
- Trusts need to see all DC's on each side?
- From: just bob
- Re: Trusts need to see all DC's on each side?
- From: Phillip Windell
- Re: Trusts need to see all DC's on each side?
- From: JPolicelli [MVP-DS]
- Trusts need to see all DC's on each side?
- Prev by Date: Re: ADFS, ISA and SSL offloading
- Next by Date: Re: [WARNING] Failed to query SPN registration on DC
- Previous by thread: Re: Trusts need to see all DC's on each side?
- Next by thread: Re: Trusts need to see all DC's on each side?
- Index(es):
Relevant Pages
|
