Authenticate as user from one domain to another

Posted on 2009-07-09
Last Modified: 2013-11-25
Hi All,
Really struggling (on a live system). We have had PCOUNTER and new network printers installed over the last few days on a domain STUDENTS this allows monitoring of print work etc and is working fine. However the people before us created a second domain called BUSINESS that also need access to these printers.

The printers are shared off a server called VIPER (on the STUDENTS domain) which we can connect to from the BUSINESS domain, however when we try and install the printers as a BUSINESS user we get the "Policy controls do not permit, blah blah"

So far the only way we have got it to print is by connecting to VIPER as an admin, then getting the printer installed, the problem is that then the admin account gets billed for the printing, even if we log off and log back in as a user. I have even set the print security to everyone but it still requires authentication.

If I were to run a VBS script at logon to connect the printer, how could I ensure this authentication between the two domains without using generic IDs and preferably without setting up network maps to VIPER on 80 BUSINESS users machines?

Many thanks in advance, proper headscratcher for me atm.
Question by:Ned Ramsay
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 18

Expert Comment

ID: 24814377
Have you established the trust between the STUDENTS and BUSINESS domain? Trust is needed when you need to share resources between domains. Unless you are using Internet Printing method which everyone group will allow non domain users to connect to shared network printers.

Author Comment

by:Ned Ramsay
ID: 24815098
There are no trusts between domains, this is the problem, I have taken over from a complete idiot of an IT manager!

Author Comment

by:Ned Ramsay
ID: 24815186
Does anyone have a step by step guide to setting up trusts between domains?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 18

Expert Comment

ID: 24815641
What version of domains are you running? win2k, win2k3, or win2k8?
Here's an example to create a two-way trust(Assuming you can manage both Domain A & B):
Run Active Directory Domains and Trusts->Right Click on the Domain  and select Properties Then click the "Trusts" tab. Then click on New Trust. Provide DNS or NetBIOS name of other domain(DomainB). Here you need an "incoming trusts". If no other specific restriction, do forest trust. When done, you should have DomainB listed on the bottom box of the "Domains that trust this domain(incoming trusts)"

Do the same but the opposite of the above.
LVL 18

Expert Comment

ID: 24815705
Sorry I have provided you the one-way trust.
Here's the steps for two-way trust:
Scenarios, just an example:
DOMAIN-1--Domain Functional Level and Forest Functional Level is Windows Server 2003
Domain-2--Domain Functional Level is Windows Server 2003 and Forest Functional Level is Windows Server 2003

Note: you can start either on Domain1 or Domain2, the order of creation for the trust doesn't matter.
New Trust-->DNS or NetBIOS name of other domain-->External Trust-->Two-Way-->This Domain only-->Domain-Wide Authentication-->Trust Password-->No Need to confirm any trust at the moment

New Trust-->DNS or NetBIOS name of other domain-->Two-Way-->This Domain only--> Domain-Wide Authentication-->Trust Password-->No Need to confirm any trust at the moment

Note: Domain-Wide authentication above is just an example, you can also do selective authentication. But Domain-wide authentication should be used if you manage both domains.
LVL 18

Accepted Solution

Americom earned 500 total points
ID: 24815720
More info:
One-way trust--If a one way trust from DomainA trusts-->Domain B. Users in DomainB will be able to access resources(like printer) in DomainA since DomainA is the trusting domain which trusts DomainB, meaning allow DomainB users to access their resources. DomainB then considered the trusted domain as being trusted by DomainA. When Users from DomainA hit "ctrl+Alt+Del" there will be two Domains that they can select to logon from, Which is DomainA and DomainB. This is because when a UserB using a computer that is a member of DomainA, he/she will be able to use the account UserB to logon to DomainB from a computer in DomainA. This computer is considered one type of the resources in addition to web services, file and print services etc.  However, Users in DomainA will not have these available. Like a UserA cannot use a computer which is a member of DomainB to logon to DomainA as the option is not available due to the type of trust, one-way trust from DomainA to DomainB.

Two-Way trust--DomainA trusts DomainB and DomainB also trusts DmainA. This will allow users in both domains to be able to access resources in each other's domain.
LVL 18

Expert Comment

ID: 24815732
BTW, before you create the turst above, you need to make sure firewall is opened between the two domain.

Author Comment

by:Ned Ramsay
ID: 24821291
Thanks Americom, ill let you know how I get on.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question