rui
Guest
Posted: Mon Feb 14, 2005 3:41 pm
Post subject: Domain Issue

I have currently got a test setup with 3 2003 domains (A, B & C - all in separate forests).
Domain A is a resource domain, so it has a one way outgoing trust to both B & C. There are no other trusts configured.
Domain Admins in B & C set up their users with their appropriate permissions on the file server in Domain A. Everything works fine.
But this is the thing; when an admin in either Domain B or C uses an NT client to configure its users on the file share in domain A it can browse both domains B & C and see all the user accounts in both those domains. If they use a 2000/XP client they get challenged.
I don't want the admins to be able to browse through another domain but their own because it is a security risk, but I must allow NT clients on the domain.
What can I do with this NetBIOS issue?
Thanks
Roger Abell
Guest
Posted: Mon Feb 14, 2005 9:10 pm
Post subject: Re: Domain Issue

What NetBIOS issue?
As I read your post

Quote: when an admin in either Domain B or C uses an NT client to configure its users on the file share in domain A it can browse both domains B & C and see all the user accounts in both those domains

is expected behavior when
1. A is account domain, so accounts used in B and C are defined there
and
2. They have logged into a machine in domain A
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
burano
Guest
Posted: Tue Feb 15, 2005 1:01 am
Post subject: Re: Domain Issue

Hi,
Sorry I wasn't being clear. Say for example I log onto the PDC in an NT 4.0 domain (call it dom A) and I want to set a user's permission on a file server in Dom B (resource domain). I can also browse all other accounts in domain C. There are no trusts between A and C.
Now if I do the same thing from a 2000 machine in Dom C I cannot browse the other domain A. What happens is that a challenge appears asking for a username and password.
Roger Abell
Guest
Posted: Tue Feb 15, 2005 6:48 am
Post subject: Re: Domain Issue

OK, I think I am with you now.
With the a,b,c as just redefined
b is resource domain, version unspecified
a is NT 4 domain
c is other domain, version unspecified, existence in same forest as b, if applicable, is unspecified
b trusts a
b trusting c or using forest implicit trusts unspecified

situation
1. log into PDC of a, use ACL editor to manage settings of files shared from b, and accounts of c are visible
however
2. log into a W2k of c, use ACL editor to manage settings of files shared from b, and accounts of a are not visible without satisfying an authentication prompt

Thinking through these it seems to me that you are right, that case 1 is in error
1. even if b and c are in the same forest, when logged into a the credentials of the account in use should be recognized only by b (which trusts a), and attempts to add/browse groups outside of a or b should present prompt for account login
2. behavior makes sense

I have not seen this, have functioned in similar environments, and have not heard of this before. Sorry. There is not by chance an accidental authentication due to same name/password account existing?
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
rui
Guest
Posted: Tue Feb 15, 2005 3:09 pm
Post subject: Re: Domain Issue

Thanks Roger, I must have some misconfiguration somewhere as this behaviour in situation 1 should not occur.