
Let's say that we have 3 domains (and 3 DCs) where contoso.local is the root domain, dep1.contoso.local is a child domain of contoso.local, and dep2.contoso.local is another child domain of contoso.local.

[Diagram: As it currently is]

Apparently the trust relationship between those domains is transitive, which according to our security auditing company is not secure enough, and we need to remove the trust relationship between dep1.contoso.local and dep2.contoso.local.

I am aware that removing the trusts between child domains is not possible, but might there be the slightest chance of a scenario where clients from dep1 cannot log on from clients which joined the dep2 child domain, while the DCs of each domain can still see each other?

[Diagram: As intended to be]

Any hint is much appreciated.

1 Answer


As you're asking for a hint, the following should put you in the right direction; you can tailor these to your specific needs.

Using a Group Policy, you can configure any combination of User Rights Assignments under Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment:

  • Access this computer from the network
  • Allow log on locally
  • Allow log on through Remote Desktop Services
  • Deny log on locally
  • Deny log on through Remote Desktop Services

To achieve the desired result, you could:

  • Apply a GPO to all machines in DEP1 to apply the "Deny log on locally" user right to DEP2\Domain Users (and vice-versa), or
  • Apply a GPO to all machines in DEP1 to apply the "Allow log on locally" user right to only Administrators and DEP1\Domain Users (and vice-versa) -- though this would break logons by local accounts, or
  • Apply a GPO that removes Authenticated Users from the local Users group,
  • et cetera
Semicolon
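Once such a GPO is in place, a practitioner wants a way to confirm on a DEP1 workstation that the deny rights really took effect. The following PowerShell script is an added example and is not part of the answer above: it exports the machine's effective local security policy with `secedit`, parses the `[Privilege Rights]` section, translates the SIDs back to `DOMAIN\Name` form, and reports whether each named principal appears in the "Deny log on locally" (`SeDenyInteractiveLogonRight`) and "Deny log on through Remote Desktop Services" (`SeDenyRemoteInteractiveLogonRight`) lists. It assumes it is run in an elevated session on a domain-joined machine; `DEP2\Domain Users` is a placeholder for whatever group the GPO actually targets.

```powershell
# Added example, not from the original answer. Assumes an elevated session on a
# domain-joined machine; 'DEP2\Domain Users' below is a placeholder principal.

function Get-UserRightsAssignment {
    # secedit writes the effective local security policy (including user rights
    # pushed down by Group Policy) to an INF file; we only need the USER_RIGHTS area.
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $rights    = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            # Track whether we are inside the [Privilege Rights] section
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

            $rightName  = $Matches[1]
            $principals = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    # Entries are SIDs prefixed with '*'; translate to DOMAIN\Name,
                    # and fall back to the raw SID if the account cannot be resolved
                    $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid.Value }
                } else {
                    $entry
                }
            }
            $rights[$rightName] = @($principals)
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-CrossDomainLogonDenied {
    param(
        # Principals that should be denied interactive and RDP logon on this machine
        [Parameter(Mandatory)] [string[]] $DeniedPrincipal
    )
    $rights = Get-UserRightsAssignment
    # Friendly GPO setting name -> privilege constant as written by secedit
    $checks = [ordered]@{
        'Deny log on locally'                         = 'SeDenyInteractiveLogonRight'
        'Deny log on through Remote Desktop Services' = 'SeDenyRemoteInteractiveLogonRight'
    }
    foreach ($principal in $DeniedPrincipal) {
        foreach ($check in $checks.GetEnumerator()) {
            # A missing key yields $null, and $null -contains X is $false
            $present = $rights[$check.Value] -contains $principal
            [pscustomobject]@{
                Principal = $principal
                Right     = $check.Key
                Denied    = $present
            }
        }
    }
}

# Usage on a DEP1 workstation (placeholder group name):
Test-CrossDomainLogonDenied -DeniedPrincipal 'DEP2\Domain Users' | Format-Table -AutoSize
```

A `Denied = False` row means the GPO has not reached this machine (or targets a different group), so a `gpresult /r` or `gpupdate /force` is the next thing to look at. Note that a "Deny" right always overrides the corresponding "Allow" right, which is why the deny-based variant in the answer is safer than pruning the "Allow log on locally" list: it cannot accidentally lock out local accounts.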