Security Basics mailing list archives

Re: AD Child Domains


From: John Bailey <rekkanoryo () rekkanoryo org>
Date: Thu, 24 Apr 2008 18:05:20 -0400

Rob McShinsky (Verizon) wrote:
> If password policies were the only reason they want to move to a separate
> domain, Windows Server 2008 will have the ability to set different password
> policies for subsets of users. As far as trusts, I would stick with a
> transitive trust between the two domains. If there would be any data
> sharing between the 2 domains, i.e. file shares, applications that use AD for
> authentication, etc., this could get sticky with just a one-way trust in
> one or the other direction.
>
> Rob McShinsky
> http://www.virtuallyware.net

There is also Password Policy Enforcer (from http://anixis.com/products/ppe/),
which works with Windows 2003 and Windows 2000 domains and can set numerous
password policies.  The client software is needed for your workstations only if
you wish to take advantage of PPE's stronger password complexity and similarity
checking.  This eliminates the need for multiple domains to enforce multiple
password policies, and leaves access controls to the ACLs.

John
