Home page logo

basics logo Security Basics mailing list archives

Re: AD Child Domains
From: John Bailey <rekkanoryo () rekkanoryo org>
Date: Thu, 24 Apr 2008 18:05:20 -0400

Rob McShinsky (Verizon) wrote:
If password policies were the only reason they want to move to a separate
domain, Windows Server 2008 will have the ability to set different password
policies for subsets of users. As far as trusts, I would stick with a
transitive trust between the two domains.  If there would be any data
sharing between the 2 domains i.e. file shares, applications that use AD for
authentication etc..., this could get sticky with just a one way trust in
one or the other direction. 

Rob McShinsky

There is also Password Policy Enforcer (from http://anixis.com/products/ppe/),
which works with Windows 2003 and Windows 2000 domains and can set numerous
password policies.  The client software is needed for your workstations only if
you wish to take advantage of PPE's stronger password complexity and similarity
checking.  This eliminates the need for multiple domains to enforce multiple
password policies, and leaves access controls to the ACLs.


Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]