These questions were posed to me and I do not have definitive answers.

1. Can Vintella work on a domain controller where a child domain trusts a superior domain that holds the identities?
 

2. You have that security tool for Windows. Using this tool, or any other tool (to include plugin writing by us, if need be) in conjunction with basic domain authentication (and presumably compatible with Vintella), can you imagine a way to:

2a) authorize someone to the domain ONLY if they are in a white list that ONLY the child domain controls? (This white list could be an ordinary DL or any other structure).

2b) subsequent to 2a above (white list inclusion), process a black list pattern match (e.g., even if the white list includes them, if a pattern is matched, the user is not authenticated to the child domain under any circumstances)?

  • frodo wrote:

    > 1. Can Vintella work on a domain controller where a child domain trusts a superior domain that holds the identities?

    Vintela only has one L, but Yes.  The Vintela client system can be joined to any domain and authenticate users from any other domain that has a full transitive trust.  One-way and "no-way" trusts are also supported, but see the docs for details.

    > 2. You have that security tool for Windows. Using this tool, or any other tool (to include plugin writing by us, if need be) in conjunction with basic domain authentication (and presumably compatible with Vintella), can you imagine a way to:

    What tool?

    > 2a) authorize someone to the domain ONLY if they are in a white list that ONLY the child domain controls? (This white list could be an ordinary DL or any other structure).

    You could use cross domain group memberships with users.allow or group policy for this.

    > 2b) subsequent to 2a above (white list inclusion), process a black list pattern match (e.g., even if the white list includes them, if a pattern is matched, the user is not authenticated to the child domain under any circumstances)?

    You could use cross domain group memberships with users.deny or group policy for this.

  • Thanks for your quick responses.