Solved

Two-way forest trust logons

Posted on 2007-03-23
Medium Priority
390 Views
Last Modified: 2012-08-14
I have two Windows 2003 servers running Active Directory that, for historical reasons, each have their own forest. TeacherDomain (the forest root on one server) currently owns all of the network printers and is configured as a MediaServer. StudentDomain is a forest root on the other server. We want certain groups of students to be able to access certain network printers and also use the media streaming capability of the TeacherDomain. Also, we want teachers to be able to access the NAS device that students currently use on the StudentDomain for their student portfolios.

From the Microsoft documentation, it appears that setting up a two-way forest trust gives me the capabilities that I need. However, on the student laptops that are connected to the StudentDomain, the administration does not want the domain list on the logon screen to include domains that are on the TeacherDomain. That is, they want to keep the separation that students log on to student machines and teachers log on to teacher machines. I don't know how the domain list on the logon page is generated. If I create a two-way forest trust, will student machines now be able to log on to the TeacherDomain? I think they are concerned about a student selecting the TeacherDomain, typing in a teacher's logon name, trying to break the password and getting access to gradebooks.
Question by: oaklandteacher

7 Comments
Expert Comment by: LauraEHunterMVP (ID: 18780178)
If you create a trust relationship, both domains will show up in the drop-down box on login, yes.  (There -may- be a third-party tool that can alter this behaviour, but I'm not aware of one.)  The alternative would be to leave the forests untrusted and create a second account for students who need to access the teacher domain, but that doesn't buy you much for two reasons:

[1] Managing password synchronization between the domains without a trust relationship will be a royal pain.

[2] Not being able to see the forest name in a drop-down box isn't going to stop a malicious and determined student (read: "hacker") from attempting to do password-guessing against the teacher domain - to believe otherwise is (I think, at least) a tragic underestimation of the computer-savviness of the average American student.

If users in ForestB need access to resources in ForestA the most effective way to do that is going to be via a trust relationship; it is then up to the administrators of ForestA to establish sufficient security controls to prevent unintended disclosure of resources. There are any number of tools that you can use to assist in this - Group Policy, Server & Domain Isolation, two-factor authentication for teachers...it largely depends on how much time, money, training and effort you're willing to throw at the problem of security.
Author Comment by: oaklandteacher (ID: 18780295)
I know that a malicious student isn't going to be deterred, but there are a lot of kids who will play password guessing if the dropdown includes the TeacherDomain. Plus they know that if they deliberately type in the wrong password enough times, it will temporarily disable the teacher's account (unless I change the default Group Policy).
If I move all of the network printers from the teacher domain to the top of the student domain and then establish a one-way trust, will that enable groups of students and groups of teachers to access the printers and the NAS without the TeacherDomain showing up on student laptops? I will still have to figure out how to give student access to MediaStreaming.
Expert Comment by: LauraEHunterMVP (ID: 18780447)
I don't have any one-way trusts in front of me that I can verify this against right now, but I believe that even one-way trusts will still populate the drop-down box in that scenario.  (You can obviously configure the one-way trust as a test measure and log onto a teacher/student computer to confirm.)

This unfortunately sounds as though you are attempting to create a silicon-based solution for a carbon-based problem, which is almost always a quest doomed from the start.  Does your organization have an Acceptable Use Policy, and does that AUP include a section about attempts to steal/abuse other users' passwords?  If you don't have one, write one. If you do have one, it's time to start enforcing. If the laptop with an IP that's registered to student Mike Smith logs twenty failed logons in a row against a teacher account, Mike Smith gets a warning. If it happens again, Mike Smith's parents get a phone call or he gets detention or suspension or what-not.  (I'm crafting examples in my head without knowing whether your students are K-12,  University, whatever - obviously modify these suggestions in an age-level appropriate fashion.)

Basically there isn't a technical measure in the world that's going to prevent someone from being intentionally malicious - but you're in a unique position of power in that the malicious users are at least -somewhat- under your control, rather than being a random hacker from Romania or China who is acting completely outside of any bounds of responsibility.
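Added here as a worked example, not part of the thread: the "twenty failed logons in a row against a teacher account" rule from the comment above, written in PowerShell over a constructed batch of logon events. The field names (Id, Time, Target, Workstation, Ip) mirror what the Security log's logon events carry on Windows Vista/2008 and later (4625 = logon failure, 4624 = successful logon; Windows 2003 uses different IDs), and the account and workstation names are made up. On a live domain controller the same function could consume `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}` once the event properties are mapped onto those five fields.

```powershell
# Added example: detect consecutive failed logons per (workstation, target account).
# The workstation name recorded in the event survives DHCP lease changes, so it is a
# better grouping key than the client IP. All input objects are constructed below.

function Find-GuessingRuns {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, Time, Target, Workstation, Ip
        [string[]] $Watched = @(),                   # accounts to alert on; empty means all accounts
        [int] $Threshold = 20                        # failures in a row before an alert is raised
    )
    $streak = @{}    # "workstation|target" -> current run of consecutive failures
    $alerts = @()
    foreach ($e in ($Events | Sort-Object Time)) {
        $key = "$($e.Workstation)|$($e.Target)"
        if ($e.Id -eq 4624) {               # a successful logon ends the run for that pair
            $streak.Remove($key)
            continue
        }
        if ($e.Id -ne 4625) { continue }    # ignore anything that is not a logon failure
        if ($Watched.Count -gt 0 -and $Watched -notcontains $e.Target) { continue }
        $streak[$key] = 1 + [int]$streak[$key]      # missing key casts to 0
        if ($streak[$key] -eq $Threshold) {         # alert once, when the threshold is first reached
            $alerts += [pscustomobject]@{
                Workstation = $e.Workstation
                Target      = $e.Target
                Ip          = $e.Ip
                Failures    = $streak[$key]
                LastSeen    = $e.Time
            }
        }
    }
    return $alerts
}

# --- constructed sample input (not real log data) ---
function New-LogonEvent([int]$Id, [datetime]$Time, [string]$Target, [string]$Workstation, [string]$Ip) {
    [pscustomobject]@{ Id = $Id; Time = $Time; Target = $Target; Workstation = $Workstation; Ip = $Ip }
}
$t0 = Get-Date '2007-03-23 09:00:00'
$sample = @()
# LAPTOP-017: 22 failures against a teacher account with no success in between
foreach ($i in 1..22) { $sample += New-LogonEvent 4625 $t0.AddSeconds($i) 'TEACHERDOMAIN\jdoe' 'LAPTOP-017' '10.1.4.23' }
# LAPTOP-T01: three mistyped passwords followed by a correct one (ordinary teacher behaviour)
foreach ($i in 1..3)  { $sample += New-LogonEvent 4625 $t0.AddMinutes(5).AddSeconds($i) 'TEACHERDOMAIN\asmith' 'LAPTOP-T01' '10.1.2.9' }
$sample += New-LogonEvent 4624 $t0.AddMinutes(6) 'TEACHERDOMAIN\asmith' 'LAPTOP-T01' '10.1.2.9'
# LAPTOP-031: 25 failures against a student account, which is not on the watched list
foreach ($i in 1..25) { $sample += New-LogonEvent 4625 $t0.AddMinutes(10).AddSeconds($i) 'STUDENTDOMAIN\mike' 'LAPTOP-031' '10.1.4.88' }

$teachers = @('TEACHERDOMAIN\jdoe', 'TEACHERDOMAIN\asmith')   # assumed account names
Find-GuessingRuns -Events $sample -Watched $teachers | Format-Table -AutoSize
```

Two practical notes. First, pick the threshold below the domain's account lockout threshold if one is set, so the guessing is noticed before the teacher's account is locked; the lockout itself shows up separately as event 4740 on the domain controller and is a useful second signal. Second, because the key is the workstation name rather than the IP address, a DHCP-assigned address changing between lessons does not split one student's run into several, which addresses the tracking problem raised in the next comment.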
Author Comment by: oaklandteacher (ID: 18780714)
We have hundreds of student laptops on mobile carts and we use DHCP, so tracking down the student who might have been using a particular laptop at a particular time is more effort than I have time for. I understand about AUP and all that. I just need a technical answer about forest trusts.

thanks.
Accepted Solution by: LauraEHunterMVP (earned 1000 total points, ID: 18780783)
Hmmmm.  The good news?  I think I found a way for you to hide the domain drop-down entirely.

The bad news?  It involves a registry hack on the client-side, which probably wouldn't be feasible for you from an implementation standpoint.  (Unless your student laptops are AD-joined, in which case you can obviously deploy it via GP.)

This solution will also necessitate a behaviour/training change for your students as it will disable the domain drop-down box -entirely-; students will be forced to log in at all times using their "jsmith@oakland.edu" UPN name.

To remove the domain drop-down list from the logon screen and force users to use their full user principal name (UPN), perform these steps:

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
3. From the Edit menu, select New, DWORD value.
4. Enter a name of NoDomainUI and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Reboot the machine.

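Added as a worked example, not part of LauraEHunterMVP's answer: a PowerShell equivalent of the registry steps above that sets the value, reads it back and can undo it. It assumes an elevated PowerShell session on the client (or a startup script pushed by Group Policy to AD-joined laptops); the key path and the NoDomainUI value name are the ones the answer gives, and the function names are this example's own.

```powershell
# Added example: apply and verify the NoDomainUI Winlogon setting from the
# accepted solution. Run elevated; HKLM is not writable otherwise.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-DomainListState {
    # Returns a short description of whether the logon domain list is hidden.
    $item = Get-ItemProperty -Path $Winlogon -Name 'NoDomainUI' -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'shown (NoDomainUI not set)' }
    if ($item.NoDomainUI -eq 1) { return 'hidden (NoDomainUI = 1)' }
    return "shown (NoDomainUI = $($item.NoDomainUI))"
}

function Set-DomainListHidden {
    # -Restore removes the value so the drop-down comes back after the next reboot.
    param([switch]$Restore)
    if ($Restore) {
        Remove-ItemProperty -Path $Winlogon -Name 'NoDomainUI' -ErrorAction SilentlyContinue
        return
    }
    # REG_DWORD 1 hides the list; users then log on with a UPN such as jsmith@oakland.edu.
    # -Force overwrites an existing value instead of failing on it.
    New-ItemProperty -Path $Winlogon -Name 'NoDomainUI' -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Host "Before: $(Get-DomainListState)"
Set-DomainListHidden
Write-Host "After:  $(Get-DomainListState)"
Write-Host 'Reboot for Winlogon to pick up the change; run Set-DomainListHidden -Restore to undo it.'
```

Before rolling this out, log on to a test laptop with a student account and run `whoami /upn` so you know the exact suffix students will have to type. Keep in mind that the value only changes the logon dialog: with a forest trust in place, a student who types a teacher's full UPN (jdoe@teacherdomain suffix) is still authenticated against the TeacherDomain, so the account lockout and failed-logon monitoring discussed earlier in the thread remain the controls that matter.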
