Problem with domain's access


treysha
05-16-2004, 12:05 PM
Hi,
Pardon me for asking too many questions these few days. I've got a big headache in the office and got no one to turn to.

My next question involves 2 domains that I am taking charge of in the office.

I have two firms sharing one floor of the building. Both have their own domains (let's call them Domain A and Domain B) and their own NT 4.0 Servers, but are sharing the same network switches (meaning their network points go to the same set of switches in one server room).

In the Network Neighbourhood of both firms' PCs, I can see both Domain A and Domain B.

Staff working in Domain A logs on to Domain A without any access to any folders in Domain B, BUT (!!!) staff in Domain B can access folders in Domain A while logged on to Domain B! This is the thing that perplexes me.

No staff in Domain B were created in Domain A's "User Mgr for Domains", and vice versa.
I have checked the "Permissions" given for each folder in Domain A but none of Domain B's staff are listed there. (Note: although the folders allow access to "Everyone", I assume 'everyone' here means those accounts created in Domain A's user mgr.)

I am a novice at networks, and I know this problem needs help from the experienced.

Can someone please, please help me...

pave_spectre
05-16-2004, 12:15 PM
> although the folders allow access to "Everyone", I assume 'everyone' here means those accounts created in Domain A's user mgr

'Everyone' means just that. Everyone regardless of domain will be able to access those folders.

What brand/model of switches are being used? If they are good quality managed switches then it should be possible to set up VLANs (Virtual Local Area Network), which will give a modicum of separation.

Do the domains need any kind of communication between them or are they meant to be completely separate?

treysha
05-16-2004, 12:42 PM
I believe they are meant to be separate... however, the agreement from both sides is that staff from Domain B must be allowed access to one particular folder in Domain A. Just one folder, but now they can access all folders...

But I never knew that Everyone meant anyone regardless of which domain they're from...

Thanks a million pave_spectre!!

pave_spectre
05-16-2004, 01:02 PM
Needing to share a single directory means using VLANs is not completely out of the question if the switches are capable of such, but it would make it more effort than just configuring VLANs for complete separation.

The start would obviously be to set permissions to allow access to only users who should have it to other directories, but in my opinion, (and it is just an opinion after all :p), that's the very least that should be done as a temporary measure, until a more complete solution can be incorporated.

The downside is that a more complete solution could require considerable effort/money, depending on what additional hardware resources you have (or can get), as well as any time or financial constraints that may restrict you.

treysha
05-17-2004, 01:11 AM
But then again,

I am just wondering,
How can the two domains share folder access just by the fact that they are sharing the same network switches?
I mean, they are both administering their respective domains & users using their own separate NT Server machines.
My knowledge in networks is super limited, need your kind help to shed me some light.

Thanks way in advance... (hope you don't get frustrated with me)

pave_spectre
05-17-2004, 02:56 AM
I didn't think to ask but are they using the same IP range? Since they can share some access I assume they are.

I don't know how well I can explain, since it's been a while since I got to use this knowledge or read up on it, so feel free to ask more questions.

Without VLANs, switches don't care what networks or domains specific computers are controlled by, or supposed to have access to, which means that all access is governed by the specific permissions set for any shared resource.

In some cases it will be domain specific. For example, if both domains have a user called smith, and on Domain A there is a folder with access only permitted to smith, then with central user management that user will actually be accessing as \\Domain A\smith and permission will be set accordingly, which means \\Domain B\smith should not be able to access it because the user credentials don't match. (in theory at least, since it doesn't always work :rolleyes: )

When something is set to allow access for everyone then there is no requirement to check access credentials making the resource open for everyone. Which can be useful if you need to kludge some temporary access between domains, but I somehow doubt it would be the recommended method.:p

> Thanks way in advance... (hope you don't get frustrated with me)

Not likely, I love this stuff.:D

Variable
05-22-2004, 12:00 PM
Just set up groups and assign permissions to those groups. Basic stuff. VLANs are really useful if the users change rooms. It's a logical separation versus a physical one.

Windows NT users and groups, create two groups, assign users to the groups and then assign permissions to the groups to view the resources.

Test it on a weekend.
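
Added illustration, not code from any poster in this thread: a simplified Python model of the access check the thread discusses, showing why an "Everyone" entry lets a Domain B user in and what replacing it with groups changes. All SIDs except the well-known Everyone SID (S-1-1-0), the folder and group names, and the Guest fallback for an unrecognised Domain B user are assumptions made for the example.

```python
"""Toy model of an NT-style access check (allow ACEs only). All SIDs except
the well-known Everyone SID (S-1-1-0) are constructed for this example."""

EVERYONE = "S-1-1-0"                   # well-known SID, in every token on NT 4.0
DOM_A = "S-1-5-21-1111-1111-1111"      # constructed SID prefix for Domain A
A_STAFF = DOM_A + "-2001"              # hypothetical group: Domain A staff
A_SHARED = DOM_A + "-2002"             # hypothetical group: users of the one shared folder
A_GUEST = DOM_A + "-501"               # built-in Guest account (RID 501) of Domain A


def build_token(user_sid, group_sids=()):
    """SIDs the server compares against an ACL; Everyone is always included."""
    return {user_sid, EVERYONE, *group_sids}


def granted(token, acl):
    """Union of rights from every allow ACE whose SID appears in the token."""
    rights = set()
    for sid, ace_rights in acl:
        if sid in token:
            rights |= set(ace_rights)
    return rights


def audit(folders):
    """Names of folders whose ACL still contains an Everyone ACE."""
    return sorted(name for name, acl in folders.items()
                  if any(sid == EVERYONE for sid, _ in acl))


# Tokens as Domain A's server would build them.
a_smith = build_token(DOM_A + "-1001", [A_STAFF])
# Assumption: no trust exists, so Domain B's smith is not recognised by
# Domain A and the session ends up running as Domain A's Guest.
b_smith_as_guest = build_token(A_GUEST)
# After the fix: B's smith has a dedicated Domain A account in A_SHARED.
b_smith_account = build_token(DOM_A + "-1050", [A_SHARED])

before = {"Finance": [(EVERYONE, "RW")], "Joint": [(EVERYONE, "RW")]}
after = {"Finance": [(A_STAFF, "RW")],
         "Joint": [(A_STAFF, "RW"), (A_SHARED, "R")]}

if __name__ == "__main__":
    for label, folders, tok in [("before", before, b_smith_as_guest),
                                ("after", after, b_smith_account)]:
        for name, acl in folders.items():
            print(label, name, sorted(granted(tok, acl)) or "no access")
    print("Everyone ACEs left:", audit(after))
```

Running `audit()` over a real inventory of folder ACLs gives the list of shares to fix before the weekend test suggested above.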