Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Forest Trust: Restricting access to Domain in logon [message #156381] Tue, 16 June 2009 06:47
Rickd139
I'm researching setting up a one-way Windows 2003 forest trust between Domain
A and Domain B.

Domain B users will need to access resources in Domain A.
Both domains are at Functional level Windows Server 2003.
Users will have accounts in both domains

As I understand it Domain A will trust Domain B.
Can I prevent Domain B appearing in the Domain list on Domain A PCs? It is
imperative that users cannot log on to Domain B from Domain A PCs... (with
Domain B accounts).

Thanks in advance... I have researched this extensively

Rick
Re: Forest Trust: Restricting access to Domain in logon [message #156387 is a reply to message #156381] Tue, 16 June 2009 08:02
meiweb(nospam)
Hello Rickd139,

With a trust in place you cannot remove the domain from the "logon to" drop-down
menu, as far as I know.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Forest Trust: Restricting access to Domain in logon [message #156402 is a reply to message #156381] Tue, 16 June 2009 11:34
Jorge Silva
Hi
Yes you can, check:
http://www.pctools.com/guides/registry/detail/1027/

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: Forest Trust: Restricting access to Domain in logon [message #156439 is a reply to message #156402] Wed, 17 June 2009 02:36
meiweb(nospam)
Hello Jorge,

Isn't that to hide the complete list, instead of one of the domain
names, if I understand the OP correctly?

Best regards

Meinolf Weber
Re: Forest Trust: Restricting access to Domain in logon [message #156457 is a reply to message #156439] Wed, 17 June 2009 11:54
Jorge Silva
Yes, it is an ALL or NOTHING configuration.
Although it does not hide a particular domain in the list, I think that it can be
considered as an alternative to the "Problem".
Don't you agree?
Jorge Silva
MVP Directory Services
Re: Forest Trust: Restricting access to Domain in logon [message #156469 is a reply to message #156457] Wed, 17 June 2009 14:45
meiweb(nospam)
Hello Jorge,

Fully agreed, just thought there is an option to remove a single entry.

Best regards

Meinolf Weber
Re: Forest Trust: Restricting access to Domain in logon [message #156523 is a reply to message #156469] Thu, 18 June 2009 14:08
DaveMo

This may hide the option in the logon screen, but it wouldn't stop the
users from being able to log on if they typed the domain B name or UPN,
right?

So this might be a good starting place, but I think you are also going
to have to set up some policies. For example, you should be able to
create a logon GP that denies interactive logon to any machine in
domain A for domain B users.

HTH,
Dave
Re: Forest Trust: Restricting access to Domain in logon [message #156551 is a reply to message #156523] Thu, 18 June 2009 20:36
Jorge Silva
Inline
>This may hide the option in the logon screen, but it wouldn't stop the
>users from being able to logon if they typed the domain B name or UPN,
>right?

Correct, the user may use the UPN logon or the pre-Windows format
"domain\username".

> So this might be a good starting place, but I think you are also going
> to have to setup some policies. For example, you should be able to
> create a logon GP that denies interactive logon to any machine in
> domain A for domain B users.

Note that there are other options for trusts: you have selective authentication,
where you define which machines are accessible through the trust.
Check:
http://technet.microsoft.com/en-us/library/cc787623(WS.10).aspx


Jorge Silva
MVP Directory Services
Re: Forest Trust: Restricting access to Domain in logon [message #156733 is a reply to message #156551] Wed, 24 June 2009 10:15
DaveMo

I thought about selective authentication, but I don't think that gives
you the granularity to distinguish between interactive and network
logons. The basic scenario was that Domain B users will need to
perform "network" logons to reach resources in Domain A. The poster
stated that they also didn't want users to log on interactively (as
opposed to over the network) to Domain A computers with their Domain B
creds. The only way this is distinguished is by the logon type, which is
why I suggested a policy that prevents "interactive" logons for
DomainB/Users.

Make sense?

Dave
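
One way to verify the policy discussed in this thread, as an added example that is not part of the original posts: it parses a security template in the secedit /export INF format and checks that a Domain B group is denied interactive logon while network logon stays allowed. The template text and the DOMAINB name are constructed, and the Terminal Services check goes one step beyond what the thread covers.

```python
# Added example: audit a security template in "secedit /export" INF format.
# User-right names are the real Windows constants; the template is constructed.
DENY_LOCAL = "SeDenyInteractiveLogonRight"         # Deny log on locally
DENY_TS = "SeDenyRemoteInteractiveLogonRight"      # Deny log on through Terminal Services
DENY_NETWORK = "SeDenyNetworkLogonRight"           # Deny access to this computer from the network

# Constructed template for a Domain A workstation (DOMAINB is a placeholder name).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyInteractiveLogonRight = DOMAINB\Domain Users
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def audit(text, principal):
    """List gaps for one principal. Matches literal entries only; nested
    group membership is not resolved."""
    rights = parse_privilege_rights(text)
    who = principal.lstrip("*").lower()
    findings = []
    if who not in rights.get(DENY_LOCAL, set()):
        findings.append("console logon is not denied")
    if who not in rights.get(DENY_TS, set()):
        findings.append("Terminal Services logon is not denied")
    if who in rights.get(DENY_NETWORK, set()):
        findings.append("network logon is denied, so resource access breaks")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, r"DOMAINB\Domain Users"):
        print("FINDING:", finding)
```

Files written by secedit /export are normally UTF-16, so decode them before passing the text to audit().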