  1. #1

    maniac

    Domain Trusts, just a quick question. . .

    I've briefly played with this in the past at another school when we had a separate Admin and Curriculum Domain, and I seem to remember it adds the other network's domain name to the logon box, obviously allowing the workstation to be logged onto either domain.

    Now I don't want it to do this, as we want to trust the domains between two schools through our LEA grid, but only so we can map a server resource from the other school, and run a specific piece of software on both sites from the same server. Is there any way of trusting domains with each other but it not adding the other school's domain to the 'domains' box? That way the kids can't fiddle and try to log onto the other school's domain.

    Any hints or other ideas appreciated.

    Mike.

  2. #2

    FN-GM
    I’m not sure how to get rid of it, but you could set a group policy setting to only allow domain users on your domain to log onto your computers. This will stop the students account sharing with other users from the other school. Also, you can stop them logging onto the admin network if you wanted. Just set the groups accordingly.

    Edit: just to add, do you know that users who are enterprise admins on the other domain from the other school can play with your AD and group policies etc.?
    Last edited by FN-GM; 21st July 2008 at 04:26 PM.

  3. #3

    maniac
    Quote Originally Posted by FN-Greatermanchester View Post

    Edit: just to add, do you know that users who are enterprise admins on the other domain from the other school can play with your AD and group policies etc.
    Yes, I'm aware of that, not keen on the idea, but I can't see any other way round it. Basically the other school handle our finances for us, as we're quite a small school and have only recently become an academy. We have very close working links, our principal is also the principal of the other academy as well, but we are still regarded as a separate school in all other respects. We have to send them purchase orders manually at the moment, which results in long delays while things are processed, and a fair number of mistakes along the way.

    From September they want us to have direct access to the finance system hosted in their school so we can process our own orders and manage the finances ourselves. It must be done on this finance system, we can't set up our own at this stage for various reasons. The only way I can think of giving access properly is if we can directly access their server hosting the program, which would need a trust between the two domains.

    Unless anyone has any better ideas for me? Terminal services is already ruled out, we already have this for basic access to the system, but it's too 'clunky' to be useful, and people get confused working on two different desktops for different tasks. Our business manager wants to be able to run the program on our workstations properly, but have it talk to the backend at the other school.

    Mike

  4. #4
    metalmonkey
    Guest
    Is the finance package FMS? And is it FMS with SQL 2005? If so - maybe (and it's a big maybe) you won't need a trust. It's SQL based so no direct access to disks is required, but the ports would have to be opened across the grid.

    Security is an issue and also the location of the LockDir normally on your SIMS drive may be an issue (yup - it's still used in FMS SQL 2005!)

    I'd suggest running it past your LEA for advice.

  5. #5
    ajbritton
    I can understand your irritation at the extra domain appearing in the logon box, but TBH, if the kids want to hack the admin domain, it will be the security settings that stop them, not the fact that the domain is not immediately visible. Even without a trust, there is nothing to stop them making connections to the other domain by entering a UNC path (unless of course they are so locked down that they cannot move). Assuming you have strong, regularly changed passwords on the admin domain, then you have nothing to worry about. Group policy can enforce a decent password policy for you.

  6. #6

    maniac
    Quote Originally Posted by metalmonkey View Post
    Is the finance package FMS? And is it FMS with SQL 2005? If so - maybe (and it's a big maybe) you won't need a trust. It's SQL based so no direct access to disks is required, but the ports would have to be opened across the grid.

    Security is an issue and also the location of the LockDir normally on your SIMS drive may be an issue (yup - it's still used in FMS SQL 2005!)

    I'd suggest running it past your LEA for advice.
    It's not FMS, it's another finance package (can't recall the name of it now) but here's hoping it may be SQL based, as that would solve all my problems! I could probably have it installed locally on my own servers but communicating with the SQL server hosted at the other school, I didn't think about doing it that way!

    I've got a meeting with the ICT manager and finance manager from the other academy later this month, so I'll get to see this package then, and be able to see how it works.

    Mike.

  7. #7
    Galway
    What you need is a one-way trust.

    School A holds the resource.

    School B wants access via the trust.

    You set up the trust so that School A trusts School B to authenticate and access the resource. Users at A already have access.
    You then could create a group called domaintrust on B. You add this group to a group on A called domaintrust. You allow this group to access the data.

    You create a policy on A to deny local logon to domaintrust and apply it to your workstations. Users will then be able to access the data as part of the trust but will not be able to log on at the site due to the logon policy.

    That is how I have configured it previously, and it does work rather well.

  8. Thanks to Galway from:

    maniac (22nd July 2008)
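
One way to check the layout described in the post above, as an added example that is not part of the thread: it confirms that the trust is one-way, that B's group is nested in A's group, and that the deny-logon right has reached a workstation. The domain names `schoola.example` and `schoolb.example` are placeholders, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: audit of the one-way trust layout from the post above.
# Assumed (not from the thread): the DNS names below and the ActiveDirectory
# module (RSAT). Run elevated on one of A's workstations as a user of domain A.
Import-Module ActiveDirectory

$DomainA = 'schoola.example'   # holds the resource (placeholder name)
$DomainB = 'schoolb.example'   # its users need access (placeholder name)
$Group   = 'domaintrust'       # group name used in the post

# 1. Seen from A, the trust object for B must be Outbound only:
#    A trusts B to authenticate, and B does not trust A.
$trust  = Get-ADTrust -Identity $DomainB -Server $DomainA
$oneWay = [string]$trust.Direction -eq 'Outbound'

# 2. B's group must be a member of A's group. Because the trust is one-way,
#    an account from A cannot query B, so ask for a credential from B.
$credB  = Get-Credential -Message "Account in $DomainB"
$groupB = Get-ADGroup -Identity $Group -Server $DomainB -Credential $credB
$groupA = Get-ADGroup -Identity $Group -Server $DomainA -Properties member
#    Across forests the member is stored as a foreign security principal
#    named after the SID; inside one forest it is the group's own DN.
$nested = [bool]($groupA.member | Where-Object {
    $_ -like "*$($groupB.SID.Value)*" -or $_ -eq $groupB.DistinguishedName
})

# 3. The effective "Deny log on locally" right (SeDenyInteractiveLogonRight)
#    on this workstation must list A's group. secedit writes domain accounts
#    as *SID entries, so match on the SID rather than the name.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf |
        Where-Object { $_ -match '^SeDenyInteractiveLogonRight' } |
        Select-Object -First 1
$denied = [bool]($line -and $line -like "*$($groupA.SID.Value)*")
Remove-Item $inf -ErrorAction SilentlyContinue

# All three values should be True for the configuration in the post.
[pscustomobject]@{
    TrustIsOneWay          = $oneWay
    GroupFromBNestedInA    = $nested
    InteractiveLogonDenied = $denied
}
```

If `InteractiveLogonDenied` is False right after linking the policy, run `gpupdate /force` on the workstation and repeat the check.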
