Not allowing logins across Parent/multiple child domains


  • Not allowing logins across Parent/multiple child domains

    Hello,

    I am not sure if this post should be here, but because it deals with Active Directory I thought I would give it a shot. I did a search of this site, as well as Google, and also a couple of books, but could not find anything like this posted (of course, my search skills could be lacking...), so if this is something that has been covered, could someone please point me in that direction.

    We have implemented a domain structure with one parent and multiple child domains across different IP ranges (parent: 10.0.200.x, child 10.0.39.x, another child 10.0.56.x, etc.). Parent domain is like: school.com, and child domains are like: child1.school.com, child2.school.com and so on.
    Our Active Directory is using multiple Organizational Units to organize users into their various locations - child1, child2, mainoffice, etc.
    This domain structure is working fine at present, except I don't want someone from child1.school.com to be able to travel to the child2 location and log on to child2.school.com. Currently, a Domain User can log into child1.school.com, or child2.school.com or any others from any location.
    We have no Group Policy Objects in place at this time.
    We have a mixture of Windows 2008 Server, Windows 2003 Server, and some left over Windows 2000 servers that will be upgraded soon.

    Can someone help me with how I would control something like this?

    Thank you, and sorry for the long post.

    Ron

  • #2
    Re: Not allowing logins across Parent/multiple child domains

    Here's a total stab in the dark as I don't generally work with parent\child domain scenarios:

    In each child domain, configure the Default Domain Controllers Policy GPO to deny users from the other child domains the right to access this computer from the network. That should make their attempt to log on to the restricted domain unsuccessful.

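One way to confirm what the GPO change suggested in #2 actually wrote, added here as an example and not posted by anyone in the thread: the "Deny access to this computer from the network" right is stored as `SeDenyNetworkLogonRight` in the GPO's `GptTmpl.inf` security template, and this script parses that file and reports expected principals that are missing or dangerously broad ones that are present. The sample template, the SID and the `CHILD2`/`CHILD3` NetBIOS names are constructed placeholders.

```python
# Added example: audit a GPO security template (GptTmpl.inf) for deny-logon rights.
import configparser

# Constructed sample; the SID and the CHILD2/CHILD3 NetBIOS names are placeholders.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513,CHILD2\\Domain Users
"""

# Well-known SIDs whose presence in a deny right risks locking out everyone
# (deny overrides allow), administrators included.
TOO_BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
             "S-1-5-32-544": "BUILTIN\\Administrators"}

def load_template(path):
    """Read GptTmpl.inf from disk; SYSVOL copies are normally UTF-16 with a BOM."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")

def privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the case of right names
    cp.read_string(text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in cp.items("Privilege Rights")}

def missing_denies(text, expected, right="SeDenyNetworkLogonRight"):
    """Expected principals (SID or name) that the deny right does not list."""
    listed = {p.lstrip("*").lower() for p in privilege_rights(text).get(right, [])}
    return [e for e in expected if e.lstrip("*").lower() not in listed]

def broad_denies(text, right="SeDenyNetworkLogonRight"):
    """Names of lockout-prone well-known groups found in the deny right."""
    return [TOO_BROAD[p.lstrip("*")] for p in privilege_rights(text).get(right, [])
            if p.lstrip("*") in TOO_BROAD]

if __name__ == "__main__":
    print(privilege_rights(SAMPLE_GPTTMPL)["SeDenyNetworkLogonRight"])
    print("missing:", missing_denies(SAMPLE_GPTTMPL, ["CHILD2\\Domain Users", "CHILD3\\Domain Users"]))
    print("too broad:", broad_denies(SAMPLE_GPTTMPL))
```

For a live check, pass the output of `load_template()` on the policy's `MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under SYSVOL instead of the constructed sample.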


    • #3
      Re: Not allowing logins across Parent/multiple child domains

      Hi there Joeqwerty!

      Thanks for the quick reply.

      I was looking to do what you suggested, but in the Local Security Policy on the child1.school.com, but didn't see any entries that would enable/disable this. Which entry do you think I should try?


      Thinking this over, and before trying it (which I will), I don't think your suggestion will work for us because we will all use our email addresses for our logins. So, instead of [email protected] or [email protected] to log in, everyone will use [email protected] at all the different child sites, each user being placed into a corresponding OU in the parent DC. I am thinking configuring the Default Domain Controllers Policy GPO at a specific child DC will work to keep out those whose accounts are not located at the child DC (there won't be any accounts other than the built-in ones at the child DCs). Am I wrong in this?

      Again, thanks!

      Ron



      • #4
        Re: Not allowing logins across Parent/multiple child domains

        If I understand you correctly, I think you're on the right track. Give it a try and see what happens. If it doesn't work or creates unintended effects, you can always back out of it.



        • #5
          Re: Not allowing logins across Parent/multiple child domains

          I finally got around to doing this. It works just as I wanted!!!! Ayieeeeee!!!! Thanks for the help, I really appreciate it.
          Ron



          • #6
            Re: Not allowing logins across Parent/multiple child domains

            Glad to hear it and thanks for posting back.
