-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Answers inline...

Chris

- -----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Brian Lilley
Sent: Tuesday, September 16, 2003 6:57 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] attention active directory design gurus..again

What I know about AD design could be written on the back of a stamp...so brace yourselves..

I am building a Citrix farm which will exist in its very own autonomous AD forest which will be bolted next to a customer's existing forest....don't ask...it's a long story..

The result is that the users for this farm will come from a totally separate AD forest.

What would be the best AD design for this particular configuration...my thoughts are :-

an overall OU called FARM1, within the FARM1 OU, are additional OU's
1 for domain controllers,
1 for Nfuse servers and
1 for the farm XPE servers

My questions are these

1. when the users enter the farm from an external forest, what group would they come under? i.e. where would I apply the AD GPO in order to restrict them... I'm guessing that the GPO being applied to the XPe servers would restrict these users??

A. It all depends. Do you have an External Trust established between the domains? If so, then you need to make sure that whatever Domain Global Group they belong to in DOMAINA, the Global Group in DOMAINA belongs to a Domain Global Group in DOMAINB that would filter the GPO and give access to log on to the Citrix servers. If not, then you would need to create separate user accounts and add them to the appropriate groups.

2. what sort of GPO would I apply to the domain controllers?

A. Leave the DC's in their default OU. Then, modify the Default Domain Controllers GPO to what you want.

3. what sort of GPO would I apply to the nfuse servers?

A. I would only create one that applies auditing.
You could even control the NTFS/Registry security settings, but I would read up on a Windows 2000 Security book (either the one from MSPress or Global Knowledge).

I think I'd better read the AD book again...boohoohoo

(I would agree)

Brian Lilley
Systems Integration
m +44 (0)7929 002501
t +44 (0)1249 665421
e brian.lilley@xxxxxxxxxxxxxx

********************************************************
This Week's Sponsor: ThinPrint
http://www.thinprint.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: Public PGP key for Chris Lynch

iQA/AwUBP2ctQm9fg+xq5T3MEQLh0gCfax5cMC25B2udHDpRhJLSjygve1EAoPie
LCBsF2Qjc7ugQ4BFMMyWc2u6
=LHPt
-----END PGP SIGNATURE-----