Focus on Microsoft
customer user accounts and internal user accounts on same domain Jan 26 2009 08:02PM
Stegman, Bill (Bill Stegman crump com) (5 replies)
Re: customer user accounts and internal user accounts on same domain Jan 29 2009 12:31PM
Kevin Tunison (ktunison gmail com) (1 replies)
Re: customer user accounts and internal user accounts on same domain Feb 04 2009 03:17PM
pryorda pryor (pryordasspam gmail com)
R: customer user accounts and internal user accounts on same domain Jan 28 2009 07:12PM
Vega - Brunello Ivan (I Brunello vegaspa it)
Assuming you use AD, IMHO you could put internal users in an OU, and customers in another, at the same level whenever possible.
I saw this layout on almost all AD installations in the last few years, since it lets you segregate all customer accounts, maintain a single tree (or, at least, just two branches of the same tree) and get rid of inheritance.
Using this design (and a smart use of the UPNSuffix LDAP attribute), you could even have your users authenticating as user@internal.dom and external authenticating as user@external.dom.

Moving the internal OU should not be a big issue, as long as you use standard AD-aware applications (e.g. Exchange), but this should be planned carefully.
Beware of custom LDAP accesses (we had a couple of scripts using special LDAP queries).

My two cents

Ivan Brunello
System & Network Management

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On behalf of Stegman, Bill
Sent: Monday, January 26, 2009 21:03
To: focus-ms (at) securityfocus (dot) com
Subject: customer user accounts and internal user accounts on same domain

Hi, I'm trying to dissuade management from allowing user accounts to be created on the same domain as our company users for what I feel are obvious reasons, but when pressed for specific issues I'm at a bit of a loss. I cited reasons such as:
A clear demarc between customer accounts and our own accounts
Not giving any unnecessary rights due to inheritance, but rather having to apply the appropriate permissions rather than remove permissions to attain the desired result

They want to extend a service we offer to our internal employees to a partner. I suggested creating an extranet and using accounts from a separate domain rather than our own, but there is additional overhead imposed by such a design...duh...but I'm hoping to throw out an established standard or something to help my argument.

Thank you,

Bill Stegman MCSE 2003, CCNP, CCSP, CCIP, INFOSEC, MCTS:Vista
Network Engineer
Crump Life Insurance Services
4250 Crums Mill Rd
Harrisburg, PA  17112
Phone:  717.657.0789  Ext. 4202
Fax:      717.703.4947


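The two-OU layout with separate UPN suffixes suggested in the reply above only gives a clear demarcation if accounts stay where they belong, so here is an added PowerShell example (not part of the thread) that reports accounts whose UPN suffix does not match the OU they sit in. The OU names Internal and Customers, their placement directly under the domain root, and the suffixes internal.dom and external.dom are assumptions.

```powershell
# Added example: audit that each account's UPN suffix matches its OU.
# Requires the ActiveDirectory module (RSAT). OU names and suffixes are assumptions.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Hypothetical layout: two sibling OUs at the same level, one suffix each.
$expected = @{
    "OU=Internal,$domainDn"  = 'internal.dom'
    "OU=Customers,$domainDn" = 'external.dom'
}

# A suffix must be registered in the forest (or be a domain DNS name,
# which is implicitly valid) before accounts can log on with it.
$forest     = Get-ADForest
$registered = @($forest.UPNSuffixes) + @($forest.Domains)
foreach ($suffix in $expected.Values) {
    if ($registered -notcontains $suffix) {
        Write-Warning "UPN suffix '$suffix' is not available in this forest"
    }
}

# Walk each OU and collect accounts whose UPN suffix is missing or wrong.
$findings = foreach ($ou in $expected.Keys) {
    Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree -Properties UserPrincipalName |
        ForEach-Object {
            $upn    = $_.UserPrincipalName
            $actual = if ($upn) { ($upn -split '@')[-1] } else { '' }
            if ($actual -ne $expected[$ou]) {   # -ne is case-insensitive
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    OU             = $ou
                    ExpectedSuffix = $expected[$ou]
                    ActualUPN      = $upn
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object OU, SamAccountName | Format-Table -AutoSize
} else {
    Write-Output 'All accounts carry the UPN suffix expected for their OU.'
}
```

The script only reads from the directory, so it can be run on a schedule and its output compared between runs to spot accounts created in, or moved to, the wrong branch.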
RE: customer user accounts and internal user accounts on same domain Jan 28 2009 10:56AM
James D. Stallard (james leafgrove com)
RE: customer user accounts and internal user accounts on same domain Jan 28 2009 09:45AM
Davies, Alan (GE Money) (AlanJ Davies ge com) (1 replies)


 

Copyright 2010, SecurityFocus