
Child Domains / Accounts


  • Child Domains / Accounts

    I am in an organization with 12 sites. Currently all of them have NT 4 Domains and we have gotten a server for each site that will have 2003.

    - We also have a 2003 domain with an exchange member server.
    - Gigabit WAN between sites.

    All of the users for the entire organization already have user accounts on the Root domain controller for email.
    There is no concern for any resources on the NT domains, so it's pretty much a fresh start in all of the branch offices.
    I am considering making all of the branch offices new child domains of the current 2003 domain we use for Exchange. Since all of the users already have accounts, I know that I cannot create them again in the branch child domains, and I'm not sure how to go about moving them without affecting the Exchange accounts.
    The users ideally will have roaming profiles within the child they are assigned to. I considered creating a domain local group in a child domain, and adding a global group from the root with the members that would be local to that child, but am not sure how the authentication / policies will work seeing how the accounts don't reside directly on the child domain.

    Any ideas, thoughts, and help is greatly appreciated.

  • #2
    Re: Child Domains / Accounts

    I am a little confused... Why do you need child domains? You can use the AD you already have and join all the sites' resources to the already existing AD domain.
    The only thing you will gain from creation of child domains is management overhead.

    If security is your concern, you should realize that the real security boundary is a forest and not a domain.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Child Domains / Accounts

      First off, thanks a lot for your reply. I am new to AD and this project has been pushed onto my plate.

      So with this scenario each site will be an additional DC in the existing domain.

      Here are some things I would like to accomplish.

      In the 12 sites, there are users who will actually be logging into client machines. I want these users to have roaming profiles, but I do not want them to be able to log in locally at any of the other sites.

      I have users in each site that just have accounts for Exchange/OWA purposes and do not want them to be able to log on to client machines at all.

      I'm assuming that this could be done via GP on OUs set up for the specific sites.

      Any more comments, suggestions or a little push in the right direction is greatly appreciated.



      • #4
        Re: Child Domains / Accounts

        Ok so I think I have partially answered my own question.

        In AD Sites & Services, I would set up a site for each location, enter the subnet for that location and assign that to the appropriate server.

        I can then set the profile path for the user to that server, but how do I limit them to only logging on within their site locally?

        Could I use the "Deny Logon Locally" policy to prevent the accounts used for just OWA access from logging into any client machines?

        Thanks again.


        • #5
          Re: Child Domains / Accounts

          Hi nolan.
          The way we did it in our AD was to define groups for the various users (in this case you could put all the users from a site into a respective group) and then use the GP setting "Allow log on locally" (in "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment") and specify the groups we wanted to log on. When you do this, only the groups you specify will be able to log on and no others, so be sure to include the admins' group. You can make one for each site and then apply them to their respective sites.

          Network Consultant/Engineer
          Baltimore - Washington area and beyond


          • #6
            Re: Child Domains / Accounts

            Though it's rather rare to stumble upon such a setup, you can create GPOs linked to sites and configure logon rights per site. Watch out though for the DCs and servers - you will want to filter those out in the GPO's ACL.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"
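The approach described in #5 and #6 (one GPO per AD site, "Allow log on locally" restricted to that site's group plus the admins, the GPO filtered so DCs and servers never receive it), with the "Deny log on locally" right from #4's question for the mailbox-only accounts, as an added example that is not from any of the posters. It assumes an admin workstation with the RSAT GroupPolicy and ActiveDirectory modules; the site, group and domain names are constructed placeholders, and the template text at the end is what the GPO editor writes for these two rights, shown because the GroupPolicy module has no cmdlet for User Rights Assignment.

```powershell
# Added example: per-site logon-rights GPO. Names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$SiteName   = 'Baltimore'               # site defined in AD Sites & Services (placeholder)
$UserGroup  = 'Baltimore-Users'         # global group: users allowed to log on at this site
$WksGroup   = 'Baltimore-Workstations'  # global group: the site's client computer accounts
$OwaOnlyGrp = 'OWA-Only-Accounts'       # mailbox-only accounts that must never log on interactively
$GpoName    = "Logon Rights - $SiteName"

# A site lives in the configuration partition, so the link target is its DN there.
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$SiteDN   = "CN=$SiteName,CN=Sites,$ConfigNC"

# 1. Create the GPO if it does not exist yet and link it to the site (not the domain).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Interactive logon rights for site $SiteName"
}
try {
    New-GPLink -Name $GpoName -Target $SiteDN -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Host "Link to $SiteDN already exists or could not be created: $($_.Exception.Message)"
}

# 2. Security filtering (post #6's point): Authenticated Users keeps Read only,
#    and Apply is granted solely to the site's workstation group. DCs and member
#    servers are not in that group, so this GPO never touches their logon rights.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $WksGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. The rights themselves are set in the GPO editor under
#    Computer Configuration\Windows Settings\Security Settings\Local Policies\
#    User Rights Assignment. The editor stores them in the GPO's GptTmpl.inf as
#    SIDs prefixed with '*'. Defining "Allow log on locally" REPLACES the machine's
#    list, which is why BUILTIN\Administrators must be listed (post #5's caveat).
#    "Deny log on locally" is evaluated before Allow, so it wins for OWA-only accounts.
$adminsSid = 'S-1-5-32-544'                          # BUILTIN\Administrators
$usersSid  = (Get-ADGroup $UserGroup).SID.Value
$owaSid    = (Get-ADGroup $OwaOnlyGrp).SID.Value
$gptTmpl = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *$adminsSid,*$usersSid
SeDenyInteractiveLogonRight = *$owaSid
"@
Write-Host "Security template the editor writes for '$GpoName':`n$gptTmpl"

# 4. Verify the scope: only the workstation group should hold Apply.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

Two things to check after running it. Group Policy is processed local, site, domain, OU, so a domain- or OU-linked GPO that also defines `SeInteractiveLogonRight` (the Default Domain Controllers Policy, for instance) overrides this site-linked one; the security filtering, not the link order, is what keeps servers out of scope. And because the Allow right replaces the local list, test the first site's GPO on one workstation and confirm an administrator can still log on before rolling it out to the other eleven.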