Archived from groups: microsoft.public.win2000.security
A domain administrator in domain B can't by default administer domain A even
if there is a transitive trust between the domains. For an administrator in domain B
to manage domain A, he would have to be in the "A\Domain Administrator" group,
while by default he will only be in the "B\Domain Administrator" group... The same
goes the other way...
Transitive trust means e.g. if A trusts B and A trusts C then B trusts C and C
trusts B. But still the administrator in domain B is not an administrator in domain
C unless the administrator in domain C designates him as such (adds him
appropriate permissions in domain C)...
In e.g. Windows NT, when domain A trusted domain B and domain C and you
also required a trust between B and C, you had to create separate trustees,
which made large organizations hard to manage due to the large number of
trusts...
You don't have to buy a new domain name for a separate forest. You could
implement a domain such as domain.local or domain.ad, etc...
Active Directory Services and Windows 2000 or Windows Server 2003 Domains
(Part 1)
http://support.microsoft.com/default.aspx?scid=kb;en-us;310996&Product=win2000
Mike
"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:15df01c4ac57$3dd66710$a401280a@phx.gbl...
> Thanks for the response.
>
> The domain we are going to add will be managed by external
> contractors, they will have admin rights on this domain.
> As I understand it with Transitive trusts they would
> automatically have admin rights on the parent domain, but
> if I am able to remove the trust from child to parent
> (preventing parent from trusting child) then this would
> solve the problem. Although I would (I think) have to
> remove trusts from the other child domain within the
> forest.
>
> If I did this would the trusts be automatically re-built
> by W2000? or by W2003 when we upgrade?
>
> Perhaps I'm better off creating a separate forest and
> register another domain name? It would be nice from an
> administration and name-space point of view if I could set
> this up as a child domain. Any thoughts?
>
> Pete.
> >-----Original Message-----
> >Hi Pete,
> >
> >Microsoft changed its opinion on domain being security boundary due to some
> >possible exploits. Now the security boundary is the forest.
> >
> >While transitive trust can provide easy access between domains (e.g. domain
> >A and B) user B will still need permissions on resources in domain A to
> >access e.g. shares (and the other way around).
> >So if you have a share in domain A that will allow domain users (this will
> >be A\Domain Users) full control, this will not allow user in domain B to
> >access this share. To allow users in domain B to access this share,
> >administrator or other user with appropriate permissions will have to add
> >B\Domain Users to this share and grant them necessary permissions...
> >
> >If you allow default Windows 2000 permissions (everyone full control) that
> >will allow users from domain B to access resources in domain A...
> >
> >Mike
> >
> >"Pete" <anonymous@discussions.microsoft.com> wrote in message
> >news:1d2501c4ac4a$5f4ce9d0$a601280a@phx.gbl...
> >> Question:
> >> If I add a child domain is it ok to remove one of the
> >> trusts from the transitive trusts that are automatically
> >> generated (so child domain trusts parent but not the other
> >> way around) or will this be re-instated by W2000.
> >>
> >> Reason:
> >> Looking to add a domain into our name space but don't want
> >> administrators of the new domain to have access to other
> >> domains.
> >>
> >> Taken from Microsoft Documentation:
> >> Important
> >> Previously published Active Directory documentation states
> >> that a domain is a security boundary, but this
> >> documentation does not provide specific details about the
> >> level of autonomy and isolation that is possible among
> >> domains in a forest. Although a domain is, in fact, a
> >> security boundary with regard to the management of
> >> security policies for Active Directory, it does not
> >> provide complete isolation in the face of possible attacks
> >> by service administrators
> >>
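The thread makes two practical points that an administrator inheriting a multi-domain forest will want to verify rather than assume: a trust by itself does not put another domain's administrators into this domain's privileged groups (they get there only if someone adds them), and a share left at the Windows 2000 default of Everyone Full Control is reachable by every trusted domain's users. The script below is an added example, not code from the thread or from Microsoft; it audits both conditions plus the configured trusts. It assumes the ActiveDirectory and SmbShare PowerShell modules (RSAT or Windows Server 2012 and later), which is modern tooling rather than the Windows 2000/2003 environment the posters were working in, and the group list in Get-ForeignPrivilegedMembers is a chosen starting set, not a prescribed one.

```powershell
# Added example (not from the thread): audit trusts, privileged-group membership
# held by principals from other domains, and shares granting Everyone Full Control.
# Assumes the ActiveDirectory and SmbShare modules are available (RSAT / Server 2012+).
Import-Module ActiveDirectory
Import-Module SmbShare

function Get-TrustSummary {
    # One row per trust: partner, direction and transitivity flags.
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner          = $_.Name
            Direction        = $_.Direction        # Inbound, Outbound or BiDirectional
            IntraForest      = $_.IntraForest
            ForestTransitive = $_.ForestTransitive
        }
    }
}

function Get-ForeignPrivilegedMembers {
    param(
        # Assumed starting set; global groups such as Domain Admins cannot hold
        # foreign members, but the domain-local Administrators group can.
        [string[]]$Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    $localDomainDn = (Get-ADDomain).DistinguishedName
    foreach ($groupName in $Groups) {
        try {
            $group = Get-ADGroup -Identity $groupName -Properties member
        } catch {
            continue   # Enterprise/Schema Admins exist only in the forest root domain
        }
        foreach ($memberDn in $group.member) {
            # A member from another domain in this forest carries that domain's DC= suffix;
            # a member from another forest is stored under CN=ForeignSecurityPrincipals.
            $isLocal   = $memberDn.EndsWith($localDomainDn, [System.StringComparison]::OrdinalIgnoreCase)
            $isForeign = $memberDn -match 'CN=ForeignSecurityPrincipals,'
            if ($isForeign -or -not $isLocal) {
                [pscustomobject]@{
                    Group  = $groupName
                    Member = $memberDn
                    Source = if ($isForeign) { 'OtherForest' } else { 'OtherDomainInForest' }
                }
            }
        }
    }
}

function Get-EveryoneFullControlShares {
    # Flags non-administrative shares whose share-level ACL allows Everyone Full Control,
    # the Windows 2000 default permission mentioned in the thread.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -eq 'Full' } |
            ForEach-Object {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Grant = 'Everyone: Full Control' }
            }
    }
}

# Usage: run in an elevated session on a domain controller or member server.
Get-TrustSummary              | Format-Table -AutoSize
Get-ForeignPrivilegedMembers  | Format-Table -AutoSize
Get-EveryoneFullControlShares | Format-Table -AutoSize
```

Get-ForeignPrivilegedMembers reads the raw member attribute rather than expanding membership with Get-ADGroupMember, because foreign security principals from another forest cannot always be resolved by that cmdlet; matching on the distinguished name works regardless. Only the share-level ACL is checked here, so a share that is locked down by NTFS permissions on the folder can still appear in the output and needs a second look at the file-system ACL.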