Security Basics mailing list archives
Re: AD Child Domains
From: John Bailey <rekkanoryo () rekkanoryo org>
Date: Thu, 24 Apr 2008 18:05:20 -0400
Rob McShinsky (Verizon) wrote:
> If password policies were the only reason they want to move to a separate domain, Windows Server 2008 will have the ability to set different password policies for subsets of users.
>
> As far as trusts, I would stick with a transitive trust between the two domains. If there would be any data sharing between the 2 domains, i.e. file shares, applications that use AD for authentication, etc., this could get sticky with just a one-way trust in one or the other direction.
>
> Rob McShinsky
> http://www.virtuallyware.net
There is also Password Policy Enforcer (from http://anixis.com/products/ppe/), which works with Windows 2003 and Windows 2000 domains and can set numerous password policies. The client software is needed for your workstations only if you wish to take advantage of PPE's stronger password complexity and similarity checking. This eliminates the need for multiple domains to enforce multiple password policies, and leaves access controls to the ACLs.

John