Sent: Thursday, April 01, 2004 12:36 AM
Subject: [ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest
Hello all,

Having moved all of our users from an NT4 account domain to a Windows 2003 domain, we have a requirement to set policies on our Citrix servers, which sit in a separate Windows 2000 forest, to control policies for users from our trusted single-domain Windows 2003 forest, e.g. to run registry editing tools, etc.

This is a bit long-winded, but this is what we are trying to do and we are not sure how to proceed:

The "Default User" on the Citrix servers is configured with some default settings, including the "disable registry editing tools" policies.

When we were still using an NT4 account domain the Citrix servers were configured to get .POL files from the hard drive instead of the DCs; this way we had NT4 policies that were only in effect when logging into the Citrix servers, and there were also group membership controls in the .POL files so that admin accounts had the policies lifted.

The problems we need to solve are:

1. Policy lockdown for users coming from outside the Win2k domain (where the Citrix servers live) when they log on to the Citrix servers.

At present we are relying on the settings inherited from "Default User" for the Win2k3 domain accounts. We need a way to have policies that apply to the Win2k3 domain users, but only when they log on to the Citrix servers (which are the only member computers in the Win2k domain). Policy loopback has been suggested (apply the computer policy to users regardless of the domain they logged on from), which looks promising, assuming they can be controlled by user group memberships (in the Win2k3 domain) to stop the admins getting the user policies.

2. Not to apply the policies for admin Win2k3 domain accounts when logging onto the Citrix boxes.

Cross-forest GPOs only work when both domains are W2K3, which I would expect is not going to happen any time soon. And we need to relax the policies being picked up by the admins.

Hope this makes sense!?
Stephen Wilkinson
Tel +44(0)207 4759276
Mobile +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]
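The loopback-plus-group-filtering design the post is asking about, as an added example that is not part of the original message or of any reply to it. It assumes a domain controller or admin workstation with the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later; on the Windows 2000 domain in the post the same two settings would be made in the Group Policy Editor by hand), and it uses placeholder names for the OU, the GPOs and the group. The split into two GPOs is deliberate: the loopback switch is a computer setting and must still be applied to the Citrix computer accounts, so it cannot live in the same GPO whose Apply permission is narrowed to a user group.

```powershell
# Added example (not from the original post). Assumes the GroupPolicy module.
# All names below are placeholders: adjust OU path, GPO names and group name.
Import-Module GroupPolicy

$CitrixOu      = 'OU=Citrix Servers,DC=w2kforest,DC=example'  # placeholder OU holding only the Citrix computers
$LoopbackGpo   = 'Citrix - Loopback Replace'                   # placeholder, applies to the computers
$LockdownGpo   = 'Citrix - User Lockdown'                      # placeholder, applies to locked-down users
$LockedGroup   = 'Citrix Locked Users'                         # placeholder: a domain local group in the
# Win2k (resource) domain that nests the trusted Win2k3 forest's global group of ordinary users.
# Admin accounts are kept out of this group, so they never receive the lockdown settings.

# --- GPO 1: turn on loopback processing for the Citrix computers ----------------
# Left with the default security filtering (Authenticated Users: Read + Apply), so the
# computer accounts themselves apply it.
New-GPO -Name $LoopbackGpo -Comment 'Loopback so user settings from this OU apply to any logging-on user' | Out-Null
New-GPLink -Name $LoopbackGpo -Target $CitrixOu -LinkEnabled Yes | Out-Null

# Computer Configuration > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode".
# UserPolicyMode: 1 = Merge (user's own GPOs first, then these), 2 = Replace (these only).
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# --- GPO 2: the user-side lockdown, filtered to the locked-down group -------------
New-GPO -Name $LockdownGpo -Comment 'User lockdown, applied via loopback only on Citrix servers' | Out-Null
New-GPLink -Name $LockdownGpo -Target $CitrixOu -LinkEnabled Yes | Out-Null

# User Configuration > Administrative Templates > System >
# "Prevent access to registry editing tools" (the setting named in the post).
Set-GPRegistryValue -Name $LockdownGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# Security filtering: Authenticated Users keep Read (the computer must still be able to
# read the GPO during loopback processing) but lose Apply; only the locked-down group
# gets Apply. Anyone outside that group, including the admins, is not affected.
Set-GPPermission -Name $LockdownGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $LockdownGpo -TargetName $LockedGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# --- Read back what was set, before anyone logs on ------------------------------
Get-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $LockdownGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ValueName 'DisableRegistryTools'
Get-GPPermission -Name $LockdownGpo -All
```

Two things to check on a test Citrix server afterwards: `gpresult /r` run as a locked-down user should list the lockdown GPO under the user section, and the same command run as an admin should show it as filtered out by security. Replace mode (value 2) is the closer match to the old hard-drive .POL behaviour, since the user's own domain GPOs are ignored on the Citrix box; use Merge (value 1) if settings from the Win2k3 domain should still come through underneath.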