NooterCorp

How Do I Limit Domain Administrator Logins to a Single Domain Controller from Administrators from other Trusted Domains?

In a Windows 2003 trusted multi-domain environment, how do I go about limiting which domain administrators can log in to specific domain controllers in different domains? For example, if I have "Domain Controller 1 on Domain 1", "Domain Controller 2 on Domain 2" and "Domain Controller 3 on Domain 3", how do I restrict logins such that Administrator 1 can only log in to Domain Controller 1 on Domain 1? Currently, any administrator can log in to any domain controller in any domain by using their login credentials and by selecting the appropriate domain that contains their account. For example, currently Administrator 3 from Domain 3 can log in to Domain Controller 1 by entering their login credentials and selecting "Domain 3" as the domain upon logon. How do I limit this so that only Administrator 1 can log in to Domain Controller 1 on Domain 1 and Administrator 2 can only log in to Domain Controller 2 on Domain 2 and so on?
ASKER CERTIFIED SOLUTION
lausengdn
Modify the Default Domain Controllers Policy GPO in each domain so that only Domain<X>\Domain Admins has been granted the "log on locally" rights within each domain, and not Domain<Y>\Domain Admins and/or Domain<Z>\Domain Admins.  Be sure to test this restriction to ensure that it does not create any application compatibility issues.
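One way to test the restriction after the GPO has applied, as an added example that is not part of the original answer: export the domain controller's effective user rights with `secedit /export /cfg dc.inf /areas USER_RIGHTS` and check who holds `SeInteractiveLogonRight` (the "log on locally" right). The sample export, the domain SIDs and the function names below are constructed for illustration.

```python
import re

# Constructed sample of a `secedit /export` file from a DC in Domain 1.
# Both domain SIDs are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-4444444444-5555555555-6666666666-512
[Version]
signature="$CHICAGO$"
"""

LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def audit_logon_right(inf_text, local_domain_sid, right="SeInteractiveLogonRight"):
    """Sort holders of `right` into local/builtin SIDs, foreign-domain SIDs, and names."""
    report = {"local": [], "foreign": [], "unresolved": []}
    for principal in privilege_rights(inf_text).get(right, []):
        m = DOMAIN_SID_RE.match(principal)
        if m:
            bucket = "local" if m.group(1) == local_domain_sid else "foreign"
        elif principal.startswith("S-1-"):
            bucket = "local"        # well-known or builtin SID such as S-1-5-32-544
        else:
            bucket = "unresolved"   # exported as a name rather than a SID; check by hand
        report[bucket].append(principal)
    return report


if __name__ == "__main__":
    for bucket, principals in audit_logon_right(SAMPLE_INF, LOCAL_DOMAIN_SID).items():
        print(bucket, principals)
```

Any entry under `foreign` is a principal from another domain that can still log on locally. User rights also apply through group membership, so the members of builtin groups that hold the right (such as `S-1-5-32-544`, Administrators) need to be reviewed separately.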