Among many other reasons, having them in the same domain context as you means they are part of your "Domain Users" which gives them full read access to all of your AD and access to any "public" areas on file servers, etc. you may have.
It depends how much management care, but I wouldn't want an external company knowing exactly how our AD was planned out, how our sites were set up, what our DNS looked like, where our "crown jewels" were, how we assigned security permissions, etc.

And that's assuming you're actually perfect and don't make any permissioning mistakes! In case you're not perfect ... access to confidential/DPA relevant data, etc. would be a definite issue - especially outside the USA. Could well land you with a regulatory fine if you haven't shown due diligence and allow protected data to leak out of your company.

alan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Stegman, Bill
Sent: 26 January 2009 20:03
To: [email protected]
Subject: customer user accounts and internal user accounts on same domain

Hi,

I'm trying to dissuade management from allowing user accounts to be created on the same domain as our company users for what I feel are obvious reasons, but when pressed for specific issues I'm at a bit of a loss. I cited reasons such as:

- A clear demarc between customer accounts and our own accounts
- Not giving any unnecessary rights due to inheritance, but rather having to apply the appropriate permissions rather than remove permissions to attain the desired result

They want to extend a service we offer to our internal employees to a partner. I suggested creating an extranet and using accounts from a separate domain rather than our own, but there is additional overhead imposed by such a design... duh... but I'm hoping to throw out an established standard or something to help my argument.

Thank you,

Bill Stegman
MCSE 2003, CCNP, CCSP, CCIP, INFOSEC, MCTS:Vista
Network Engineer
Crump Life Insurance Services
4250 Crums Mill Rd
Harrisburg, PA 17112
Phone: 717.657.0789 Ext. 4202
Fax: 717.703.4947
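As an added illustration of the reply's point about "Domain Users" and the "public" areas on file servers (this example is not part of the original thread), the following sketch lists folder ACL entries that any account created in the domain would pick up automatically. It assumes a CSV export with the columns shown; the sample rows, the `CORP` domain name and the share paths are constructed.

```python
import csv
import io

# Constructed sample, not real data. Column layout is an assumption: the .NET
# FileSystemAccessRule property names plus a Path column added by the exporter.
SAMPLE_ACL_CSV = r'''Path,IdentityReference,FileSystemRights,AccessControlType,IsInherited
D:\Shares\Public,CORP\Domain Users,"Modify, Synchronize",Allow,False
D:\Shares\Public,BUILTIN\Administrators,FullControl,Allow,False
D:\Shares\Finance,NT AUTHORITY\Authenticated Users,"ReadAndExecute, Synchronize",Allow,True
D:\Shares\Finance,CORP\Finance Staff,"Modify, Synchronize",Allow,False
D:\Shares\HR,Everyone,FullControl,Deny,False
D:\Shares\Projects,BUILTIN\Users,"ReadAndExecute, Synchronize",Allow,True
'''

# Principals every account created in the domain belongs to automatically
# (BUILTIN\Users through the default Domain Users nesting on member servers).
BROAD_EXACT = {"everyone", r"nt authority\authenticated users", r"builtin\users"}
WRITE_RIGHTS = {"FullControl", "Modify", "Write", "WriteData", "AppendData",
                "Delete", "ChangePermissions", "TakeOwnership"}


def is_broad(identity):
    """True if the ACE principal covers all domain accounts, partners included."""
    name = identity.strip().lower()
    return name in BROAD_EXACT or name.endswith(r"\domain users")


def find_broad_grants(csv_text):
    """Return (path, identity, 'write'|'read') for each Allow ACE on a broad group."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AccessControlType"].strip().lower() != "allow":
            continue  # Deny entries do not grant access
        if not is_broad(row["IdentityReference"]):
            continue
        rights = {r.strip() for r in row["FileSystemRights"].split(",")}
        level = "write" if rights & WRITE_RIGHTS else "read"
        findings.append((row["Path"], row["IdentityReference"], level))
    # Write-capable grants first, then by path
    return sorted(findings, key=lambda f: (f[2] != "write", f[0]))


if __name__ == "__main__":
    for path, identity, level in find_broad_grants(SAMPLE_ACL_CSV):
        print(f"{level:5}  {path}  <-  {identity}")
```

Every path this reports is one a partner account in the same domain could reach without anyone granting it anything, which is the inheritance problem raised in the original message.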
