Two-way forest trust logons

I have two Windows 2003 servers running Active Directory that, for historical reasons, each have their own Forest. TeacherDomain (the forest root on one server) currently owns all of the network printers and is configured as a MediaServer. StudentDomain is a forest root on the other server. We want to have certain groups of students be able to access certain network printers and also use the media streaming capability of the TeacherDomain. Also, we want teachers to be able to access the NAS device that students currently use on the StudentDomain for their student portfolios. From the Microsoft documentation, it appears that setting up a two-way ForestTrust gives me the capabilities that I need. However, on the student laptops that are connected to the StudentDomain, the administration does not want the DomainList on the logon screen to include domains that are on the TeacherDomain. That is, they want to keep the separation that students log on to student machines and teachers log on to teacher machines. I don't know how the Domain List on the logon page is generated. If I create a two-way ForestTrust, will student machines now be able to log on to the TeacherDomain? I think they are concerned about a student selecting the TeacherDomain, typing in a teacher's logon name, trying to break the password and getting access to gradebooks.

If you create a trust relationship, both domains will show up in the drop-down box on login, yes.  (There -may- be a third-party tool that can alter this behaviour, but I'm not aware of one.)  The alternative would be to leave the forests untrusted and create a second account for students who need to access the teacher domain, but that doesn't buy you much for two reasons:

[1] Managing password synchronization between the domains without a trust relationship will be a royal pain.

[2] Not being able to see the forest name in a drop-down box isn't going to stop a malicious and determined student (read: "hacker") from attempting to do password-guessing against the teacher domain - to believe otherwise is (I think, at least) a tragic underestimation of the computer-savviness of the average American student.

If users in ForestB need access to resources in ForestA the most effective way to do that is going to be via a trust relationship; it is then up to the administrators of ForestA to establish sufficient security controls to prevent unintended disclosure of resources. There are any number of tools that you can use to assist in this - Group Policy, Server & Domain Isolation, two-factor authentication for largely depends on how much time, money, training and effort you're willing to throw at the problem of security.
oaklandteacher (Author) commented:
I know that a malicious student isn't going to be deterred, but there are a lot of kids who will play password guessing if the dropdown includes the TeacherDomain. Plus they know that if they deliberately type in the wrong password enough times, it will temporarily disable the teacher's account (unless I change the default Group Policy).
If I move all of the network printers from the teacher domain to the top of the student domain and then establish a one-way trust, will that enable groups of students and groups of teachers to access the printers and the NAS without the TeacherDomain showing up on student laptops? I will still have to figure out how to give student access to MediaStreaming.
I don't have any one-way trusts in front of me that I can verify this against right now, but I believe that even one-way trusts will still populate the drop-down box in that scenario.  (You can obviously configure the one-way trust as a test measure and log onto a teacher/student computer to confirm.)

This unfortunately sounds as though you are attempting to create a silicon-based solution for a carbon-based problem, which is almost always a quest doomed from the start.  Does your organization have an Acceptable Use Policy, and does that AUP include a section about attempts to steal/abuse other users' passwords?  If you don't have one, write one. If you do have one, it's time to start enforcing. If the laptop with an IP that's registered to student Mike Smith logs twenty failed logons in a row against a teacher account, Mike Smith gets a warning. If it happens again, Mike Smith's parents get a phone call or he gets detention or suspension or what-not.  (I'm crafting examples in my head without knowing whether your students are K-12,  University, whatever - obviously modify these suggestions in an age-level appropriate fashion.)

Basically there isn't a technical measure in the world that's going to prevent someone from being intentionally malicious - but you're in a unique position of power in that the malicious users are at least -somewhat- under your control, rather than being a random hacker from Romania or China who is acting completely outside of any bounds of responsibility.
oaklandteacher (Author) commented:
We have hundreds of student laptops on mobile carts and we use DHCP, so tracking down the student who might have been using a particular laptop at a particular time is more effort than I have time for. I understand about AUP and all that. I just need a technical answer about forest trusts.

Hmmmm.  The good news?  I think I found a way for you to hide the domain drop-down entirely.

The bad news?  It involves a registry hack on the client-side, which probably wouldn't be feasible for you from an implementation standpoint.  (Unless your student laptops are AD-joined, in which case you can obviously deploy it via GP.)

This solution will also necessitate a behaviour/training change for your students as it will disable the domain drop-down box -entirely-; students will be forced to log in at all times using their "" UPN name.

A. To remove the domain drop-down list from the logon screen and force users to use their full user principal name (UPN), perform these steps:

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
3. From the Edit menu, select New, DWORD value.
4. Enter a name of NoDomainUI and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Reboot the machine.
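The same registry change, scripted so it can be pushed to AD-joined student laptops (for example as a computer startup script or a Group Policy registry item) and verified afterwards. This is an added example, not code from the answer above: it assumes it runs elevated on a client joined to StudentDomain, uses Windows PowerShell (which older XP-era clients may not have, in which case the equivalent reg.exe command in the comment applies), and the -Revert switch and the Get-NoDomainUI / Set-NoDomainUI function names are my own.

```powershell
# Added example: apply or remove the NoDomainUI value from the steps above and confirm it took.
# Assumptions: run as an administrator on the client; Windows PowerShell is available.
# Without PowerShell the same change is:
#   reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v NoDomainUI /t REG_DWORD /d 1 /f
param([switch]$Revert)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'NoDomainUI'

# Returns the current DWORD value, or $null when the value does not exist yet.
function Get-NoDomainUI {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

# Creates or overwrites the value as REG_DWORD, exactly as the manual regedit steps do.
function Set-NoDomainUI {
    param([int]$Value)
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -PropertyType DWord -Force | Out-Null
}

if ($Revert) {
    # Undo path: deleting the value restores the domain drop-down after the next reboot.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Write-Host "$ValueName removed; the domain drop-down returns after a reboot."
    exit 0
}

$before = Get-NoDomainUI
Set-NoDomainUI -Value 1
$after = Get-NoDomainUI
if ($after -ne 1) {
    Write-Error "Failed to set $ValueName under $KeyPath"
    exit 1
}
Write-Host "$ValueName was '$before', now $after. Reboot for the logon screen to change."
```

Two points worth keeping in mind when rolling this out. First, as the answer explains, the value only hides the drop-down on the client; with the trust in place a student can still type a full UPN for a TeacherDomain account, so the account lockout and password policies in TeacherDomain (and the failed-logon auditing on its domain controllers) remain the controls that actually matter. Second, because every logon now requires the full UPN, test the change on one laptop and brief students before deploying it fleet-wide, since a forgotten suffix is indistinguishable from a bad password at the logon prompt.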

