Wireless Networks Thread, Domain Trusts, just a quick question. . . in Technical
21st July 2008, 04:18 PM #1
Domain Trusts, just a quick question. . .
I've briefly played with this in the past at another school when we had a separate Admin and Curriculum Domain, and I seem to remember it adds the other network's domain name to the logon box, obviously allowing the workstation to be logged onto either domain.
Now I don't want it to do this, as we want to trust the domains between two schools through our LEA grid, but only so we can map a server resource from the other school, and run a specific piece of software on both sites from the same server. Is there any way of trusting domains with each other but it not adding the other school's domain to the 'domains' box? That way the kids can't fiddle and try to log onto the other school's domain.
Any hints or other ideas appreciated.
21st July 2008, 04:21 PM #2
I’m not sure how to get rid of it, but you could set a group policy setting to only allow domain users on your domain to log onto your computers. This will stop the students account sharing with other users from the other school; also, you can stop them logging onto the admin network if you wanted. Just set the groups accordingly.
Edit: just to add, do you know that users who are enterprise admins on the other domain from the other school can play with your AD and group policies etc.?
Last edited by FN-GM; 21st July 2008 at 04:26 PM.
21st July 2008, 06:06 PM #3
Yes I'm aware of that, not keen on the idea, but I can't see any other way round it. Basically the other school handle our finances for us, as we're quite a small school and have only recently become an academy. We have very close working links, our principal is also the principal of the other academy as well, but we are still regarded as a separate school in all other respects. We have to send them purchase orders manually at the moment, which results in long delays while things are processed, and a fair number of mistakes along the way.
Originally Posted by FN-Greatermanchester
From September they want us to have direct access to the finance system hosted in their school so we can process our own orders and manage the finances ourselves. It must be done on this finance system, we can't set up our own at this stage for various reasons. The only way I can think of giving access properly is if we can directly access their server hosting the program, which would need a trust between the two domains.
Unless anyone has any better ideas for me? Terminal services is already ruled out, we already have this for basic access to the system, but it's too 'clunky' to be useful, and people get confused working on two different desktops for different tasks. Our business manager wants to be able to run the program on our workstations properly, but have it talk to the backend at the other school.
21st July 2008, 07:57 PM #4
Is the finance package FMS? And is it FMS with SQL 2005? If so, maybe (and it's a big maybe) you won't need a trust. It's SQL based so no direct access to disks is required, but the ports would have to be opened across the grid.
Security is an issue and also the location of the LockDir normally on your SIMS drive may be an issue (yup - it's still used in FMS SQL 2005!).
I'd suggest running it past your LEA for advice.
22nd July 2008, 12:07 AM #5
I can understand your irritation at the extra domain appearing in the logon box, but TBH, if the kids want to hack the admin domain, it will be the security settings that stop them, not the fact that the domain is not immediately visible. Even without a trust, there is nothing to stop them making connections to the other domain by entering a UNC path (unless of course they are so locked down that they cannot move). Assuming you have strong, regularly changed passwords on the admin domain, then you have nothing to worry about. Group policy can enforce a decent password policy for you.
22nd July 2008, 12:21 AM #6
It's not FMS, it's another finance package (can't recall the name of it now) but here's hoping it may be SQL based, as that would solve all my problems! I could probably have it installed locally on my own servers but communicating with the SQL server hosted at the other school, I didn't think about doing it that way!
Originally Posted by metalmonkey
I've got a meeting with the ICT manager and finance manager from the other academy later this month, so I'll get to see this package then, and be able to see how it works.
22nd July 2008, 12:33 AM #7
What you need is a 1-way trust.
School A holds the resource.
School B wants access via the trust.
You set up the trust so that school A trusts School B to authenticate and access the resource. Users at A already have access.
You then could create a group called domaintrust on B. You add this group to a group on A called domaintrust. You allow this group to access the data.
You create a policy on A to deny local logon to domaintrust and apply it to your workstations. Users will then be able to access the data as part of the trust but will not be able to log on at the site due to the logon policy.
That is how I have configured it previously, and it does work rather well.
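A way to verify the setup described in post #7 from a School A workstation, as an added example that is not part of any poster's reply. The domain names `schoola.example` and `schoolb.example` are placeholders; the script assumes the RSAT ActiveDirectory module, an elevated prompt, and that the group on A is the one named in the deny-logon policy.

```powershell
# Added example: domain names are placeholders; 'domaintrust' is the group
# name used in the post. Run elevated on a School A workstation with RSAT.
Import-Module ActiveDirectory

$TrustingDomain = 'schoola.example'   # School A: holds the resource (assumed name)
$TrustedDomain  = 'schoolb.example'   # School B: its users need access (assumed name)
$GroupName      = 'domaintrust'

# 1. Trust direction. Seen from A, "A trusts B" is an Outbound trust.
#    BiDirectional would also let A's accounts authenticate into B.
$trust   = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $TrustingDomain
$trustOk = [bool]($trust -and $trust.Direction -eq 'Outbound')

# 2. Group nesting. B's group can only be a member of a domain local group
#    on A, where it appears as a foreign security principal named by its SID.
$bGroup = Get-ADGroup -Identity $GroupName -Server $TrustedDomain
$aGroup = Get-ADGroup -Identity $GroupName -Server $TrustingDomain -Properties member
$fsp    = "CN=$($bGroup.SID.Value),CN=ForeignSecurityPrincipals,*"
$nestOk = ($aGroup.GroupScope -eq 'DomainLocal') -and
          (@($aGroup.member | Where-Object { $_ -like $fsp }).Count -gt 0)

# 3. "Deny log on locally" on this workstation. Export the effective user
#    rights and look for A's group SID under SeDenyInteractiveLogonRight.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight\s*=' |
        Select-Object -First 1
$denyOk = [bool]($line -and
          $line.Line -match [regex]::Escape("*$($aGroup.SID.Value)"))
Remove-Item $cfg -ErrorAction SilentlyContinue

# One row summarising the three checks; any False needs attention.
[pscustomobject]@{
    OneWayTrust    = $trustOk
    GroupNested    = $nestOk
    DenyLocalLogon = $denyOk
}
```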