Multiple MS Domains and Shares...

Clowned · 22 Sep 2008 at 11:27

Morning all, hope someone can shine some light on this.. here goes..

I work at a relatively new Post 16 Centre, where staff from 2 local secondary schools come to teach. They all have their own laptops assigned to their schools own domains.

When they come to teach here they have access to the network, and have their own Accounts to Remote into a TS to do certain things, mainly electronic registers.

a lot of them are wanting software/files/videos on the network now. The problem is, that when a laptop not on this domain trys to access a share they cant.
It works if they are logged onto their laptop locally, but its not really feasible all staff having a local logon for their laptops.

Does anyone know a way around this? Is it there group policy preventing computers from foreign domains accessing my servers shares? ... Ive no idea what i should be looking at to get round it.
(Think that makes sense..)
Any help appreciated. Thanks

IAmATeaf · 22 Sep 2008 at 12:48

Probably not the optimum way to do things but can't you put a trust in between the 2 seperate domains?

danielanthony · 22 Sep 2008 at 13:14

Depends what permissions you have on the shares.

You could create a Trust between the two domains but you would then have to add the Global Group these users belong to from the other domain into a Domain Local Group in your domain which has permissions to access those shares. In order to add these users you would also need an account from the other domain in order to browse it and add the Global Groups. Plus you would then have to consider which of your DC's should be Global Catalog servers, DNS replication etc.

Simpler would be just to allow anonymous read-only access to these shares, but this is obviously a security risk which will have to be assessed.

BoomAM · 23 Sep 2008 at 08:15

As said above, allowing everyone access would sort it out, but is a security risk.

Another way to do it is to set their usernames, or plonk them in a group, that can read/write the share, then map that share to their laptop for them, meaning that on connect it'll ask for a username/password, which they'll enter as:
domain\username
password

That should work too.

.

Clowned · 23 Sep 2008 at 18:21

Thanks for the replies peeps

danielanthony said:
Simpler would be just to allow anonymous read-only access to these shares, but this is obviously a security risk which will have to be assessed.

This anonymous share would work great for a temporary solution, given there's no confidential stuff on there, video clips, lesson plans etc would be fine on it, and i could pass a script out for all the users to map to it.

BoomAM said:
Another way to do it is to set their usernames, or plonk them in a group, that can read/write the share, then map that share to their laptop for them, meaning that on connect it'll ask for a username/password, which they'll enter as:
domain\username
password

All the staff do have accounts, as they need to remote into a server so they can do e-registrations!
But when they try access shares with their usernames, it doesnt work... my guess is that its something to do with the fact their laptop's arent part of my domain?? Ill try remember to post the error i get tomorrow when doing this.

As for a Trust Relationship, it sounds a little complicated, are the benefits of it worthwhile you rekon? i could set up a couple of servers in VMware and test it out first hand, or is it not worthwhile?

Thanks again

jgreen726 · 23 Sep 2008 at 19:44

BoomAM said:
As said above, allowing everyone access would sort it out, but is a security risk.

Another way to do it is to set their usernames, or plonk them in a group, that can read/write the share, then map that share to their laptop for them, meaning that on connect it'll ask for a username/password, which they'll enter as:
domain\username
password

That should work too. .

Good plan

Can everyone on your domain currently access these shares or is it only certain members of staff\pupils?

BoomAM · 23 Sep 2008 at 22:24

Clowned said:
But when they try access shares with their usernames, it doesnt work... my guess is that its something to do with the fact their laptop's arent part of my domain?? Ill try remember to post the error i get tomorrow when doing this.

Specify the domain then.
In the username box, put in "domainname\username" and then the password as usual.
So for example:
Username: mydomainname\myusername
Password: passwordthattheuserset.

It does work, as thats how i sometimes setup shares for laptops at work.

The trust relationship thing might be a bit of a rigmarol to setup for what it achieves.

Another way of doing it is setting a workstation aside as a standalone, a few shares with relevent local accounts for access on that, then access that the same as i listed previously, just without the domain\ bit.

jgreen726 said:
Good plan

Can everyone on your domain currently access these shares or is it only certain members of staff\pupils?

The shares can only be accessed by people who are listed in its share permissions (either by username, or, as part of a group), and can only see/read/write/execute if they have the same permissions on the folder/files.