Go to Google, type in "Token limitation" and click on the first item...


On 7/23/06, Grillenmeier, Guido < [EMAIL PROTECTED]> wrote:
> because the objects that need to go in that domain really do need to get out of our current user environment.
 
Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean with "user environment".
 
If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible for the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:10 PM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment.

But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest.  We're looking at other options internally and it's possible that we may not need security isolation for these other domains.  Time will tell.

You've all been very helpful, thank you.  Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust" any more :)


On 7/22/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:
you might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest.  Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create "semi-isolated" units within a single AD domain.
 
Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.
 
/Guido
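As an added illustration of the delegation approach described above (not code from the thread or its participants): a PowerShell check that lists which principals hold write-level rights on a given OU, so you can verify that a "semi-isolated" OU is in fact controlled only by the intended delegated group plus the built-in admin groups that cannot be locked out within a domain. It assumes the ActiveDirectory module is installed; the OU distinguished name and the delegated group name are placeholders.

```powershell
# Added example: audit delegated rights on an OU. Assumptions: ActiveDirectory
# module available; $OuDn and $ExpectedAdmin are placeholders for your own values.
Import-Module ActiveDirectory

$OuDn          = 'OU=Resources,DC=example,DC=com'   # placeholder OU
$ExpectedAdmin = 'EXAMPLE\Resource-Admins'           # placeholder delegated group

# Rights that amount to control over the OU or the objects under it.
$WriteLevel = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll   -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl    -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner   -bor
              [System.DirectoryServices.ActiveDirectoryRights]::CreateChild  -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# The AD: PSDrive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$OuDn"

# Allow ACEs (explicit or inherited) that carry any of the write-level rights.
$holders = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.ActiveDirectoryRights -band $WriteLevel) -ne 0) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited -Unique

"Owner of $OuDn : $($acl.Owner)"
$holders | Format-Table -AutoSize

# Domain Admins / Enterprise Admins / SYSTEM / BUILTIN\Administrators will
# always show up and cannot be excluded inside a single domain or forest.
# Enterprise Admins is prefixed with the forest root domain name; adjust if
# the OU lives in a child domain.
$builtin = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
           "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"

$unexpected = $holders | Where-Object {
    $_.IdentityReference.Value -ne $ExpectedAdmin -and
    $_.IdentityReference.Value -notin $builtin
}

if ($unexpected) {
    'Write-level holders other than the delegated group and built-in admins:'
    $unexpected | Format-Table -AutoSize
} else {
    'Only the delegated group and built-in admin principals hold write-level rights.'
}
```

Run it against each OU you intend to delegate; inherited ACEs (IsInherited = True) usually come from the domain head and explain why full isolation inside one domain is not achievable.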


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel     : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>


From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest?

The only way to have a non 2-way trust is to make a separate forest?

