Thanks for your response Big Ron... further question for you...

Firstly, yes we have a one-way trust between the two forests, i.e. our new shiny forest trusts the existing forest via an NTLM job apparently, as Kerberos needs two-way transitive or some such..

Just to be sure that I understand what you are saying... If I am applying a GPO to an OU which holds the farm servers, both the computer and user policy settings will apply to the users coming in from the other forest?

I was wondering what security context the forest users will pop up into the server farm as. The plan is that we would not have any users configured in our farm. Would they be 'Domain Users'? I think this was the case with NT4... or would they pop up under the 'Everyone' group?

Thanks for your help once again...

Brianos :o)

-----Original Message-----
From: Ron Oglesby [mailto:roglesby@xxxxxxxxxxxx]
Sent: 16 September 2003 15:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: attention active directory design gurus..again

Comments in line

Ron Oglesby
Senior Technical Architect
RapidApp
Office 312.372.7188
Mobile 815.325.7618
email roglesby@xxxxxxxxxxxx

-----Original Message-----
From: Brian Lilley [mailto:Brian.Lilley@xxxxxxxxxxxxx]
Sent: Tuesday, September 16, 2003 8:57 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] attention active directory design gurus..again

What I know about AD design could be written on the back of a stamp... so brace yourselves..

I am building a Citrix farm which will exist in its very own autonomous AD forest which will be bolted next to a customer's existing forest... don't ask... it's a long story.. The result is that the users for this farm will come from a totally separate AD forest.

What would be the best AD design for this particular configuration... my thoughts are: an overall OU called FARM1; within the FARM1 OU are additional OUs, 1 for domain controllers, 1 for Nfuse servers and 1 for the farm XPE servers.

[Ron] Leave the Domain Controllers in the DCs container.

My questions are these:

1. When the users enter the farm from an external forest, what group would they come under? i.e. where would I apply the AD GPO in order to restrict them... I'm guessing that the GPO being applied to the XPe servers would restrict these users??

[Ron] This would be one of two things: 1 - either they have accounts in this new forest, or 2 - you have a cross-forest trust or external trust between their domain and yours. In either case I would apply GPO loopback processing on my MetaFrame server OU and dictate the GPO settings they get when they login.

2. What sort of GPO would I apply to the domain controllers?

[Ron] Use the Domain Controllers container if it is already in its own forest. No need to move the DCs out of there. Users will not have access to these anyway.

3. What sort of GPO would I apply to the Nfuse servers?

[Ron] Well, you can do anything here. I would not make the Nfuse servers part of the domain if they were going to be exposed to the internet. If not, and they are purely internal, then I would use a standard domain GPO to secure their login access, maybe do some directory and file permissions etc. All the stuff you would normally do manually on an IIS server.

I think I'd better read the AD book again... boohoohoo

Brian Lilley
Systems Integration
m +44 (0)7929 002501
t +44 (0)1249 665421
e brian.lilley@xxxxxxxxxxxxxx

**********************************************************************
The information contained in this e-mail message is intended only for the individuals named above. If you are not the intended recipient, you should be aware that any dissemination, distribution, forwarding or other duplication of this communication is strictly prohibited.
The views expressed in this e-mail are those of the individual author and not necessarily those of Vivista Limited. Prior to taking any action based upon this e-mail message you should seek appropriate confirmation of its authenticity. If you have received this e-mail in error, please immediately notify the sender by using the e-mail reply facility.
**********************************************************************

_____________________________________________________________________
This message has been checked for all known viruses on behalf of Vivista by MessageLabs. http://www.messagelabs.com or Email: mailsweeper.info@xxxxxxxxxxxxx
Vivista formerly Securicor Information Systems for further information http://www.vivista.co.uk

********************************************************
This Week's Sponsor: ThinPrint
http://www.thinprint.com
**********************************************************
Useful Thin Client Computing Links are available at: http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm
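The following is an added worked example, not part of the list thread and not written by either poster. It builds the FARM1 OU layout Brian sketches and applies Ron's recommendation of GPO loopback processing on the MetaFrame server OU. The OU names, the GPO name, the lockdown setting and the comment text are placeholders chosen here; the ActiveDirectory and GroupPolicy PowerShell modules it uses (RSAT, Windows Server 2008 R2 and later) postdate the 2003 thread, which would have done the same thing in the GPMC by hand. The reason loopback answers the cross-forest question is that it makes the User Configuration half of GPOs linked to the computer's OU apply to whoever logs on to that computer, so the location (or absence) of the user object in this forest stops mattering.

```powershell
# Added example (not from the thread): FARM1 OU structure plus a loopback lockdown GPO
# on the MetaFrame server OU. Assumes RSAT modules and that the caller is a domain admin
# in the farm forest; names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# OU layout: FARM1 with sub-OUs for the NFuse and MetaFrame (XPe) servers.
# Domain controllers stay in the built-in "Domain Controllers" OU, as Ron advises.
$farmOu  = New-ADOrganizationalUnit -Name 'FARM1' -Path $domainDn -PassThru
$nfuseOu = New-ADOrganizationalUnit -Name 'NFuse Servers' -Path $farmOu.DistinguishedName -PassThru
$mfOu    = New-ADOrganizationalUnit -Name 'MetaFrame Servers' -Path $farmOu.DistinguishedName -PassThru

# Lockdown GPO linked to the MetaFrame server OU.
# UserPolicyMode 2 = loopback Replace (only this OU's user settings apply),
# 1 = Merge (the user's own GPOs apply first, then this OU's user settings win).
$gpo = New-GPO -Name 'FARM1 MetaFrame Lockdown' -Comment 'Loopback lockdown for published-app servers'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# One user-side restriction carried by the loopback GPO (placeholder choice): hide Run.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

New-GPLink -Name $gpo.DisplayName -Target $mfOu.DistinguishedName -LinkEnabled Yes | Out-Null

# Verification on a farm server after 'gpupdate /force', logged on as a trusted-forest user:
#   gpresult /r /scope:user                      # lists the loopback GPO under applied GPOs
#   Get-GPResultantSetOfPolicy -ReportType Html -Path C:\temp\rsop.html
```

Two practical checks when using this with users from another forest: keep the GPO's default security filtering (Authenticated Users, which covers accounts authenticating across the trust) or add the trusted-forest group explicitly, and prefer Replace mode on shared application servers so that nothing from the users' home-forest policy leaks onto the farm.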