Help tweaking Forest trust

Hi everyone, here is the scenario that I am having problems with:

There are two separate forests with domains, coffee (internal) and cola 
(external).  I can set cola up with a one way outgoing trust so that the 
coffee people can access all the cola files that I grant them rights to 
(which is perfect) and cola doesn't seem to be able to get out into coffee 
(so that seems to be working great).   I set it up this way as I wanted a 
complete security boundary between the two networks, but still with the above 
clause.

However, I have noticed that as an option under the 'Log on to:' box on the 
cola computers, 'coffee' now comes up as a domain option, which is a problem. 
Users that are on coffee use pretty simple passwords (even after all the 
user education sessions!) and forcing them to be complex will probably end 
up with me being lynched or out of a job.

Is there a way that I can tighten the trust further so that coffee can get 
to all the files on cola without that coffee domain being shown as an option 
on the cola machines?

Currently coffee is a trial so I can build/destroy that at will.  Cola is in 
production so I can't play with that too much.


Coffee.com
Internal domain - trusted
1x DC
lots of office type workstations


Cola.com -> Trusts coffee
External domain
2x DC's
Large collection of terminal servers
Rogue users + hackers log on here


Thanks for your ideas :)
Murray 


0
MBN
4/15/2010 4:47:17 AM
windows.server.active_director

Oops.

Forgot to mention all servers are 2003 and domain level is 2003 +


0
MBN
4/15/2010 4:53:25 AM
You didn't mention if you are using 2003 or 2008 but I have to assume you 
are using 2003.  The drop down list will contain all domains within its 
forest and the root domain from the trusted forest.

http://blogs.technet.com/ad/archive/2008/01/04/the-domain-logon-dialogue.aspx

As far as passwords are concerned, think about using a third party password 
manager such as Password Policy Enforcer (Anixis); it isn't free but it is 
reasonably priced.  If you were using 2008 or 2008 R2 you could use the Fine 
Grained Password Policy.

-- 
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the Newsgroups.  This
posting is provided "AS IS" with no warranties and confers no rights.


0
Paul
4/15/2010 12:23:05 PM
Hi Paul,

Thank you for helping out, those articles were good.

For the moment I think I will remove the trust and just make some generic 
user accounts so that the other users can access the files which can be part 
of the login script.


Murray


0
MBN
4/16/2010 2:34:50 AM
Best way to safeguard what you're looking for is to go into group policy in 
"cola" and verify the "Log On To" permissions for the workstations.  If "Log 
On To" holds something like Domain Users for Cola, then the Coffee users will 
not be able to log onto the stations despite having "Coffee" available in the 
drop down box.
0
Utf
4/23/2010 8:43:01 PM
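
The logon-rights check suggested in the reply above, as an added example that is not part of the thread: it parses the `[Privilege Rights]` section that `secedit /export /areas USER_RIGHTS` writes on a cola machine and reports whether "Allow log on locally" or "Allow log on through Terminal Services" can reach accounts from the trusted coffee domain. The function name, the sample export and both domain SIDs are constructed for illustration.

```powershell
# Added example, not from the thread. On a cola machine, export the user rights:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# and pass (Get-Content C:\temp\rights.inf) as -InfLines.

# Well-known principals that also cover users authenticated across a trust.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users (contains Authenticated Users by default)'
}
# Allow right -> the deny right that overrides it.
$AllowToDeny = @{
    'SeInteractiveLogonRight'       = 'SeDenyInteractiveLogonRight'
    'SeRemoteInteractiveLogonRight' = 'SeDenyRemoteInteractiveLogonRight'
}

function Get-TrustLogonExposure {   # hypothetical helper name
    param(
        [string[]]$InfLines,        # lines of the secedit export
        [string]$TrustedDomainSid   # domain SID of the trusted (coffee) domain
    )
    # Collect "Name = *SID,*SID,account" entries from [Privilege Rights].
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    foreach ($allow in $AllowToDeny.Keys) {
        $granted = @($rights[$allow] | Where-Object { $_ })
        $denied  = @($rights[$AllowToDeny[$allow]] | Where-Object { $_ })
        # Grants that include trusted-domain users, directly or via a broad group.
        $reach = @($granted | Where-Object {
            $BroadSids.ContainsKey($_) -or $_ -like "$TrustedDomainSid-*" })
        # Deny entries naming a group or user from the trusted domain.
        $block = @($denied | Where-Object { $_ -like "$TrustedDomainSid-*" })
        [pscustomobject]@{
            Right           = $allow
            ReachesTrusted  = ($reach -join ', ')
            DenyFromTrusted = ($block -join ', ')
            Exposed         = ($reach.Count -gt 0 -and $block.Count -eq 0)
        }
    }
}

# Constructed sample export; the S-1-5-21-... values are placeholders.
# cola   = S-1-5-21-1000000001-1000000002-1000000003
# coffee = S-1-5-21-2000000001-2000000002-2000000003
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000000001-1000000002-1000000003-513
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-2000000001-2000000002-2000000003-513
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-TrustLogonExposure -InfLines $sample `
    -TrustedDomainSid 'S-1-5-21-2000000001-2000000002-2000000003' |
    Format-Table -AutoSize
```

In the sample, local logon is reported as exposed because BUILTIN\Users holds the right and nothing denies coffee accounts, while Terminal Services logon is limited to cola's Domain Users. A deny entry only blocks members of the group it names, so confirm that group covers every coffee account that should be kept off the machines.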