Two-way forest trust logons

Posted on 2007-03-23
Last Modified: 2012-08-14
I have two Windows 2003 servers running Active Directory, that for historical reasons, each have their own forest. TeacherDomain (the forest root on one server) currently owns all of the network printers and is configured as a MediaServer. StudentDomain is a forest root on the other server. We want to have certain groups of students be able to access certain network printers and also use the media streaming capability of the TeacherDomain. Also, we want teachers to be able to access the NAS device that students currently use on the StudentDomain for their student portfolios. From the Microsoft documentation, it appears that setting up a two-way forest trust gives me the capabilities that I need. However, on the student laptops that are connected to the StudentDomain, the administration does not want the domain list on the logon screen to include domains that are on the TeacherDomain. That is, they want to keep the separation that students log on to student machines and teachers log on to teacher machines. I don't know how the domain list on the logon page is generated. If I create a two-way forest trust, will student machines now be able to log on to the TeacherDomain? I think they are concerned about a student selecting the TeacherDomain, typing in a teacher's logon name and trying to break the password and getting access to gradebooks.
Question by: oaklandteacher
LVL 30

Expert Comment

ID: 18780178
If you create a trust relationship, both domains will show up in the drop-down box on login, yes.  (There -may- be a third-party tool that can alter this behaviour, but I'm not aware of one.)  The alternative would be to leave the forests untrusted and create a second account for students who need to access the teacher domain, but that doesn't buy you much for two reasons:

[1] Managing password synchronization between the domains without a trust relationship will be a royal pain.

[2] Not being able to see the forest name in a drop-down box isn't going to stop a malicious and determined student (read: "hacker") from attempting to do password-guessing against the teacher domain - to believe otherwise is (I think, at least) a tragic underestimation of the computer-savviness of the average American student.

If users in ForestB need access to resources in ForestA the most effective way to do that is going to be via a trust relationship; it is then up to the administrators of ForestA to establish sufficient security controls to prevent unintended disclosure of resources. There are any number of tools that you can use to assist in this - Group Policy, Server & Domain Isolation, two-factor authentication for largely depends on how much time, money, training and effort you're willing to throw at the problem of security.

Author Comment

ID: 18780295
I know that a malicious student isn't going to be deterred, but there are a lot of kids who will play password guessing if the dropdown includes the TeacherDomain. Plus they know that if they deliberately type in the wrong password enough times, it will temporarily disable the teacher's account (unless I change the default Group Policy).
If I move all of the network printers from the teacher domain to the top of the student domain and then establish a one-way trust, will that enable groups of students and groups of teachers to access the printers and the NAS without the TeacherDomain showing up on student laptops? I will still have to figure out how to give student access to MediaStreaming.
LVL 30

Expert Comment

ID: 18780447
I don't have any one-way trusts in front of me that I can verify this against right now, but I believe that even one-way trusts will still populate the drop-down box in that scenario.  (You can obviously configure the one-way trust as a test measure and log onto a teacher/student computer to confirm.)

This unfortunately sounds as though you are attempting to create a silicon-based solution for a carbon-based problem, which is almost always a quest doomed from the start.  Does your organization have an Acceptable Use Policy, and does that AUP include a section about attempts to steal/abuse other users' passwords?  If you don't have one, write one. If you do have one, it's time to start enforcing. If the laptop with an IP that's registered to student Mike Smith logs twenty failed logons in a row against a teacher account, Mike Smith gets a warning. If it happens again, Mike Smith's parents get a phone call or he gets detention or suspension or what-not.  (I'm crafting examples in my head without knowing whether your students are K-12, University, whatever - obviously modify these suggestions in an age-level appropriate fashion.)

Basically there isn't a technical measure in the world that's going to prevent someone from being intentionally malicious - but you're in a unique position of power in that the malicious users are at least -somewhat- under your control, rather than being a random hacker from Romania or China who is acting completely outside of any bounds of responsibility.
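The "twenty failed logons in a row against a teacher account" trigger proposed above can be turned into a detection rule. The script below is an added example, not code from the thread or from Experts Exchange. It assumes the failed-logon events from the TeacherDomain domain controllers have already been exported into objects with the fields shown (on Windows 2003 that is Security log event 529, on later versions event 4625; both carry the client's Workstation Name, which is stable even when the laptops get their IPs from DHCP). The sample records are constructed for the example and are not real log data.

```powershell
# Added example (not part of the original thread): flag workstations that
# produce a run of failed logons against accounts in the teacher domain.
# Assumptions: events exported from the DCs into objects with the fields
# Time, Workstation, TargetDomain and TargetUser; threshold and domain
# name are parameters. Sample data below is constructed, not real.

function Find-PasswordGuessing {
    param(
        [object[]]$Events,
        [int]$Threshold = 20,
        [string]$Domain = 'TEACHERDOMAIN'
    )
    $alerts = @()
    # One run counter per workstation; a failure against any other domain
    # (e.g. the student's own account) breaks the run.
    foreach ($group in ($Events | Sort-Object Time | Group-Object Workstation)) {
        $run = @()
        foreach ($e in $group.Group) {
            if ($e.TargetDomain -ieq $Domain) { $run += $e } else { $run = @() }
            # Fire exactly once, when the run first reaches the threshold.
            if ($run.Count -eq $Threshold) {
                $accounts = $run | Select-Object -ExpandProperty TargetUser | Sort-Object -Unique
                $alerts += [pscustomobject]@{
                    Workstation = $group.Name
                    Accounts    = ($accounts -join ',')
                    FirstFail   = $run[0].Time
                    LastFail    = $e.Time
                    Count       = $run.Count
                }
            }
        }
    }
    return $alerts
}

# Constructed sample input: LAPTOP-17 hammers teacher account jsmith every
# five seconds; LAPTOP-04 makes two typos against a student account.
$start  = [datetime]'2007-03-23T10:00:00'
$sample = @()
1..22 | ForEach-Object {
    $sample += [pscustomobject]@{
        Time         = $start.AddSeconds(5 * $_)
        Workstation  = 'LAPTOP-17'
        TargetDomain = 'TEACHERDOMAIN'
        TargetUser   = 'jsmith'
    }
}
$sample += [pscustomobject]@{ Time = $start.AddMinutes(1);  Workstation = 'LAPTOP-04'; TargetDomain = 'STUDENTDOMAIN'; TargetUser = 'mike.smith' }
$sample += [pscustomobject]@{ Time = $start.AddSeconds(70); Workstation = 'LAPTOP-04'; TargetDomain = 'STUDENTDOMAIN'; TargetUser = 'mike.smith' }

# Expect one alert: LAPTOP-17, account jsmith, count 20.
Find-PasswordGuessing -Events $sample -Threshold 20 | Format-Table -AutoSize
```

Keying the rule on the workstation name rather than the source IP is deliberate: the name is what the client sends in the logon request, so a laptop on a cart keeps the same identity across DHCP leases. Pair the alert with the account lockout policy on the teacher domain so that the warning arrives before the teacher's account is locked out.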

Author Comment

ID: 18780714
We have hundreds of student laptops on mobile carts and we use DHCP, so tracking down the student who might have been using a particular laptop at a particular time is more effort than I have time for. I understand about AUP and all that. I just need a technical answer about forest trusts.

LVL 30

Accepted Solution

LauraEHunterMVP earned 250 total points
ID: 18780783
Hmmmm.  The good news?  I think I found a way for you to hide the domain drop-down entirely.

The bad news?  It involves a registry hack on the client-side, which probably wouldn't be feasible for you from an implementation standpoint.  (Unless your student laptops are AD-joined, in which case you can obviously deploy it via GP.)

This solution will also necessitate a behaviour/training change for your students as it will disable the domain drop-down box -entirely-; students will be forced to log in at all times using their "" UPN name.

A. To remove the domain drop-down list from the logon screen and force users to use their full user principal name (UPN), perform these steps:

Start the registry editor (regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
From the Edit menu, select New, DWORD value.
Enter a name of NoDomainUI and press Enter.
Double-click the new value and set it to 1. Click OK.
Reboot the machine.
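The registry steps above, collected into a script that can be pushed to AD-joined laptops as a Group Policy startup script. This is an added example, not code from the accepted answer; it sets only the NoDomainUI value the answer names and verifies it, and it assumes a pre-Vista client (the GINA-based logon UI the 2007 thread is about), since later Windows versions use a different logon UI and this value is not documented to affect them.

```powershell
# Added example (not from the original answer): apply the NoDomainUI
# Winlogon value described above, idempotently, and report whether it is set.
# Assumption: pre-Vista client with the classic Winlogon/GINA logon screen.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'NoDomainUI'

function Set-NoDomainUI {
    param([int]$Value = 1)
    if (-not (Test-Path $key)) { throw "Winlogon key missing: $key" }
    $existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($existing -eq $Value) {
        Write-Host "$name already set to $Value, nothing to do"
        return
    }
    # REG_DWORD; created if absent, overwritten otherwise (-Force).
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host "$name set to $Value (previous value: '$existing'); reboot required"
}

function Test-NoDomainUI {
    # True when the drop-down will be hidden at the next logon screen.
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    return ($v -eq 1)
}

Set-NoDomainUI -Value 1
if (Test-NoDomainUI) {
    Write-Host 'Domain drop-down hidden after reboot; users must log on with their UPN (user@domain)'
} else {
    Write-Warning "$name is not set to 1; check permissions on $key"
}
```

Run it elevated on one laptop first and log on as a student to confirm the drop-down is gone before deploying it to the carts; to back it out, call Set-NoDomainUI -Value 0 or delete the value and reboot.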
