How Do I Limit Domain Administrator Logins to a Single Domain Controller from Administrators from other Trusted Domains?

Posted on 2007-10-04
Last Modified: 2010-08-05
In a Windows 2003 trusted multi-domain environment, how do I go about limiting which domain administrators can log in to specific domain controllers in different domains? For example, if I have "Domain Controller 1 on Domain 1", "Domain Controller 2 on Domain 2" and "Domain Controller 3 on Domain 3", how do I restrict logins such that Administrator 1 can only log in to Domain Controller 1 on Domain 1? Currently, any administrator can log in to any domain controller in any domain by using their login credentials and selecting the appropriate domain that contains their account. For example, currently Administrator 3 from Domain 3 can log in to Domain Controller 1 by entering their login credentials and selecting "Domain 3" as the domain upon logon. How do I limit this so that only Administrator 1 can log in to Domain Controller 1 on Domain 1, Administrator 2 can only log in to Domain Controller 2 on Domain 2, and so on?
Question by: NooterCorp
    Accepted Solution

    Make sure the user account for Administrator 1 is only in the "Domain Admins" group on Domain 1 and not present in the "Domain Admins" group for Domain 2 or Domain 3.
    Then Administrator 2 is in the "Domain Admins" group of Domain 2 and not in the other two domains, etc.
    Also make sure they are not in the "Enterprise Admins" group for the domains you don't want them to log into.
    Expert Comment

    Modify the Default Domain Controllers Policy GPO in each domain so that only Domain<X>\Domain Admins has been granted the "log on locally" rights within each domain, and not Domain<Y>\Domain Admins and/or Domain<Z>\Domain Admins.  Be sure to test this restriction to ensure that it does not create any application compatibility issues.
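    A way to verify the result of both answers above on a given domain controller, as an added audit script that is not part of this thread: it exports the DC's effective user-rights policy with secedit, reads every principal holding "Allow log on locally" (SeInteractiveLogonRight), and flags any principal whose SID belongs to a domain other than the DC's own. It assumes secedit.exe (shipped with Windows), read access to the domain naming context via ADSI, and an elevated session on the DC; the temporary file name is an arbitrary choice.

```powershell
# Added audit script (not from the thread). Run elevated on the DC to check.
# 1. The DC's own domain SID, read from the domain naming context via ADSI.
$dnc    = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$ownSid = New-Object System.Security.Principal.SecurityIdentifier(([ADSI]"LDAP://$dnc").objectSid.Value, 0)

# 2. Export the effective user-rights assignment (GPO result, not just the local policy).
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # temporary file, arbitrary name
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeInteractiveLogonRight not present in the exported policy' }

# 3. Right-hand side is a comma-separated list such as *S-1-5-32-544,*S-1-5-21-...-512
$entries = ($line -split '=', 2)[1].Trim() -split ','
$report = foreach ($e in $entries) {
    $e = $e.Trim().TrimStart('*')
    if (-not $e) { continue }
    $sid = $null
    if ($e -match '^S-1-') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e)
    } else {
        # secedit may emit a name instead of a SID; resolve it if we can
        try { $sid = (New-Object System.Security.Principal.NTAccount($e)).Translate([System.Security.Principal.SecurityIdentifier]) } catch {}
    }
    $name = $e
    if ($sid) {
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved> $sid" }   # trust unreachable or orphaned SID
    }
    # Built-in and well-known SIDs (e.g. BUILTIN\Administrators) have no account domain.
    $isBuiltin = ($sid -ne $null) -and ($sid.AccountDomainSid -eq $null)
    $foreign   = ($sid -ne $null) -and (-not $isBuiltin) -and (-not $sid.AccountDomainSid.Equals($ownSid))
    New-Object PSObject -Property @{ Principal = $name; SID = "$sid"; ForeignDomain = $foreign }
}
$report | Sort-Object ForeignDomain -Descending | Format-Table Principal, SID, ForeignDomain -AutoSize
```

    Any row with ForeignDomain set to True is a trusted-domain principal still granted local logon on this DC. Note that BUILTIN\Administrators is reported as not foreign even though its members on a DC can include accounts from other domains, so its membership should be reviewed separately.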
