What do you mean by have the teacher access the students' computers? Do you mean access the students' workstations as admins?

If that is what you mean, you could set up a couple of groups in the domain. Students and Teachers. All workstations get teachers in the administrators group and only student workstations get students in the admin group. Also, teachers' computers get students added to deny local logon and deny network access.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Friday, June 10, 2005 2:06 PM
To: [email protected]
Subject: Re: [ActiveDir] Sites to restrict traffic,

Thanks guys, well actually it's not a DMZ issue. I have a few subnets: student subnet, faculty subnet, financial system subnet, and services subnet, for example. I would like to have the teacher access the student's computers but not vice versa, or if not possible to have it work this way then block all traffic between both subnets. I do that on the physical layer by defining filters on the core switches and doing some configuration and tagging on the edge switches; I want to make my life easier if it can be done through the application layer.

r.c.

On 6/10/05, joe <[EMAIL PROTECTED]> wrote:
> Yep. The times I have fielded questions for this functionality both in
> the public space and in private consulting was all for people who
> wanted to pump AD Info to some remote site or DMZ and did not want the
> possibility of someone at the site or in the DMZ to compromise the
> machine and pump the changes back into the main AD.
>
> Until we have the RO-DCs this isn't feasible, even then, I wouldn't
> recommend putting an RO-DC in the DMZ. Configuration changes of your
> main AD is only one issue with putting internal DCs in the DMZ. You
> also have information disclosure issues as well as DOS issues.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Friday, June 10, 2005 11:10 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Sites to restrict traffic,
>
> OK, that makes sense, although as you say, this is still not possible.
>
> We don't (yet) have read-only DCs so this is just a non-starter :)
>
> I'd still like to hear the justification / explanation for such a behaviour.
>
> neil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 10 June 2005 15:32
> To: [email protected]
> Subject: RE: [ActiveDir] Sites to restrict traffic,
>
> I read that differently than you did Neil.
>
> I read it as how do I allow replication to go in one direction... Into
> a site but not from the site back say like in a weird DMZ type
> configuration or something.
>
> If that is what the question is. The answer is you don't... Successfully.
> You may get it working but it will break when the DC can't update its
> own info in the rest of the environment.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Friday, June 10, 2005 5:44 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Sites to restrict traffic,
>
> If you have your site links and costs setup correctly to reflect your
> underlying network topology and infra, then this should not be a
> concern, since you have already informed AD where and how it should
> replicate data.
>
> If 2 sites are replicating and you do not want them to, then either
> remove the link, or increase the cost, but naturally, you need to
> ensure that an alternative path exists between these 2 sites.
>
> I'm intrigued to know why you think you need to enforce these restrictions.
> If your underlying network allows data to flow from A to B then why
> not allow AD to use that underlying transport system?
>
> neil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
> Sent: 10 June 2005 09:59
> To: [email protected]
> Subject: [ActiveDir] Sites to restrict traffic,
>
> Hello,
>
> How can I use sites to prevent traffic from flowing from one site to
> another? I have a domain controller for each site, and I want to stop
> traffic flowing in a certain direction (kind of like the trust
> relationships in Windows NT).
>
> thanks
> r.c.
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> ==============================================================================
> Please access the attached hyperlink for an important electronic
> communications disclaimer:
>
> http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
> ==============================================================================
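
Added example, not part of the original thread: the group layout joe describes in the top message, written as two Group Policy security templates (GptTmpl.inf style), one for student workstations and one for teacher workstations. The domain name EXAMPLE and the group names Teachers and Students are assumptions; both templates are shown in one listing but belong in separate GPOs.

```ini
; Constructed example. EXAMPLE\Teachers and EXAMPLE\Students are hypothetical
; domain groups; SIDs in the *S-... form can be used in place of the names.

; ===== Template 1: GPO linked to the OU holding STUDENT workstations =====
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Restricted Groups entry. *S-1-5-32-544 is the built-in local Administrators
; group. The Members list REPLACES the existing membership, so the accounts
; that must keep admin rights (local Administrator, Domain Admins) are listed
; alongside the two groups from the thread.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,EXAMPLE\Domain Admins,EXAMPLE\Teachers,EXAMPLE\Students

; ===== Template 2: GPO linked to the OU holding TEACHER workstations =====
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Teachers are local admins here; Students are deliberately absent.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,EXAMPLE\Domain Admins,EXAMPLE\Teachers
[Privilege Rights]
; "Deny log on locally": Students cannot sit down at a teacher machine.
SeDenyInteractiveLogonRight = EXAMPLE\Students
; "Deny access to this computer from the network": Students cannot reach
; shares or other network logon services on a teacher machine.
; A user right defined in policy replaces the machine's existing list for
; that right, so include any accounts already denied there that must stay.
SeDenyNetworkLogonRight = EXAMPLE\Students
```

The deny rights take precedence over the matching allow rights, so a student account stays blocked on teacher machines even if it is also a member of a group that is allowed to log on.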
