Multiple Domains

[James]

I have a user who works at two different locations, and
has to log into 2 different domains to access her files
at each location.

I can join her to a domain, but only one. Is there a way
to easily switch between domains without logging in as
administrator and changing the domain?

Thanks in advance!

James
(e-mail address removed)

 

[Chuck]

I have a user who works at two different locations, and
has to log into 2 different domains to access her files
at each location.

I can join her to a domain, but only one. Is there a way
to easily switch between domains without logging in as
administrator and changing the domain?

Thanks in advance!

James
*email_address_deleted*

James,

As you've noted, a computer can be a member of (trust, and be trusted by) only
one domain at a time. A user, however, can have an account in multiple domains.
Or different domains can trust one another, so a user with an account in one
domain can access resources (locally, or remotely) in another domain.

Please clarify for me, is this:
1) A user with a laptop that she wants to connect to a network in a different
domain, and access resources there?
2) A user who wants to login to desktop computers located in a remote location,
and access resources there?

And, are the two domains connected by a WAN?

And James, please don't contribute to the spread and success of email address
mining viruses. Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums. Protect yourself and the rest of the
internet - never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Chuck]

Chuck,

THanks for the response!

Please clarify for me, is this:
1) A user with a laptop that she wants to connect to a network in a different
domain, and access resources there?
Yes...she has one laptop that she takes back and forth to 2 different locations, each with their own domains, resources etc. For example, when she logs in here she is user vhope on domain DFW01...at the other location, she is vhope on DFW02.
Both domains are on the same WAN, but apparently don't have trust relationships set up.
2) A user who wants to login to desktop computers located in a remote location,
and access resources there?
No

And, are the two domains connected by a WAN? YES

Thanks!

James,

Any corporation with any electronic infrastructure (IOW, any corporation) needs
to have its own security policy. And you will have to try and reconcile my
recommendations with your CSP, and with your domain structure, since I have no
idea what either contains. So here goes.

This is the quick solution, which supports one computer:

Since your network contains the home domain for VHope, you leave the laptop
joined to domain DFW01. Whenever she connects to your network, she can simply
login as "VHope" in a normal domain login.

You (are you domain admin for DFW01?) need to then setup her laptop to permit
local login to users in domain DFW02. When she needs to use her DFW02 account
(and she can do this from your network too), she can do a "local" login as
"DFW02\VHope". This will override the default authentication with her home
domain DFW01, and authenticate her with DFW02.

Of course, authenticating with DFW02 from your network, depending upon the size
of the pipe between DFW01 and DFW02, may be substantially longer than from
within the DFW02 network. But it will allow you to test the concept.

When she connects to the DFW02 network, she will still login "locally" as
"DFW02\VHope". She can then access her DFW02 domain profile and associated
data.

The advantage of this procedure is that she will be able to use her DFW01 and
DFW02 domain profiles (including persistent network connections) and associated
data, on the laptop, as appropriate, from either network.

This is the more formal solution, which supports multiple computers:

You, and a domain administrator for DFW02, need to establish a trust
relationship between the two domains. When that is done, any computer joined to
either domain, such as VHope's laptop, will by default, permit local login to
users in both domains (selected from the pull down domain list in the login
wizard).

VHope would then select which ever domain she wishes to authenticate with, at
her convenience. She could authenticate with either domain, when connected to
either network.

The advantage of this solution is that it is generally more scalable, should
additional employees need to migrate between the two locations. It may be more
preferred by your CSP also.

Which ever solution you decide to use, James, remember that it should conform to
your CSP.

Please let me know your thoughts in this matter so far, and tell me if I need to
include some more detail.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Guest]

Works like a charm, thanks

----- Chuck wrote: ----

On Mon, 7 Jun 2004 12:31:05 -0700, "James" <[email protected]
wrote

Chuck
1) A user with a laptop that she wants to connect to a network in a differen
domain, and access resources there?
Yes...she has one laptop that she takes back and forth to 2 different locations, each with their own domains, resources etc. For example, when she logs in here she is user vhope on domain DFW01...at the other location, she is vhope on DFW02
Both domains are on the same WAN, but apparently don't have trust relationships set up
2) A user who wants to login to desktop computers located in a remote location
and access resources there
N

James

Any corporation with any electronic infrastructure (IOW, any corporation) need
to have its own security policy. And you will have to try and reconcile m
recommendations with your CSP, and with your domain structure, since I have n
idea what either contains. So here goes

This is the quick solution, which supports one computer

Since your network contains the home domain for VHope, you leave the lapto
joined to domain DFW01. Whenever she connects to your network, she can simpl
login as "VHope" in a normal domain login

You (are you domain admin for DFW01?) need to then setup her laptop to permi
local login to users in domain DFW02. When she needs to use her DFW02 accoun
(and she can do this from your network too), she can do a "local" login a
"DFW02\VHope". This will override the default authentication with her hom
domain DFW01, and authenticate her with DFW02

Of course, authenticating with DFW02 from your network, depending upon the siz
of the pipe between DFW01 and DFW02, may be substantially longer than fro
within the DFW02 network. But it will allow you to test the concept

When she connects to the DFW02 network, she will still login "locally" a
"DFW02\VHope". She can then access her DFW02 domain profile and associate
data

The advantage of this procedure is that she will be able to use her DFW01 an
DFW02 domain profiles (including persistent network connections) and associate
data, on the laptop, as appropriate, from either network

This is the more formal solution, which supports multiple computers

You, and a domain administrator for DFW02, need to establish a trus
relationship between the two domains. When that is done, any computer joined t
either domain, such as VHope's laptop, will by default, permit local login t
users in both domains (selected from the pull down domain list in the logi
wizard)

VHope would then select which ever domain she wishes to authenticate with, a
her convenience. She could authenticate with either domain, when connected t
either network

The advantage of this solution is that it is generally more scalable, shoul
additional employees need to migrate between the two locations. It may be mor
preferred by your CSP also.

Which ever solution you decide to use, James, remember that it should conform t
your CSP

Please let me know your thoughts in this matter so far, and tell me if I need t
include some more detail

Cheers
Chuc
Paranoia comes from experience - and is not necessarily a bad thing

 

[Chuck]

Works like a charm, thanks!

Kewl. Thanks for the update!

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.