Re: AD Child Domains
From: pinowudi <pinowudi () gmail com>
Date: Thu, 24 Apr 2008 06:39:29 -0400
PCI compliance objectives apply to everyone in an organization, not
excluding a 'vocal minority' or anyone else. If they have a real
argument for not conforming to the standards, they can present a
business case that demands they not comply to complete some essential
business function. The executive officer in charge of security
(CTO/CIO/CFO) will have to make the call whether to bring them into
compliance or accept the risk of having them in non-compliance. So long
as your recommendations are clearly noted in the supporting
documentation and email threads and the exception is documented in
writing, it should not reflect poorly on you, but will show as an
acceptance of known risk by the executive tribe. Then you can justify
the cost of maintaining a separate AD structure for that function, or
demonstrate the ROI of bringing them into the fold.
Raoul Armfield wrote:
> We are in the process of making a modification to our AD structure. For
> PCI compliance we need to segregate a portion of our users to a separate
> domain. This set of users does not need/want (and is very vocal about
> it) to follow the stricter password policy that PCI mandates.
>
> I understand that when you create a child domain it by default creates a
> two-way transitive trust between the two domains. Is it possible to
> limit this trust relationship to a one-way trust relationship? If this
> is possible it seems to me that it may be preferable to creating a new
> forest just for a couple of hundred users.
>
> Of course it is entirely possible that I am not thinking this through
> completely and am missing some important factors to consider. Your
> thoughts would be greatly appreciated.
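Added example, not part of either message in this thread: a PowerShell check a domain administrator can run to list the trusts visible from the current domain and see which of them can actually have their direction restricted. It assumes the ActiveDirectory RSAT module is available and the session has read access to the trust objects. The check rests on a property of Active Directory rather than anything the thread states: the parent-child trust created with a child domain is intra-forest, two-way and transitive, and cannot be turned into a one-way trust; a restricted direction (and selective authentication or SID filtering) is only available on an external or forest trust to a separate forest, which is the trade-off the question turns on.

```powershell
# Added example (not from this thread). Assumes the ActiveDirectory RSAT
# module is installed and the session runs as a user who can read trusts.
Import-Module ActiveDirectory

function Get-TrustDirectionReport {
    # Enumerate every trust object in the current domain.
    $trusts = Get-ADTrust -Filter *

    foreach ($t in $trusts) {
        # Intra-forest trusts (parent-child, tree-root) are always two-way and
        # transitive; their direction cannot be restricted. Only external or
        # forest trusts to another forest can be one-way, selective, or filtered.
        $restrictable = -not $t.IntraForest

        [PSCustomObject]@{
            Target                  = $t.Target
            Direction               = $t.Direction            # BiDirectional / Inbound / Outbound
            IntraForest             = $t.IntraForest
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            DirectionRestrictable   = $restrictable
            Note                    = if ($restrictable) {
                'cross-forest trust: direction, selective auth and SID filtering apply'
            } else {
                'intra-forest trust: always two-way transitive, cannot be made one-way'
            }
        }
    }
}

# Usage: print the report; any child domain shows up with IntraForest = True.
Get-TrustDirectionReport | Format-Table -AutoSize
```

Run it from a domain controller or a workstation with RSAT in the domain that holds the PCI-scoped users. A row with IntraForest set to True confirms the child-domain design leaves a two-way transitive trust in place; only rows with IntraForest False are candidates for a one-way direction, selective authentication or SID filtering.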