Network Security Security-Basics

Re: AD Child Domains

Subject: Re: AD Child Domains
Date: Thu, 24 Apr 2008 06:39:29 -0400
PCI compliance objectives apply to everyone in an organization, not excluding a 'vocal minority' or anyone else. If they have a real argument for not conforming to the standards, they can present a business case that demands they not comply to complete some essential business function. The executive officer in charge of security (CTO/CIO/CFO) will have to make the call whether to bring them into compliance or accept the risk of having them in non-compliance. So long as your recommendations are clearly noted in the supporting documentation and email threads and the exception is documented in writing, it should not reflect poorly on you, but will show as an acceptance of known risk by the executive tribe. Then you can justify the cost of maintaining a separate AD structure for that function, or demonstrate the ROI of bringing them into the fold.

Raoul Armfield wrote:
We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users does not need/want (and is very vocal about it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through completely and am missing some important factors to consider. Your thoughts would be greatly appreciated.

Raoul
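As an added example (not from the thread or either poster), a PowerShell audit that lists the trusts a domain holds with their direction and transitivity, and compares the default password policy of a parent and a child domain. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access, and the child domain name `pci.corp.example` is a placeholder.

```powershell
# Added example: report trust direction and password policy for a parent/child domain pair.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to both domains.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Domain whose trusts to list; defaults to the current user's domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Intra-forest (parent-child / tree-root) trusts are created two-way and transitive;
        # only trusts to a separate forest can be created one-way or with selective authentication.
        if ($_.IntraForest) {
            $note = 'intra-forest trust: two-way transitive'
        } elseif ($_.Direction -eq 'Bidirectional') {
            $note = 'cross-forest two-way trust'
        } else {
            $note = 'cross-forest one-way trust'
        }
        [pscustomobject]@{
            Partner          = $_.Name
            Direction        = $_.Direction            # Inbound / Outbound / Bidirectional
            IntraForest      = $_.IntraForest
            ForestTransitive = $_.ForestTransitive
            SelectiveAuth    = $_.SelectiveAuthentication
            Note             = $note
        }
    }
}

function Compare-DomainPasswordPolicy {
    param([string]$ParentDomain, [string]$ChildDomain)
    foreach ($d in @($ParentDomain, $ChildDomain)) {
        # Default domain password policy; a child domain carries its own, independent of the parent
        $p = Get-ADDefaultDomainPasswordPolicy -Identity $d
        [pscustomobject]@{
            Domain            = $d
            MinLength         = $p.MinPasswordLength
            History           = $p.PasswordHistoryCount
            MaxAgeDays        = $p.MaxPasswordAge.Days
            Complexity        = $p.ComplexityEnabled
            LockoutThreshold  = $p.LockoutThreshold
        }
    }
}

# Placeholder domain names; replace with the real parent and child domain DNS names
Get-TrustReport -Domain 'corp.example' | Format-Table -AutoSize
Compare-DomainPasswordPolicy -ParentDomain 'corp.example' -ChildDomain 'pci.corp.example' | Format-Table -AutoSize
```

The trust report makes the two-way, transitive nature of a parent-child trust visible in the `IntraForest` column, which is the property to check before deciding between a child domain and a separate forest.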
