  1. #1
    projector1

    one way nontransitive trust issue

    We have two domains.
    I have created a one-way non-transitive trust where the circ domain trusts the admin domain.
    I need to do this so that I could allow staff to work on a network application that was set up on the circ network. It was set up as there were a lot of staff who did not have laptops at the time. Now they all have a wireless admin laptop. However, staff may need to log onto a circ PC and use the software (temps, etc.).

    The trust eliminates the authentication to another domain issue.

    However, now on the circ PCs, in the 'log on to' box, the admin domain name appears. Any way to prevent this, or will I have to remove the trust?

  2. #2
    ajbritton
    This is normal behaviour. As the curric domain now 'trusts' the admin domain to authenticate user accounts, admin users can potentially access resources in the curric domain and this includes logging on to the computers. I know of no way around it, but in theory you could create a startup script (or a custom policy) which sets the necessary registry settings on curric PCs to ensure the curric domain is the default entry and even to hide the 'log on to' box.

  3. #3
    projector1

    Thanks pal.

    I found this on the net (did not use it and removed the trust, as how secure are teacher passwords?)


    I don't know of any way that you can remove a domain, why do you need to do this?
    If it's because users log onto the incorrect domain, then you can force a default domain and then hide the domain list using group policy.

    Although there is no group policy setting to do this, I got around the problem by writing a custom ADM file which changes a couple of registry keys in:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

    The 2 keys to change are:
    ShowLogonOptions - set to 0 to hide the domain list &
    DefaultDomainList - set this to the domain you need to logon to.

    Here's a copy of the ADM file:
    ;****************************************************************
    ;* Custom ADM file to force specific domain to logon to. You'll
    ;* need to also change group policy
    ;* \Computer\AdminTemplates\System\GroupPolicy\
    ;* Enable Registry Policy Processing, and enable "process even
    ;* if the group policy objects have not changed"
    ;* Written by Gary Middleton,UK
    ;****************************************************************

    CLASS MACHINE

    CATEGORY !!Logon

        POLICY !!HideDomainList
            EXPLAIN !!HideDomainList_Help
            KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            VALUENAME ShowLogonOptions
            VALUEON NUMERIC 0 ; removes dropdown list
            VALUEOFF NUMERIC 1 ; enables dropdown list
        END POLICY

        POLICY !!DefaultDomain
            EXPLAIN !!DefaultDomain_Help
            KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            VALUENAME DefaultDomainName
            ; DOMAINNAME is the domain you want the users to logon to
            VALUEON "DOMAINNAME"
            VALUEOFF ""
        END POLICY

    END CATEGORY

    [strings]
    Logon="Logon Options"
    HideDomainList="Hide Domain List"
    HideDomainList_Help="Enabling this settings hides the domain list from the CTRL+ALT+DELETE screen.Disabling will show the domain list."
    DefaultDomain="Default Domain"
    DefaultDomain_Help="Default domain name to set to DOMAINNAME if enabled. It will be the default option in the drop down list at the CTRL+ALT+DELETE screen"


    Just cut & paste into wordpad, save with a .ADM extension. Load GPMC, right click administrative Tools & add template, find location of the saved adm file.
    To view, change view\filtering from the menu with the policy loaded, uncheck box "only show policy settings that can be fully managed".
    You'll then be able to edit the 2 keys in your new Admin Template within the policy.

    Hope this helps,

    Gary Middleton.
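
The startup-script route suggested in post #2, as an added example that is not part of any post above: a PowerShell script that reports whether the two Winlogon values written by the quoted ADM file match the wanted state on a PC, and sets them only when run with -Enforce. The domain name 'CIRC', the parameter names and the exit-code convention are assumptions made for the example.

```powershell
# Added example: audit (and optionally enforce) the two Winlogon values used by the ADM file.
# 'CIRC' is a placeholder; the value names and data are the ones in the quoted ADM template.
param(
    [string]$DefaultDomain = 'CIRC',   # placeholder: name of the domain that should be the default
    [switch]$Enforce                   # without this switch the script only reports drift
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Desired state: value name, data and registry type (string for the domain, DWORD for the flag)
$desired = @(
    @{ Name = 'DefaultDomainName'; Data = $DefaultDomain; Type = 'String' },
    @{ Name = 'ShowLogonOptions';  Data = 0;              Type = 'DWord'  }
)

# Compare each wanted value with what is in the registry; a missing value counts as drift
$drift = foreach ($item in $desired) {
    $current = (Get-ItemProperty -Path $key -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    if ("$current" -ne "$($item.Data)") {
        [pscustomobject]@{ Name = $item.Name; Current = $current; Wanted = $item.Data; Type = $item.Type }
    }
}

if (-not $drift) {
    Write-Output 'Winlogon values already match the wanted state.'
    exit 0
}

foreach ($d in $drift) {
    Write-Output ("{0}: current='{1}' wanted='{2}'" -f $d.Name, $d.Current, $d.Wanted)
    if ($Enforce) {
        # -Force creates the value if absent or overwrites it with the right type
        New-ItemProperty -Path $key -Name $d.Name -Value $d.Wanted -PropertyType $d.Type -Force | Out-Null
    }
}

# Report-only runs exit non-zero so a management tool can flag the machine
if (-not $Enforce) { exit 1 }
```

These values only change what the logon dialog shows. The trust itself is untouched, so, as post #2 says, admin-domain accounts can still be authenticated on circ PCs while it exists.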
