Authenticate to one Domain, and get profile etc from another?

Discussion in 'Active Directory' started by Tim, Feb 16, 2005.

  1. Tim

    Tim Guest


    First off, I don't know much about AD. Just involved in planning a possible
    roll out of some sort of integrated directory at the university I work at,
    and at the moment, AD is looking likely.

    Is it possible to have AD use one domain just for authentication details,
    and then have the profiles, policy etc delivered by another domain?

    For example, we have a number of machines that are fully locked down as per
    an internet café, but our individual departments have machines where users
    have proper profiles etc.

    What I'm thinking is something like:

                  /        \
        StudentAuth        StaffAuth
         /      \               \
      Cafe      Labs        StaffMachines

    Is it possible to have the student use the same username and password for
    both the café and the labs, but have permissions/resources set dependent on
    the domain that the computer is on?

    We also have a significant number of Linux and Windows clients, so they would
    be authenticating from the "StudentAuth" domain too (Via LDAP or AD

    I know that trust relationships will approve the pass-through auth, but can
    we set sub-domain specific profiles/policy?


    Tim, Feb 16, 2005

  2. Tim

    Herb Martin Guest

    Depends on what you mean. But you would expect
    the domain that authenticates the USER to provide the
    user profiles, group policies, etc. AND the domain that
    authenticates the computer account to provide them for
    the computer.

    (It is technically possible for the roaming/mandatory profiles
    to originate on any server which allows that access.)

    There is a Group Policy feature (Loopback Processing)
    that allows the COMPUTER account to re-process (loopback)
    over the Group Policies using the computer account for
    locating the user policies AS IF the user account lived
    in the same domain and OUs.
    (Two modes: merge [i.e., additive/overriding] and replace.)

    Site GPOs are in some sense always done this way since
    the computer location picks them.

    Not exactly. Above you asked about Profiles and Policies,
    here you slipped in the PERMISSIONS.

    Permissions are always controlled at the RESOURCE (domain
    or computer) so in some sense it already works that way.

    Permissions are granted to Users based on the Groups to
    which they belong, but it is the RESOURCES (files, shares,
    AD objects, printers, registry keys etc.) which actually
    hold and GRANT those permissions.

    We all say it wrong most of the time, but 'Users do NOT really have
    permissions' -- the resources have the permissions which
    grant the user access.

    They will be authenticated wherever you put their account.

    They will obtain tickets (or other authentication) from the
    domain with the resources and be checked on the RESOURCE
    server for permissions to access each resource.

    Probably not, as I interpret your question.

    You might do better to define how you really want
    things to work, rather than the way you believe that
    can be achieved -- unless the answers above clarify
    it for you.

    If you are designing a solution you likely should take
    a course or engage in crash self-study to learn the basics.

    A good method can be to challenge the AD MCP
    exams, both the Administration and the Planning/Design
    together. These will force you to learn enough to make
    fairly good decisions and understand all of the options
    when seeking advice.
    Herb Martin, Feb 16, 2005
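
The loopback behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of which user settings end up effective in normal, merge and replace mode. The GPO names and setting keys are constructed for illustration (only StudentAuth, Cafe and Labs come from the question), and the model ignores Enforced links, Block Inheritance, security filtering and WMI filters.

```python
# Simplified model of Group Policy user-setting resolution with loopback.
# GPO names and setting keys below are constructed sample data.

def apply_in_order(gpos):
    """Apply User Configuration settings in processing order; later GPOs win."""
    effective = {}
    for gpo in gpos:
        effective.update(gpo["user_settings"])
    return effective

def effective_user_settings(user_scope, computer_scope, loopback=None):
    """Return the user settings in effect at logon.

    user_scope     -- GPOs in scope of the user object, in processing order
    computer_scope -- GPOs in scope of the computer object, in processing order
    loopback       -- None (normal processing), "merge" or "replace"
    """
    if loopback is None:
        # Normal: only GPOs located via the user account supply user settings.
        return apply_in_order(user_scope)
    if loopback == "replace":
        # Replace: user settings come only from GPOs located via the computer.
        return apply_in_order(computer_scope)
    if loopback == "merge":
        # Merge: the user's GPOs first, then the computer's, so the
        # computer-side GPOs override on conflict and add everything else.
        return apply_in_order(user_scope + computer_scope)
    raise ValueError("loopback must be None, 'merge' or 'replace'")

# Constructed sample: one account domain, two kinds of machines.
STUDENT_SCOPE = [{"name": "StudentAuth-Users",
                  "user_settings": {"control_panel": "allowed",
                                    "folder_redirection": "enabled"}}]
CAFE_SCOPE = [{"name": "Cafe-Kiosk",
               "user_settings": {"control_panel": "blocked",
                                 "run_menu": "hidden"}}]
LABS_SCOPE = [{"name": "Labs-Desktop",
               "user_settings": {"run_menu": "hidden"}}]

if __name__ == "__main__":
    for label, scope, mode in [("Cafe, no loopback", CAFE_SCOPE, None),
                               ("Cafe, replace", CAFE_SCOPE, "replace"),
                               ("Labs, merge", LABS_SCOPE, "merge")]:
        print(label, effective_user_settings(STUDENT_SCOPE, scope, mode))
```

Without loopback the café machine gets the student's ordinary user settings, which is why the computer's own settings alone do not lock down the user session.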