Windows Vista Tips

Help tweaking Forest trust

MBN
04-15-2010
Hi everyone, here is the scenario that I am having problems with:

There are two separate forests with domains, coffee (internal) and cola
(external). I can set cola up with a one way outgoing trust so that the
coffee people can access all the cola files that I grant them rights to
(which is perfect) and cola doesn't seem to be able to get out into coffee
(so that seems to be working great). I set it up this way as I wanted a
complete security boundary between the two networks, but still with the above
clause.

However, I have noticed that as an option under the 'Log on to:' box on the
cola computers 'coffee' now comes up as a domain option which is a problem.
Users that are on coffee use pretty simple passwords (even after all the
user education sessions!) and forcing them to be complex will probably end
up with me being lynched or out of a job.

Is there a way that I can tighten the trust further so that coffee can get
to all the files on cola without that coffee domain being shown as an option
on the cola machines?

Currently coffee is a trial so I can build/destroy that at will. Cola is in
production so I can't play with that too much.


Coffee.com
Internal domain - trusted
1x DC
lots of office type workstations


Cola.com -> Trusts coffee
External domain
2x DCs
Large collection of terminal servers
Rogue users + hackers log on here


Thanks for your ideas
Murray


 
MBN
04-15-2010

Oops.

Forgot to mention: all servers are 2003 and the domain level is 2003+.
 
Paul Bergson [MVP-DS]
04-15-2010
You didn't mention if you are using 2003 or 2008, but I have to assume you
are using 2003. The drop down list will contain all domains within its
forest and the root domain from the trusted forest.

http://blogs.technet.com/ad/archive/...-dialogue.aspx

As far as passwords are concerned, think about using a third-party password
manager such as Password Policy Enforcer (Anixis); it isn't free, but it is
reasonably priced. If you were using 2008 or 2008 R2 you could use the Fine
Grained Password Policy.

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the newsgroups. This
posting is provided "AS IS" with no warranties and confers no rights.
 
MBN
04-16-2010
Hi Paul,

Thank you for helping out, those articles were good.

For the moment I think I will remove the trust and just make some generic
user accounts so that the other users can access the files which can be part
of the login script.


Murray
 
tdors
04-23-2010
The best way to safeguard what you're looking for is to go into Group Policy in
"cola" and verify the "Log On To" permissions for the workstations. If "Log
On To" holds something like Domain Users for Cola, then the Coffee users will
not be able to log on to the stations despite having "Coffee" available in the
drop down box.
 
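As an added example (not code from the thread or from any of the posters), the following PowerShell checks both points raised above from a cola.com member server: Paul's note that the logon drop-down reflects the trust (so confirm the trust's direction and type as cola sees it), and tdors' advice to rely on the "Log On To" rights rather than on what the drop-down shows (taken here to mean the "Allow log on locally" and "Allow log on through Terminal Services" user-rights assignments; that mapping is my assumption). It assumes PowerShell 2.0 or later, the .NET System.DirectoryServices.ActiveDirectory classes, that secedit.exe is run with local administrator rights, and that coffee.com's NetBIOS name is COFFEE; the domain names are the thread's.

```powershell
# Added example, not from the thread. Run on a cola.com member server.
# Assumptions: PowerShell 2.0+, .NET AD classes available, local admin rights,
# and the trusted forest coffee.com has NetBIOS name COFFEE (adjust if not).

function Get-ForestTrustSummary {
    # Enumerate every trust from the current (cola) forest's point of view.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($t in $forest.GetAllTrustRelationships()) {
        # 'Outbound' means this forest trusts the target: the target's users can
        # be granted access here, while local users gain nothing on the target.
        New-Object PSObject -Property @{
            Target                         = $t.TargetName
            Type                           = $t.TrustType        # Forest, External, ...
            Direction                      = $t.TrustDirection   # Inbound, Outbound, Bidirectional
            TrustedForestUsersCanAccessHere = ($t.TrustDirection -ne 'Inbound')
            LocalUsersCanAccessTarget       = ($t.TrustDirection -ne 'Outbound')
        }
    }
}

function Get-LogonRightAssignments {
    param([string]$TrustedForestNetbios = 'COFFEE')   # assumption, see lead-in

    # The two rights that decide who may actually sign in at a cola machine,
    # regardless of which domains the 'Log on to:' list offers.
    $rights = @('SeInteractiveLogonRight',          # Allow log on locally
                'SeRemoteInteractiveLogonRight')    # Allow log on through Terminal Services

    # Export only the user-rights area of the effective local security policy.
    $inf = Join-Path $env:TEMP 'user-rights-audit.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

    foreach ($line in Get-Content $inf) {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights -contains $matches[1]) {
            $right = $matches[1]
            foreach ($entry in ($matches[2] -split ',')) {
                $raw = $entry.Trim().TrimStart('*')
                if (-not $raw) { continue }
                # Entries are usually SIDs; translate to DOMAIN\Name when possible.
                $name = $raw
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($raw)
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }   # unresolvable SID or a literal account name: keep as-is
                New-Object PSObject -Property @{
                    Right             = $right
                    Principal         = $name
                    FromTrustedForest = $name.ToUpper().StartsWith("$TrustedForestNetbios\")
                }
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

# 1) Confirm the trust is one-way outbound from cola (coffee users may be
#    granted access here; cola users cannot reach coffee).
Get-ForestTrustSummary |
    Select-Object Target, Type, Direction, TrustedForestUsersCanAccessHere, LocalUsersCanAccessTarget |
    Format-Table -AutoSize

# 2) List who holds the two logon rights on this machine and flag any principal
#    from the trusted forest. An empty flagged list means the extra 'coffee'
#    entry in the drop-down is cosmetic on this host.
$assignments = Get-LogonRightAssignments
$assignments | Select-Object Right, Principal, FromTrustedForest | Format-Table -AutoSize
$assignments | Where-Object { $_.FromTrustedForest }
```

Read the second table against the advice above: if the rights hold only COLA\Domain Users, BUILTIN groups and the like, a coffee account cannot start an interactive or terminal-services session even though "coffee" is offered in the drop-down; any row flagged FromTrustedForest is a grant that should be reviewed. Run it on one of the terminal servers as well as a workstation, since the remote-interactive right is what matters there.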