What can the domain administrator do on an account connected to the domain?

    Question

  • I'm using my personal computer for my day job and my boss wants me to use this computer to log into a domain account on our server running Windows Server 2008. He wants me to create a new user account that will log on to the domain. He agrees that I need to keep access to my personal files and emails on my work computer since I'm working from home. I would like to know what the domain administrator could access on my personal computer if I log in through our domain. I don't want him to get access to my personal files and network shares. I'm using Windows 8.
    Monday, October 14, 2013 7:28 PM

Answers

  • If you join your personal machine to the domain then realistically the domain admin could access anything on that machine since it's now a member of the domain. As such anything the domain admin can do on the work machines could be done on that machine. Off the top of my head I believe there are steps you could take to prevent casual access, but as domain admin they could all be circumvented.

    How are you connecting to the server machine? Direct via the MMC from your machine, or using RDP or some other remote access method? There are plenty of ways to access a server without the connecting machine being a member of that domain, so unless you need your machine to be on the domain for other reasons I'd personally want to look at other methods of access.

    Monday, October 14, 2013 7:57 PM
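The point Keith makes, that joining a machine to a domain hands the domain admin control of it, can be checked on the box itself. The following PowerShell script is an added example and is not from this thread or from any Microsoft documentation; it assumes a Windows 8 / PowerShell 3.0 machine and uses only the `Win32_ComputerSystem` CIM class and the `WinNT` ADSI provider, both of which exist on that platform. It reports whether the machine is domain-joined and lists every non-local principal in the local Administrators group, which on a domain-joined machine includes "Domain Admins" (added automatically at join time).

```powershell
# Added example, not from the original thread. Reports domain membership and
# surfaces the domain principals that hold local administrator rights.

# 1. Is this machine joined to a domain, and which one?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    ComputerName      = $cs.Name
    PartOfDomain      = $cs.PartOfDomain
    DomainOrWorkgroup = $cs.Domain
} | Format-List

# 2. Enumerate the local Administrators group through the WinNT ADSI provider.
#    (Get-LocalGroupMember only ships with Windows 10 / Server 2016 and later,
#    so ADSI is used here to stay compatible with Windows 8.)
$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    [pscustomobject]@{
        Member = $path -replace '^WinNT://', ''   # e.g. CONTOSO/Domain Admins or PC1/Administrator
        Type   = $class                           # User or Group
    }
}
$members | Format-Table -AutoSize

# 3. Flag anything that is not a local account or a built-in NT AUTHORITY
#    principal. On a domain-joined machine this is where "<DOMAIN>/Domain Admins"
#    shows up, which is exactly the access the question is asking about.
$localName = $cs.Name
$members |
    Where-Object { $_.Member -notlike "$localName/*" -and $_.Member -notlike 'NT AUTHORITY/*' } |
    ForEach-Object { Write-Warning "Non-local principal with local admin rights: $($_.Member)" }
```

Run it in an elevated PowerShell prompt on the workstation in question. On a workgroup machine `PartOfDomain` is `False` and step 3 prints nothing; after a domain join it reports `True` and warns about the domain group(s) that now have full local rights, which is the practical reason the replies above recommend VPN or Workplace Join style access instead of a full domain join.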

All replies

  • As Keith said, it can be set up so that you do not join your machine to the domain but simply log into your corporate environment with a set of corporate credentials. I would think that the company would prefer it this way. That way if anything happens to data on your personal machine, they could say they don't have access to your machine. If they forced you to join your machine to their domain, they could end up having liability if something happened to your system.

    Windows Server 2012 R2 adds some new capabilities that allow the domain administrator to check for and/or manage certain things, but not have full domain access to your personal machine.

    Sounds like you need to figure out a little more about what your boss is proposing.


    .:|:.:|:. tim

    Monday, October 14, 2013 11:54 PM
  • Thank you Keith and Tim,

    After reading your answer, I managed to avoid the domain login. We installed Dropbox on our server to sync files with my computer. I guess we would have been using MMC since I know the goal was to share files easily on the server, not doing any RDP. We have a Dell SonicWall VPN connected to the server, and my boss wanted me to use the VPN connected as a service to allow the domain login.

    I just installed Windows 8.1. I see we can now use Work Folders ( http://technet.microsoft.com/en-US/windows/dn140266.aspx or http://windowsitpro.com/windows-8/it-guide-windows-81-workplace-join). I think this is a good solution to specific needs like the one I was describing here, isn't it? As I understand, I could join the workplace without giving access to my personal files. However, since your answers, we set up the solution with Dropbox and I won't ask to switch to Work Folders.

    Thank you,

    Ken


    Windows 8/64.

    Monday, October 21, 2013 1:45 PM