Multiple Domain Group Policy
Hello, I work for a university and we are trying to accomplish the following task:
We would like to begin providing students' Active Directory accounts. We would prefer these accounts to be in separate domains but we are open to the idea of them being within the same domain. We do not want the students to be able to log on to a computer that belongs to a faculty or staff member, but we would like the faculty/staff members to be able to log on to any computer.
I was wondering what the best way to accomplish this would be. I have experimented and found that having two separate forests would work but I don't know if there would be any potential downfalls to this in the future.
Another solution we have considered is two separate domains (parent-child relationship) and using group policy to manage a user's ability to log on to a group of computers. Is this possible to do? And more importantly, would this work since there are two different domains, or would we have to maintain one domain to do this?
We are using Windows Server 2008 for both DCs. Your help is appreciated.
February 6th, 2012 6:31pm
Hello,
You can work with a single forest and domain.
You can separate the machines for students into an OU where you link a GPO with "Allow log on locally" for the students and the staff, and another OU with "Allow log on locally" for the staff members only. Of course, do not forget to include the domain/enterprise admins and domain administrators groups.
Another option is to add the allowed machines on the user account properties for the specific user.

Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 6th, 2012 7:44pm
Hi,
I agree with Meinolf.
Make the AD structure as easy as possible. To accomplish your mentioned task, one domain and one forest is enough.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 7th, 2012 2:47am
We would like to keep the users separate for a variety of reasons. We have found a solution by using two different forests but we don't want to do that if we don't have to. We would rather do a setup like a parent-child relationship.
February 10th, 2012 3:02pm
Hello.
I agree with previous answers: having a single forest and single domain is easier to manage; you can do everything with an OU structure and GPOs.
And also you don't need to build another DC and manage it (so no other hardware, etc. ...).
Luca
Tip: Please test it in a lab first!!! | :: Faber est suae quisque fortunae ::
February 10th, 2012 4:02pm
It will not be easier to manage due to how our email structure is set up. I can get that to work extremely easily. The best solution for us is to have a parent-child domain structure. My question is how this would be accomplished, since a two-way trust is created and it cannot be modified.
Right now I have a GPO linked to an OU for the Parent Domain Computers. This GPO has the "Deny log on locally" right set to deny ParentDomain\ParentDomainLocalSecurityGroup access. ParentDomainLocalSecurityGroup has ChildDomainLocalSecurityGroup as a member.
All of the Child Domain users that should not have access to Parent Domain Computers are in the ChildDomainLocalSecurityGroup.
There is no SecurityFiltering on the GPO. The GPO only has the Deny Logon Locally policy set.
February 10th, 2012 5:34pm
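As an added example (not code from the thread or from any of the posters), this builds the parent-child setup the last post describes with the RSAT modules and then checks on a staff computer that the Deny right actually applied. The domain names, the OU path, the group names and the GPO name are placeholders, and the child-domain group is assumed to be a global group.

```powershell
# Added example, not from the thread. Placeholder names: parent domain
# campus.example.edu, child domain students.campus.example.edu, a staff
# computer OU, and a child-domain global group "StudentUsers". Requires the
# RSAT ActiveDirectory and GroupPolicy modules on a parent-domain admin host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$parent  = 'campus.example.edu'
$child   = 'students.campus.example.edu'
$staffOu = 'OU=StaffComputers,DC=campus,DC=example,DC=edu'

# 1. Domain local group in the parent domain. Domain local groups of the
#    computer's own domain are added to the logon token, so this is the
#    group the Deny right on parent-domain computers should reference.
$denyGroup = New-ADGroup -Name 'DenyLogon-Students' -GroupScope DomainLocal `
    -GroupCategory Security -Server $parent -PassThru

# 2. Nest the child domain's group. It must be global or universal: a domain
#    local group cannot contain a domain local group from another domain.
$studentGroup = Get-ADGroup -Identity 'StudentUsers' -Server $child
Add-ADGroupMember -Identity $denyGroup -Members $studentGroup -Server $parent

# 3. Create the GPO and link it to the staff computer OU. The GroupPolicy
#    module has no cmdlet for User Rights Assignment, so set
#    "Deny log on locally" = CAMPUS\DenyLogon-Students in GPMC under
#    Computer Configuration > Policies > Windows Settings > Security Settings
#    > Local Policies > User Rights Assignment. No security filtering needed.
$gpo = New-GPO -Name 'Deny student logon - staff computers' -Domain $parent
New-GPLink -Guid $gpo.Id -Target $staffOu -Domain $parent | Out-Null

# 4. Verification, run elevated on a staff computer after gpupdate /force:
#    export the effective user rights and confirm the group's SID appears in
#    SeDenyInteractiveLogonRight (the "Deny log on locally" right).
function Test-DenyLogonApplied {
    param([string]$GroupSid)
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    # secedit lists SIDs with a leading asterisk, e.g. *S-1-5-21-...
    return [bool]($line -and $line -match [regex]::Escape("*$GroupSid"))
}

$sid = (Get-ADGroup -Identity $denyGroup -Server $parent).SID.Value
Test-DenyLogonApplied -GroupSid $sid
```

If the check returns False, verify with `gpresult /r /scope computer` that the GPO is listed under applied computer policies and that the group's nested membership resolves from a parent-domain DC.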