Two-way forest trust logons

Posted on 2007-03-23
Last Modified: 2012-08-14
I have two Windows 2003 servers running Active Directory that, for historical reasons, each have their own forest. TeacherDomain (the forest root on one server) currently owns all of the network printers and is configured as a MediaServer. StudentDomain is a forest root on the other server. We want certain groups of students to be able to access certain network printers and also use the media streaming capability of the TeacherDomain. Also, we want teachers to be able to access the NAS device that students currently use on the StudentDomain for their student portfolios. From the Microsoft documentation, it appears that setting up a two-way Forest Trust gives me the capabilities that I need. However, on the student laptops that are connected to the StudentDomain, the administration does not want the Domain List on the logon screen to include domains that are in the TeacherDomain. That is, they want to keep the separation that students log on to student machines and teachers log on to teacher machines. I don't know how the Domain List on the logon page is generated. If I create a two-way Forest Trust, will student machines now be able to log on to the TeacherDomain? I think they are concerned about a student selecting the TeacherDomain, typing in a teacher's logon name, trying to break the password and getting access to gradebooks.
Question by: oaklandteacher
LVL 30

Expert Comment

ID: 18780178
If you create a trust relationship, both domains will show up in the drop-down box on login, yes.  (There -may- be a third-party tool that can alter this behaviour, but I'm not aware of one.)  The alternative would be to leave the forests untrusted and create a second account for students who need to access the teacher domain, but that doesn't buy you much for two reasons:

[1] Managing password synchronization between the domains without a trust relationship will be a royal pain.

[2] Not being able to see the forest name in a drop-down box isn't going to stop a malicious and determined student (read: "hacker") from attempting to do password-guessing against the teacher domain - to believe otherwise is (I think, at least) a tragic underestimation of the computer-savviness of the average American student.

If users in ForestB need access to resources in ForestA the most effective way to do that is going to be via a trust relationship; it is then up to the administrators of ForestA to establish sufficient security controls to prevent unintended disclosure of resources. There are any number of tools that you can use to assist in this - Group Policy, Server & Domain Isolation, two-factor authentication for teachers...it largely depends on how much time, money, training and effort you're willing to throw at the problem of security.

Author Comment

ID: 18780295
I know that a malicious student isn't going to be deterred, but there are a lot of kids who will play password guessing if the dropdown includes the TeacherDomain. Plus they know that if they deliberately type in the wrong password enough times, it will temporarily disable the teacher's account (unless I change the default Group Policy).
If I move all of the network printers from the teacher domain to the top of the student domain and then establish a one-way trust, will that enable groups of students and groups of teachers to access the printers and the NAS without the TeacherDomain showing up on student laptops? I will still have to figure out how to give student access to MediaStreaming.
LVL 30

Expert Comment

ID: 18780447
I don't have any one-way trusts in front of me that I can verify this against right now, but I believe that even one-way trusts will still populate the drop-down box in that scenario.  (You can obviously configure the one-way trust as a test measure and log onto a teacher/student computer to confirm.)

This unfortunately sounds as though you are attempting to create a silicon-based solution for a carbon-based problem, which is almost always a quest doomed from the start.  Does your organization have an Acceptable Use Policy, and does that AUP include a section about attempts to steal/abuse other users' passwords?  If you don't have one, write one. If you do have one, it's time to start enforcing. If the laptop with an IP that's registered to student Mike Smith logs twenty failed logons in a row against a teacher account, Mike Smith gets a warning. If it happens again, Mike Smith's parents get a phone call or he gets detention or suspension or what-not.  (I'm crafting examples in my head without knowing whether your students are K-12,  University, whatever - obviously modify these suggestions in an age-level appropriate fashion.)

Basically there isn't a technical measure in the world that's going to prevent someone from being intentionally malicious - but you're in a unique position of power in that the malicious users are at least -somewhat- under your control, rather than being a random hacker from Romania or China who is acting completely outside of any bounds of responsibility.

Author Comment

ID: 18780714
We have hundreds of student laptops on mobile carts and we use DHCP, so tracking down the student who might have been using a particular laptop at a particular time is more effort than I have time for. I understand about AUP and all that. I just need a technical answer about forest trusts.

LVL 30

Accepted Solution

LauraEHunterMVP earned 1000 total points
ID: 18780783
Hmmmm.  The good news?  I think I found a way for you to hide the domain drop-down entirely.

The bad news?  It involves a registry hack on the client-side, which probably wouldn't be feasible for you from an implementation standpoint.  (Unless your student laptops are AD-joined, in which case you can obviously deploy it via GP.)

This solution will also necessitate a behaviour/training change for your students as it will disable the domain drop-down box -entirely-; students will be forced to log in at all times using their "jsmith@oakland.edu" UPN name.

A. To remove the domain drop-down list from the logon screen and force users to use their full user principal name (UPN), perform these steps:

Start the registry editor (regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
From the Edit menu, select New, DWORD value.
Enter a name of NoDomainUI and press Enter.
Double-click the new value and set it to 1. Click OK.
Reboot the machine.
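The same registry change as a script, added here as an example and not part of the accepted answer. It assumes it is run with local administrator rights on the client (by hand, or as a Group Policy computer startup script where the student laptops are AD-joined, as the answer suggests); the function names are mine. Note what the setting does and does not do: it only hides the drop-down on the logon screen. Once the forest trust exists, the trusted domain will still authenticate a UPN typed into the user-name box, so the account lockout policy and failed-logon auditing on the teacher domain remain the controls that actually limit password guessing.

```powershell
# Added example: set and verify the NoDomainUI value under Winlogon.
# Assumption: run elevated on an XP/2003-era client; a reboot is needed afterwards.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-NoDomainUI {
    param([int]$Value = 1)   # 1 hides the domain drop-down; 0 restores it
    # -Force overwrites an existing NoDomainUI value instead of failing
    New-ItemProperty -Path $winlogon -Name 'NoDomainUI' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Test-NoDomainUI {
    # Returns $true only when the value exists and is exactly 1
    $item = Get-ItemProperty -Path $winlogon -Name 'NoDomainUI' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoDomainUI -eq 1)
}

Set-NoDomainUI -Value 1
if (Test-NoDomainUI) {
    Write-Output 'NoDomainUI=1 set; reboot required. Users must log on as user@domain (UPN).'
} else {
    Write-Output 'NoDomainUI was not set; confirm the script is running elevated.'
}
```

Running `Set-NoDomainUI -Value 0` followed by a reboot restores the drop-down, which is useful for the test the earlier comment proposes (configure the trust, log on to a student machine, and confirm what the logon screen shows before rolling the change out to the carts).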