
Let's say we have 3 domains (and 3 DCs), where contoso.local is the root domain, dep1.contoso.local is a child domain of contoso.local, and dep2.contoso.local is another child domain of contoso.local.

[Diagram: As it currently is]

Apparently the trust relationship between those domains is transitive, which according to our security auditing company is not secure enough, and we need to remove the trust relationship between dep1.contoso.local and dep2.contoso.local.

I am aware that removing the trusts between child domains is not possible, but might there be the slightest chance of a scenario where clients from dep1 cannot log on from clients that have joined the dep2 child domain, while the DCs of each domain can still see each other?

[Diagram: As intended to be]

Any hint is much appreciated.

  • You need to permission the resources in department 2 accordingly. – Greg Askew Mar 01 '19 at 11:54
  • `Apparently the trust relationship between those domains is transitive which accorting to or security auditing company is not secure enough` - That's a vague and nebulous statement. Not secure enough for what? – joeqwerty Mar 01 '19 at 13:01
  • @joeqwerty To clarify this: because a user from dep1.contoso.local could basically log in from a client which joined dep2.contoso.local. This shouldn't be possible in our structure. – stackoverflowuser Mar 01 '19 at 13:32
  • Semicolon's answer is almost certainly the best approach, but if you were starting from scratch you *could*, in principle, have put the departmental domains in their own forests and established manual (and possibly one-way) trusts, which are not transitive. (We have a somewhat similar arrangement at my workplace, for historical reasons. It works, but it is inconvenient, and we're working towards eliminating it.) – Harry Johnston Mar 01 '19 at 22:31

1 Answer

As you're asking for a hint, the following should point you in the right direction; you can tailor these to your specific needs.

Using a Group Policy, you can configure any combination of User Rights Assignments under Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment:

  • Access this computer from the network
  • Allow log on locally
  • Allow log on through Remote Desktop Services
  • Deny log on locally
  • Deny log on through Remote Desktop Services

To achieve the desired result, you could:

  • Apply a GPO to all machines in DEP1 to apply the "Deny log on locally" user right to DEP2\Domain Users (and vice-versa), or
  • Apply a GPO to all machines in DEP1 to apply the "Allow log on locally" user right to only Administrators and DEP1\Domain Users (and vice-versa) -- though this would break logons by local accounts, or
  • Apply a GPO that removes Authenticated Users from the local Users group,
  • et cetera
Semicolon
  • +1, but one quibble: using "Deny log on locally" as per your first bullet point might not be secure enough, because a hypothetical malicious administrator in DEP2 could create an account that isn't in Domain Users. Depends on what sort of risk scenario the auditors were worried about, I suppose. – Harry Johnston Mar 01 '19 at 22:36
  • Oh, and [this old answer of mine](https://serverfault.com/a/923751/94065) addresses the problem you raise in your second bullet point about local accounts. – Harry Johnston Mar 01 '19 at 22:44
  • Thanks for your answer. Hopefully our security auditor will accept it. However, for those who are searching for a link: http://www.rebeladmin.com/2014/06/control-logins-in-parent-child-domain-environment-using-group-policies/ (It's not mine) – stackoverflowuser Mar 04 '19 at 16:02
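The answer above tells you which User Rights Assignments to set in the GPO; what the auditor will actually want to see is proof that the policy landed on the DEP1 machines. The following PowerShell script is an added example (not code from the answer, the question, or the linked rebeladmin article): run elevated on a DEP1 member after `gpupdate /force`, it exports the effective user rights with `secedit`, resolves the SIDs to names, prints the five rights listed in the answer, and flags the gaps from the answer's first two bullets (DEP2\Domain Users missing from "Deny log on locally", a DEP2 principal still in "Allow log on locally", and BUILTIN\Users dropped from the allow list, which is what breaks local accounts). The NetBIOS names `DEP1`/`DEP2` and the principal `DEP2\Domain Users` are assumptions; pass your own via the parameters.

```powershell
# Added example, not part of the original answer: verify on a DEP1 member that the
# User Rights Assignment GPO described above took effect. Run elevated (secedit needs
# it) after "gpupdate /force". Assumptions: NetBIOS names DEP1/DEP2, and that the GPO
# puts "DEP2\Domain Users" into "Deny log on locally"; adjust the parameters if not.
param(
    [string[]]$MustDeny   = @('DEP2\Domain Users'),
    [string]  $DenyPrefix = 'DEP2\'
)

# secedit constant name -> the display name shown in the Group Policy editor.
$RightNames = [ordered]@{
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

function Resolve-PolicyEntry {
    param([string]$Entry)
    # secedit writes principals as "*<SID>". Resolve to DOMAIN\Name; if the owning DC
    # cannot be reached (or the SID is stale) keep the raw SID so it is still visible.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }
}

function Export-UserRights {
    # Export only the USER_RIGHTS area of the effective local security policy and
    # parse the [Privilege Rights] section of the UTF-16 INF file secedit produces.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $inSection = $false
    $rights = @{}
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(?<name>.+)\]\s*$') { $inSection = ($Matches['name'] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(?<right>\S+)\s*=\s*(?<val>.*)$') {
            $right   = $Matches['right']
            $entries = $Matches['val'].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            $rights[$right] = @($entries | ForEach-Object { Resolve-PolicyEntry $_ })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-LogonRestriction {
    param([hashtable]$Rights)
    $problems = @()
    $deny  = @($Rights['SeDenyInteractiveLogonRight'])
    $allow = @($Rights['SeInteractiveLogonRight'])
    # Bullet 1 of the answer: the other domain's users must be in the deny list.
    foreach ($p in $MustDeny) {
        if ($deny -notcontains $p) { $problems += "'$p' is missing from 'Deny log on locally'" }
    }
    # Bullet 2 of the answer: nothing from DEP2 may remain in the allow list, and
    # narrowing that list without BUILTIN\Users locks out local (non-admin) accounts.
    foreach ($p in $allow) {
        if ($p.StartsWith($DenyPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $problems += "'$p' is still granted 'Allow log on locally'"
        }
    }
    if ($allow -notcontains 'BUILTIN\Users') {
        $problems += "'Allow log on locally' no longer contains BUILTIN\Users; local non-admin accounts cannot log on"
    }
    return $problems
}

$rights = Export-UserRights
foreach ($r in $RightNames.Keys) {
    "{0} ({1}):" -f $RightNames[$r], $r
    if ($rights.ContainsKey($r)) { foreach ($e in $rights[$r]) { "    $e" } } else { "    (not assigned)" }
}
$issues = Test-LogonRestriction -Rights $rights
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
'Logon restriction verified on {0}.' -f $env:COMPUTERNAME
```

The printed deny list is the evidence to hand to the auditor, and it also makes Harry Johnston's quibble concrete: a deny on DEP2\Domain Users only catches accounts that are actually members of that group, so an account created in DEP2 with a different primary group would not appear in it. Because the script resolves whatever SIDs are present rather than assuming group names, it works unchanged if you deny a broader custom group instead; extend `$MustDeny` (and check `SeDenyRemoteInteractiveLogonRight` and `SeNetworkLogonRight` the same way) to cover RDP and network logons, which the local-logon deny alone does not block.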