2003 Active Directory Question about External users.


We have a 2003 Active Directory domain. We are currently working on setting up an SFTP Server for our company in which the software will talk to an AD domain for user credentials. We want to use an AD domain for this because of some of the extra features it offers. I am trying to decide where I want to setup the SFTP users since they will be external users. By external I mean customer throughout the world.

Currently we have no external users in our AD environment and I am trying to figure out how to add them in the most secure manner. I don't want them to have access to anything other than the SFTP server. Here are the options as I see them:

1. Create a new OU in our domain. Create a new group called SFTP or whatever we want to name it. Then create the user accounts for the external users and add them to the SFTP group. For each user set the SFTP group to the primary and remove them from the Domain Users group. One issue with this setup is that we misused the Everyone group in the past and we currently do not have the time to go back to everywhere it was used and fix it. So the external users in theory would have access to some shares because of the use of the Everyone group.

2. Setup a new Domain under our Forest.

3. Setup a child domain under our Domain.

4. Setup a completely different Forest and domain for this.

Any opinions would be greatly appreciated. Which option would you choose or is there another way of doing this that I am not thinking of?

Thanks!

Eric
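Option 1 as scripted steps, plus the check the poster says there is no time for. This is an added example, not code from the thread or from Globalscape: it assumes the ActiveDirectory PowerShell module (shipped with 2008 R2 / RSAT, usable against a 2003 domain through the Active Directory Management Gateway Service) and uses placeholder names for the domain DN, OU, group, user and file servers.

```powershell
Import-Module ActiveDirectory

# --- Assumed placeholders; replace with the real values ---
$DomainDN   = "DC=corp,DC=example"
$OuName     = "External SFTP Users"
$OuPath     = "OU=$OuName,$DomainDN"
$GroupName  = "SFTP-External"
$UserName   = "customer01"

# Step 1: a dedicated OU so the external accounts can get their own GPO and are easy to find.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true

# Step 2: the SFTP group (global security group, so it can be a primary group).
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath
$sftpGroup = Get-ADGroup -Identity $GroupName
# primaryGroupID stores the RID (last component of the group SID), not the full SID.
$sftpRid = [int]($sftpGroup.SID.Value.Split('-')[-1])

# Step 3: the external user, created disabled until the password has been handed over out of band.
New-ADUser -Name $UserName -SamAccountName $UserName -Path $OuPath `
    -AccountPassword (Read-Host -AsSecureString "Initial password for $UserName") `
    -ChangePasswordAtLogon $false -Enabled $false

# Step 4: membership first, then primary group, then drop Domain Users.
# AD refuses to remove a user from its current primary group, so the order matters.
Add-ADGroupMember -Identity $sftpGroup -Members $UserName
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $sftpRid }
Remove-ADGroupMember -Identity "Domain Users" -Members $UserName -Confirm:$false

# Step 5: the caveat from the post. Leaving Domain Users does nothing about ACLs granted to
# Everyone (which on 2003 still covers every authenticated account, the new SFTP users included).
# This lists NTFS entries for Everyone on the disk shares of the given servers so they can be fixed.
function Find-EveryoneAccess {
    param([Parameter(Mandatory)][string[]]$FileServer)
    foreach ($srv in $FileServer) {
        # Type 0 = ordinary disk share; printer, IPC$ and admin shares (C$ etc.) have other type values.
        $shares = Get-WmiObject -Class Win32_Share -ComputerName $srv | Where-Object { $_.Type -eq 0 }
        foreach ($share in $shares) {
            $unc = "\\$srv\$($share.Name)"
            try   { $acl = Get-Acl -Path $unc }
            catch { Write-Warning "Cannot read ACL on ${unc}: $_"; continue }
            $acl.Access |
                Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share    = $unc
                        Identity = $_.IdentityReference.Value
                        Rights   = $_.FileSystemRights
                        Type     = $_.AccessControlType
                    }
                }
        }
    }
}

# Usage (server names are assumed):
Find-EveryoneAccess -FileServer "fs01", "fs02" | Sort-Object Share | Format-Table -AutoSize
```

The audit only reads NTFS permissions; share-level permissions (Win32_LogicalShareSecuritySetting) would need a second pass. Anything the audit lists is reachable by the new external accounts regardless of which OU or primary group they sit in, which is the reason the replies below steer toward a separate directory instead.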



The best thing is using groups, as they are to be used to set permissions and rights. You can always add the users to a separate OU and link a specially customized security GPO to it to secure it further, and have the users in a separate location in the AD overview.

You will need to look at the Everyone group thing because it will cause people to have access to those resources no matter where they are from.

Also, if you are only looking to add users to an SFTP server (what application are you using here, IIS?) you may want to investigate the option to just add the users to the application and don't use AD for authentication at all. That way the users can't ever access the AD.

Hope it helps,


Thanks for the reply!

The Everyone group issue definitely needs to be addressed. It is just going to take more time than I have since I have to get this SFTP site up and running ASAP.

We are using a third party product, Globalscape EFT Server. We have to use AD because of the way their Gateway DMZ server interfaces with the back end server. There are also a few other options we are going to use that are easier done with AD.

Thanks,

Eric


Why don't you use ADAM and set up a separate AD for the SFTP/external users? You could set up a one-way trust as well, if necessary. This would keep your internal and external userbase separated.


Cluberti is right, ADAM is the way to go, then you can put the ADAM server in your DMZ network and you'll just have to open port 636 (secure LDAP) through the firewall to have it talk to the other domain for authentication. A host of other defined ports are necessary to create the trust through a firewall.

There is a KB article on how to do it.

Good luck.
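A check for the firewall rule the reply above describes: before trusting that "only port 636" is open between the DMZ and the internal domain, confirm from the DMZ host that 636/TCP answers and that an LDAPS bind succeeds with the server certificate still being validated. This is an added example, not from the thread, Microsoft or Globalscape; the DC name and the service account are assumed placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [int]$Port = 636
    )

    # 1. Plain TCP reachability first, so a blocked firewall rule is reported separately
    #    from a TLS or authentication failure.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
    } catch {
        return [pscustomobject]@{ Server = $Server; Port = $Port; TcpOpen = $false; BindOk = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }

    # 2. LDAP over SSL bind. SecureSocketLayer = $true negotiates TLS on connect; the DC certificate
    #    is checked against the client's trust store by default, so an untrusted or self-signed
    #    certificate shows up here as a failure instead of being accepted silently.
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Simple bind (what most third-party gateways do); AD accepts DOMAIN\user or a UPN as the name.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        [pscustomobject]@{ Server = $Server; Port = $Port; TcpOpen = $true; BindOk = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $Port; TcpOpen = $true; BindOk = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (run from the DMZ host; hostname and account are assumed placeholders):
$cred = Get-Credential -Message "Account the DMZ server uses for LDAPS binds"
Test-LdapsBind -Server "dc1.corp.example" -Credential $cred | Format-List
```

TcpOpen false means the firewall rule is the problem; TcpOpen true with BindOk false and a certificate error in the message means the DC's LDAPS certificate is not trusted on the DMZ host, which should be fixed with a trusted certificate rather than by disabling validation.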
