Posted by Roger Abell [MVP] on March 18, 2007, 9:06 am
That is probably how most people would do it, if they were
letting their machines change domains like that (which most
people would not want to allow).
> I am wondering whether the following is good design practice. We have an
> application that is locked down using domain GPOs, including setting
> permissions on the user data files. Sometimes the users will travel and
> attach these laptops to other domains (separate domains, not part of a
> forest or trust). They log into these domains with another user account,
> but they lose access to their data files because the SID for the account
> on the file ACL is different on this new domain. So we are thinking of
> creating local custom groups for the application and then nesting the
> application's custom domain groups under them. When the user joins a
> different domain then the domain admin just adds the domain group under
> the local group. In this design, the local custom group is the group added
> to the file permission. The application also checks to see if the domain
> user is a member of the local group (via nested domain group) before access
> to features. Would this work?
>
>
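
The design described in the question, sketched in PowerShell as an added example that is not part of the original thread. The group names, domain name and data path are hypothetical, and the script assumes an elevated session with the `Microsoft.PowerShell.LocalAccounts` module (Windows PowerShell 5.1 or later).

```powershell
# Hypothetical names, chosen for illustration only.
$LocalGroup  = 'AppX-Users'           # machine-local group referenced by the file ACL
$DomainGroup = 'CONTOSO\AppX-Users'   # application group in the currently joined domain
$DataPath    = 'C:\AppXData'          # application data folder

# 1. One-time setup: create the local group. Its SID is issued by the
#    machine, so it stays the same when the laptop joins another domain.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'AppX data access' | Out-Null
}

# 2. One-time setup: grant the local group (not any domain account)
#    Modify rights on the data folder, inherited by files and subfolders.
$acl  = Get-Acl -Path $DataPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$LocalGroup", 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataPath -AclObject $acl

# 3. Repeated after each domain join: nest that domain's application
#    group inside the local group. Skipped if it is already a member.
if (-not (Get-LocalGroupMember -Group $LocalGroup -Member $DomainGroup `
          -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
}

# 4. Application-side check: test the caller's logon token against the
#    local group's SID. The token already contains memberships gained
#    through the nested domain group, so no group enumeration is needed.
#    The token is built at logon: a user added in step 3 must log off
#    and on again before this returns $true.
function Test-AppXAccess {
    $sid       = (Get-LocalGroup -Name $LocalGroup).SID
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole($sid)
}

# 5. Audit: list who currently reaches the data through the local group,
#    including any domain groups left nested from previously joined domains.
Get-LocalGroupMember -Group $LocalGroup |
    Select-Object Name, ObjectClass, PrincipalSource, SID
```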