Windows Thread, one way nontransitive trust issue in Technical
25th January 2008, 10:48 AM #1 one way nontransitive trust issue
We have two domains.
I have created a one-way non-transitive trust where the circ domain trusts the admin domain.
I need to do this so that I could allow staff to work on a network application that was set up on the circ network. It was set up as there were a lot of staff who did not have laptops at the time. Now they all have a wireless admin laptop. However, staff may need to log onto a circ PC and use the software. (temps, etc.)
The trust eliminates the authentication to another domain issue.
However, now on the circ PCs, in the "log on to" box, the admin domain name appears. Any way to prevent this, or will I have to remove the trust?
-
26th January 2008, 12:30 AM #2 This is normal behaviour. As the curric domain now 'trusts' the admin domain to authenticate user accounts, admin users can potentially access resources in the curric domain and this includes logging on to the computers. I know of no way around it, but in theory you could create a startup script (or a custom policy) which sets the necessary registry settings on curric PCs to ensure the curric domain is the default entry and even to hide the 'log on to' box.
-
15th February 2008, 06:58 PM #3
Originally Posted by ajbritton:
This is normal behaviour. As the curric domain now 'trusts' the admin domain to authenticate user accounts, admin users can potentially access resources in the curric domain and this includes logging on to the computers. I know of no way around it, but in theory you could create a startup script (or a custom policy) which sets the necessary registry settings on curric PCs to ensure the curric domain is the default entry and even to hide the 'log on to' box.
Thanks pal.
I found this on the net (did not use it, and removed the trust, as how secure are teacher passwords?):

I don't know of any way that you can remove a domain; why do you need to do this?
If it's because users log onto the incorrect domain, then you can force a default domain and then hide the domain list using group policy.
Although there is no group policy setting to do this, I got around the problem by writing a custom ADM file which changes a couple of registry keys in:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The 2 keys to change are:
ShowLogonOptions - set to 0 to hide the domain list &
DefaultDomainList - set this to the domain you need to logon to.
Here's a copy of the ADM file:
;****************************************************************
;* Custom ADM file to force specific domain to logon to. You'll
;* need to also change group policy
;* \Computer\AdminTemplates\System\GroupPolicy\
;* Enable Registry Policy Processing, and enable "process even
;* if the group policy objects have not changed"
;* Written by Gary Middleton,UK
;****************************************************************
CLASS MACHINE
CATEGORY !!Logon
POLICY !!HideDomainList
EXPLAIN !!HideDomainList_Help
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME ShowLogonOptions
VALUEON NUMERIC 0 ; removes dropdown list
VALUEOFF NUMERIC 1 ; enables dropdown list
END POLICY
POLICY !!DefaultDomain
EXPLAIN !!DefaultDomain_Help
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME DefaultDomainName
VALUEON "DOMAINNAME" ; where DOMAINNAME is the domain you want the users to logon to
VALUEOFF ""
END POLICY
END CATEGORY
[strings]
Logon="Logon Options"
HideDomainList="Hide Domain List"
HideDomainList_Help="Enabling this setting hides the domain list from the CTRL+ALT+DELETE screen. Disabling will show the domain list."
DefaultDomain="Default Domain"
DefaultDomain_Help="Default domain name to set to DOMAINNAME if enabled. It will be the default option in the drop down list at the CTRL+ALT+DELETE screen"
Just cut & paste into WordPad, save with a .ADM extension. Load GPMC, right click administrative Tools & add template, find location of the saved adm file.
To view, change view\filtering from the menu with the policy loaded, uncheck box "only show policy settings that can be fully managed".
You'll then be able to edit the 2 keys in your new Admin Template within the policy.
Hope this helps,
Gary Middleton.
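
A custom ADM taken from the net can be reviewed before it is loaded by listing the registry values each policy writes and whether they sit under a Policies branch; values outside those branches are the ones hidden by the "only show policy settings that can be fully managed" filter, and they stay in the registry after the GPO stops applying. The Python below is an added example, not part of the original thread: `parse_adm`, `unmanaged` and the trimmed `SAMPLE_ADM` are names constructed here, and it assumes KEYNAME appears inside each POLICY, as in the template above.

```python
import re
# Constructed sample: the two policies from the template above, EXPLAIN text omitted.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!Logon
POLICY !!HideDomainList
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME ShowLogonOptions
VALUEON NUMERIC 0 ; removes dropdown list
VALUEOFF NUMERIC 1 ; enables dropdown list
END POLICY
POLICY !!DefaultDomain
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME DefaultDomainName
VALUEON "DOMAINNAME"
VALUEOFF ""
END POLICY
END CATEGORY
[strings]
HideDomainList="Hide Domain List"
DefaultDomain="Default Domain"
'''

# Branches Group Policy cleans up again when the GPO stops applying ("fully managed").
MANAGED = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")
FIELDS = {"KEYNAME": "key", "VALUENAME": "value", "VALUEON": "on", "VALUEOFF": "off"}

def parse_adm(text):
    """Return one dict per POLICY: name, hive, key, value name, on/off data, managed flag."""
    body, _, strings = text.partition("[strings]")
    names = dict(re.findall(r'^(\w+)="(.*)"\s*$', strings, re.M))
    policies, cur, hive = [], None, None
    for raw in body.splitlines():
        line = re.sub(r'\s*;[^"]*$', "", raw).strip()  # drop a trailing ';' comment
        word, _, rest = line.partition(" ")
        word, rest = word.upper(), rest.strip()
        if word == "CLASS":
            hive = "HKLM" if rest.upper() == "MACHINE" else "HKCU"
        elif word == "POLICY":
            cur = {"name": names.get(rest.lstrip("!"), rest), "hive": hive}
        elif line.upper() == "END POLICY":
            cur["managed"] = (cur.get("key", "").lower() + "\\").startswith(MANAGED)
            policies.append(cur)
            cur = None
        elif cur is not None and word in FIELDS:
            numeric = rest.upper().startswith("NUMERIC")
            cur[FIELDS[word]] = int(rest.split()[1]) if numeric else rest.strip('"')
    return policies

def unmanaged(policies):  # policies whose values persist after the GPO is removed
    return [p for p in policies if not p["managed"]]
```

Both policies in the sample write under Winlogon rather than a Policies branch, so `unmanaged(parse_adm(SAMPLE_ADM))` returns both of them.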