Home page logo

basics logo Security Basics mailing list archives

AD Child Domains
From: Raoul Armfield <armfield () amnh org>
Date: Wed, 23 Apr 2008 14:42:30 -0400

We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users do not need/want (and are very vocal about it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through completely and am missing some important factors to consider. Your thoughts would be greatly appreciated.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]