This is what I would do personally... I would create a guest domain that's like guest.yourdomain.com.... Then I would alias 'usern...@yourdomain.com' to usern...@guest.yourdomain.com... This is if I am understanding you correctly.
On Thu, Jan 29, 2009 at 5:31 AM, Kevin Tunison <ktuni...@gmail.com> wrote:
> On Mon, Jan 26, 2009 at 8:02 PM, Stegman, Bill <bill.steg...@crump.com> wrote:
>> Hi, I'm trying to dissuade management from allowing user accounts to be
>> created on the same domain as our company users for what I feel are obvious
>> reasons, but when pressed for specific issues I'm at a bit of a loss. I
>> cited reasons such as:
>> A clear demarc between customer accounts and our own accounts
>> Not giving any unnecessary rights due to inheritance, but rather having to
>> apply the appropriate permissions rather than remove permissions to attain
>> the desired result
>>
>> They want to extend a service we offer to our internal employees to a
>> partner. I suggested creating an extranet and using accounts from a
>> separate domain rather than our own, but there is additional overhead
>> imposed by such a design. Duh. But I'm hoping to throw out an established
>> standard or something to help my argument.
>>
>
> The partner, if on a 2003 domain also, you can both upgrade your DCs
> to 2003 R2 and utilize Federated Services. It exists for this
> specific reason (allowing a semi-trusted domain/partner access to
> selected resources). The whitepaper from MS is here:
> http://www.microsoft.com/windowsserver2003/r2/identity_management/adfswhitepaper.mspx
>
> Specific reasons?
>
> Amount of time to run and verify a security audit in the event of a data
> breach.
>
> Amount of time to set up individual VPNs for each of their users
> (allowing a partner connection without knowing who is on the other end
> leaves no specific liability; they could easily hire hacker Joe and
> not realize until the damage is done) on top of creating specific user
> accounts. I often hear the argument, "we'll just give them their own
> logins," which quickly becomes shared login details in reality because
> it's remembering more than one login.
>
> Once ADFS is set up, it's no longer taking the time to create a new
> domain account (which potentially costs CALs, btw), but to grant
> access.
>
> Warm Regards,
>
> Kevin Tunison MCSA, MCTS:SQL 2005
> http://www.getbusinessconfident.com
>