How Do I Limit Domain Administrator Logins to a Single Domain Controller from Administrators from other Trusted Domains?

Posted on 2007-10-04
Last Modified: 2010-08-05
In a Windows 2003 trusted multi-domain environment, how do I go about limiting which domain administrators can log in to specific domain controllers in different domains? For example, if I have "Domain Controller 1 on Domain 1", "Domain Controller 2 on Domain 2" and "Domain Controller 3 on Domain 3", how do I restrict logins such that Administrator 1 can only log in to Domain Controller 1 on Domain 1? Currently, any administrator can log in to any domain controller in any domain by using their login credentials and by selecting the appropriate domain that contains their account. For example, currently Administrator 3 from Domain 3 can log in to Domain Controller 1 by entering their login credentials and selecting "Domain 3" as the domain upon logon. How do I limit this so that only Administrator 1 can log in to Domain Controller 1 on Domain 1, Administrator 2 can only log in to Domain Controller 2 on Domain 2, and so on?
Question by: NooterCorp

Accepted Solution by lausengdn
Make sure the user account for Administrator 1 is only in the "Domain Admins" group on Domain 1 and not present in the "Domain Admins" group for Domain 2 or Domain 3.
Then Administrator 2 is in the "Domain Admins" group of Domain 2 and not in the other two domains, etc.
Also make sure they are not in the "Enterprise Admins" group for the domains you don't want them to log into.

Expert Comment
Modify the Default Domain Controllers Policy GPO in each domain so that only Domain<X>\Domain Admins has been granted the "log on locally" rights within each domain, and not Domain<Y>\Domain Admins and/or Domain<Z>\Domain Admins.  Be sure to test this restriction to ensure that it does not create any application compatibility issues.
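The following script is an added example (it is not from the original thread or either answerer) that audits a single domain controller for the two conditions discussed above: which principals effectively hold the interactive logon rights on that DC, as the expert comment's GPO change controls, and which members of the domain's Administrators group come from another domain, which is where another domain's Domain Admins or the forest root's Enterprise Admins would show up. It assumes PowerShell with the ActiveDirectory (RSAT) module on a supported DC and local administrator rights; the domain names in the comments are placeholders.

```powershell
# Added example, not from the original thread. Audits one domain controller for
# (1) who effectively holds the interactive logon rights on it, and
# (2) which members of this domain's Administrators group come from another domain.
# Assumes the ActiveDirectory (RSAT) module; names in comments are placeholders.

Import-Module ActiveDirectory

$domain  = Get-ADDomain
$localNb = $domain.NetBIOSName          # e.g. DOMAIN1 (placeholder)
$localDn = $domain.DistinguishedName    # e.g. DC=domain1,DC=example (placeholder)

# Authorities whose principals are local to this machine or this domain, not a trusted domain.
$localAuthorities = @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE', $localNb)

function Resolve-Principal {
    # secedit writes principals as *S-1-5-... SIDs (occasionally plain names); return DOMAIN\Name.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # orphaned SID, or a trusted domain that cannot be reached right now
    }
}

function Get-InteractiveLogonRights {
    # Export the effective (GPO-applied) user-rights assignment and read the logon rights.
    # A Deny right always wins over an Allow right, so both kinds are listed.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $text = Get-Content -Path $inf
    $rights = 'SeInteractiveLogonRight',        # "Allow log on locally"
              'SeRemoteInteractiveLogonRight',  # "Allow log on through Terminal Services / Remote Desktop"
              'SeDenyInteractiveLogonRight'     # "Deny log on locally"
    foreach ($right in $rights) {
        $line = $text | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) { continue }   # right is assigned to nobody on this DC
        foreach ($raw in (($line -replace '^.*=\s*') -split ',')) {
            $name      = Resolve-Principal $raw.Trim()
            $authority = ($name -split '\\')[0]
            [pscustomobject]@{
                Right         = $right
                Principal     = $name
                ForeignDomain = ($localAuthorities -notcontains $authority)
            }
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}

function Get-ForeignAdministratorsMembers {
    # Direct members of this domain's Administrators group (RID 544) whose DN is outside this
    # domain, or that are foreign security principals from an externally trusted domain.
    # Domain Admins itself is a global group and cannot hold accounts from other domains, so the
    # Administrators group is where cross-domain admin membership actually lives.
    $admins = Get-ADGroup -Identity 'Administrators' -Properties member
    foreach ($dn in $admins.member) {
        $outsideDomain = -not $dn.EndsWith($localDn, [System.StringComparison]::OrdinalIgnoreCase)
        $isFsp         = $dn -like '*,CN=ForeignSecurityPrincipals,*'
        [pscustomobject]@{
            Member  = $dn
            Foreign = ($outsideDomain -or $isFsp)
        }
    }
}

Get-InteractiveLogonRights | Format-Table -AutoSize
Get-ForeignAdministratorsMembers | Where-Object { $_.Foreign } | Format-Table -AutoSize
```

Run it before and after changing the Default Domain Controllers Policy (the right lives under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, "Allow log on locally"), with a gpupdate /force in between, to confirm that only the intended groups remain. Two caveats a practitioner should keep in mind: restricting "Allow log on locally" only governs console logons, so also review "Allow log on through Terminal Services" for RDP, and it does not stop an account that is still in Administrators (directly or through Enterprise Admins) from administering the DC over the network with MMC or remote tools, since those use the network logon right. The group membership, not the logon right, is what removes that access.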
