Create a new AD forest for your external users; you might need to set up some better security, but the two can be connected for seamless authentication.

You'll need to tell them to use a different domain when logging on (e.g. your normal users use 'mycorp', externals use 'externalcorp') but otherwise it's totally transparent.

Yes, it is bad practice to put external users in the same AD as your internal users. Keep external accounts separate and check out ADAM for external user authentication.

I think the question you need to ask is not if storing external accounts in Active Directory is bad, but if storing accounts in the same forest as your internal accounts is bad. It can be done, but I would tend to agree with Fallen that I wouldn't put the external accounts in the same forest with the internal ones.

In the past when we used an AD store to place external accounts we created a new forest and placed the external users in there and then trusted the two domains. In my opinion this is the better option because the highest access users have to the internal network is limited by the trust and not a user's account. If the domain is compromised you can always shut it down and you'll know that nothing with external can access the internal networks. This also allows you to have different security policies between external and internal users.
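
The separate-forest design in the answers above only limits external users if the trust itself is scoped tightly. The following is an added example, not code from any of the posters: a PowerShell check, run from the internal forest, that reports how the trust to the external forest is configured. The forest name is a placeholder, and it assumes only external accounts need to reach internal resources (not the reverse).

```powershell
# Added example. Run from a host in the internal forest with the RSAT
# ActiveDirectory module installed.
Import-Module ActiveDirectory

# Assumption: DNS name of the external-user forest (placeholder value).
$ExternalForest = 'externalcorp.example'

$trusts = Get-ADTrust -Filter * | Where-Object { $_.Target -eq $ExternalForest }

if (-not $trusts) {
    Write-Warning "No trust to $ExternalForest found from this domain."
}
else {
    foreach ($t in $trusts) {
        $notes = @()

        # Seen from the internal side, Outbound means external accounts can be
        # authenticated here. Inbound or BiDirectional additionally lets internal
        # accounts be used in the external forest, which this scenario is
        # assumed not to need.
        if ("$($t.Direction)" -ne 'Outbound') {
            $notes += "direction is $($t.Direction); review whether more than Outbound is needed"
        }

        # With selective authentication off, the trust is forest-wide or
        # domain-wide: external accounts can authenticate to any internal host.
        if (-not $t.SelectiveAuthentication) {
            $notes += 'selective authentication is off'
        }

        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = $t.Direction
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            Review                  = ($notes -join '; ')
        }
    }
}
```

An empty `Review` column means the trust is one-way from the internal side and uses selective authentication; the SID filtering column is reported for inspection only and is not evaluated by the script.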

