member of both Workgroup and Domain?

  • My only home PC is connected to an ISP,
    from which it is automatically configured with network settings as a DHCP client.

    ipconfig /all
    shows filled values for:
    - DNS suffix search list: .......... filled
    - Connection-specific DNS suffix: filled
    - NetBIOS over Tcpip: ...... Disabled

    Is my computer a member of a domain? Or of a workgroup? Or both?

    Another similar situation: I log in to a computer which is a member of the domain
    with a local (machine) user (administrator) account, and it is again part of the local workgroup...
    though it still accesses domain resources... as well as providing shared resources to other domain members.

    What exactly is the definition of a workgroup?
    I looked through some of them and they do not fit into the picture.
    For ex.,

    • "Workgroup – is a simple grouping of resources which by default uses NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup environment. The default workgroup name is WORKGROUP. In the absence of a WINS server the NetBIOS names are resolved using broadcasts to local network segment"

    One of the security recommendations is to disable NetBIOS over TCP/IP.
    What are other possible methods to secure my computer,
    i.e. to leave it the possibility of communicating in the local workgroup and with computers of the domain
    while making NetBIOS names invisible outside of the local workgroup?

    Thursday, July 8, 2010 8:45 AM

All replies

  • Hello,

    If you don't have a server which is configured as a domain controller and your machine is added to the domain, it is a workgroup machine. You can check in the following way: open System Properties, Network Identification tab, Properties button; here you can see the computer name and whether it is a member of a domain or a workgroup.

    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, July 8, 2010 12:29 PM
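The check Meinolf describes, scripted as an added example (not code from this thread): it reads the WMI classes that expose the same information as the Computer Name dialog, reports domain or workgroup membership and role, whether the current logon is a local or a domain account, and the per-adapter NetBIOS-over-TCP/IP setting and DHCP-supplied suffixes the original post quotes from ipconfig /all. It assumes Windows XP SP3 or later with PowerShell 2.0.

```powershell
# Added example: scripted version of the System Properties / Computer Name check.
# Assumes Windows XP SP3 or later with PowerShell 2.0 (Get-WmiObject; no PS3-only operators).

$cs = Get-WmiObject -Class Win32_ComputerSystem

# Win32_ComputerSystem.DomainRole: 0 standalone workstation, 1 member workstation,
# 2 standalone server, 3 member server, 4 backup DC, 5 primary DC.
$roleNames = @{ 0 = 'Standalone workstation';   1 = 'Member workstation'
                2 = 'Standalone server';        3 = 'Member server'
                4 = 'Backup domain controller'; 5 = 'Primary domain controller' }
$role = [int]$cs.DomainRole

# .Domain holds the AD domain name when joined and the workgroup name when not:
# a machine is one or the other, never both.
if (@(1, 3, 4, 5) -contains $role) {
    "Computer '{0}' is joined to domain '{1}' ({2})" -f $cs.Name, $cs.Domain, $roleNames[$role]
} else {
    "Computer '{0}' is in workgroup '{1}' ({2})" -f $cs.Name, $cs.Domain, $roleNames[$role]
}

# Which account is logged on: for a local account USERDOMAIN equals the computer name.
if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
    "Logged on with a LOCAL account: {0}\{1}" -f $env:USERDOMAIN, $env:USERNAME
} else {
    "Logged on with a DOMAIN account: {0}\{1}" -f $env:USERDOMAIN, $env:USERNAME
}

# Per-adapter NetBT setting and DHCP-supplied suffixes (the values ipconfig /all prints).
# TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
$netbt = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    "--- {0}" -f $_.Description
    "    DHCP enabled:                   {0}" -f $_.DHCPEnabled
    "    Connection-specific DNS suffix: {0}" -f $_.DNSDomain
    "    DNS suffix search list:         {0}" -f ($_.DNSDomainSuffixSearchOrder -join ', ')
    "    NetBIOS over TCP/IP:            {0}" -f $netbt[[int]$_.TcpipNetbiosOptions]
}
```

Run it once logged on with the local administrator account and once with a domain account to see that only the logon line changes, not the membership line.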
  • Well, I believe I wrote in my original post:
    "it is again part of local workgroup", which is the default Windows XP setup.

    Or more explicitly, in System Properties --> Computer Name --> Workgroup: WORKGROUP

    I also wrote that there is a DC on the domain whose resources my computer accesses. My computer is assigned a dynamic IP address and configuration from the domain's DHCP server (IPs of DNS servers, WINS servers, connection-specific DNS suffix, etc.)

    I had never asked how to check the configuration (that was a rhetorical question).

    More specifically, if I am logged in under the account of a local (machine) user, then my computer is part of the workgroup (accessible from and accessing the outside).
    (But if I log in with a domain account, then my computer is part of the domain, though that is outside the context of my questions.)

    MY QUESTIONS about the local workgroup computer (once again) ARE:
    1)
    What is the definition of a workgroup? The definitions of workgroup which I can find do not fit this situation.
    2)
    In Microsoft Windows Network I could browse computers and their resources external to my workgroup as well as share resources on mine.
    I secured my workgroup computer by disabling NetBIOS over TCP/IP.

    This made the computers in my workgroup also inaccessible.

    How to configure (secure) the workgroup to be inaccessible from outside my local workgroup (through NetBT) but still be able to communicate between computers of my workgroup?
    Thursday, July 8, 2010 1:46 PM
  • There is no way I know of to do what you want through the NetBt settings. There is virtually no security in a workgroup setup, because there is no way to enforce it. Each machine is an equal partner in a peer-to-peer setup. A domain has a centralized user database and access to domain resources can be controlled. Non-domain members can access domain resources if they have credentials which are acceptable. That means that the credentials have been verified by this domain or another domain which the domain trusts.

    Workgroups and Netbios in Windows go back a long way, before domains and before Windows' use of TCP/IP. It originally worked with Netbeui, a Microsoft proprietary protocol which was not routable, and LAN broadcasts. As the Internet became more popular, Microsoft moved to using TCP/IP, and Netbios over TCP/IP was introduced and Netbeui phased out. Domains were introduced with NT server (using Netbios) and expanded in Windows 2000 with Active Directory and DNS.

    A post-NT domain does not require Netbios over TCP/IP. It is based on DNS. Netbios over TCP/IP is included for backward compatibility with legacy machines and/or applications.

    Bill
    Friday, July 9, 2010 2:09 AM
  • 1. A Workgroup is a group of computers with no central security or configurations. Each machine in a workgroup has its own security settings, account settings and its own set of users list. It's basically a "peer to peer" setup, each machine being a "peer." To access resources (shared folders or printers), one must know a valid user name and password on the machine whose resources you are trying to use.

    A domain offers centralized security, an accounts user base and trust between the local machine and domain controllers. The local users accounts on a local machine are not used for logon, I mean they can be, but they are restricted by domain users to use them and as long as they don't have local admin rights, they can only logon using their domain account. To access resources on other machines, you need to be provided access and permissions based on your domain user account, not the local accounts. It offers centralized management of all domain members.

    Also, the trust between the local machine and domain is established when you "join" a domain. There are a number of things that occur during the join process. In the Unix field, we call it "binding." A trust channel is developed between the machine and domain controllers for secure communication after it's joined.

    In addition, NONE of the "HOME" versions of any of the operating systems have the capability to join a domain. You must have one of the Pro, Enterprise, Business or Ultimate versions to join a domain.

    2. Yep, that's basically what disabling NetBIOS over TCP/IP (NetBT) does. You can still access based on IP in a UNC, however the Browser service is based on NetBIOS, therefore if disabled, the Browser service has no way to find out what is out on the wire. To access by IP, you must know the IP address of the machine you are trying to connect to, as well as a shared resource's name.

    Here's more info on the differences:

    Workgroup vs. Domain: What's the difference?
    http://everyjoe.com/technology/57-2/

    Difference Between Workgroup and Domain
    http://www.differencebetween.net/technology/difference-between-workgroup-and-domain/

    I hope that helps. I also suggest taking some classes in Windows networking. It will answer many of these questions for you, as well as providing you with numerous resources for understanding some of the intricacies of Windows networking and how Active Directory works.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, July 9, 2010 5:24 AM
    • "In addition, NONE of the "HOME" versions of any of the operating systems have the capability to join a domain"

    Don't you feel that this phrase contradicts everything that you have written before?
    It sounds like the domain serves non-home-edition workgroup computers also.

    Nobody uses domains from/through local users or machine accounts anyway, even from Pro editions. The domain accounts are used.

    The same applies to "Home Editions": one cannot join "Home Editions" to a domain but can use domain resources and management from a domain account.

    Also, this phrase is correct only in conjunction with the phrase "by default", because Home computers can join a domain after editing the DC computer's registry.

    • "1. A Workgroup is a group of computers with no central security or configuration"

    Cannot domain controllers provide security or configuration to workgroup computers
    through domain policies or organizational units?

    Friday, July 9, 2010 8:21 AM
    • "In addition, NONE of the "HOME" versions of any of the operating systems have the capability to join a domain"

    Don't you feel that this phrase contradicts everything that you have written before?

    No, I don't. Simply stated, you CANNOT join a "HOME" version to a domain. Sure, you can use a Home version to access domain resources using domain credentials. However, in many secure or properly administered and controlled installations, we sniff out non-domain members and rogue machines and deny traffic at the switch or by MAC address, and with 3rd party DHCP servers, we deny their ability to get an IP. It depends on what you're trying to accomplish.

    You said: Cannot domain controllers provide security or configuration to workgroup computers
    through domain policies or organizational units?

    No. In order to administer a machine through the domain tools, it must be joined. You can possibly work around it by exporting an ADM file and import it into a local GP on a workstation. Then again, we try not to work around operating system versions that do not work in a domain environment (at the home or in a corporate environment) and simply install the proper OS version that will work.

    You said: Also, this phrase is correct only in conjunction with the phrase "by default" because Home computers can join domain after DC computer's registry editing.

    What registry entries are you referring to on a DC that will allow you to join a Home version to a domain? Post a link explaining this and how to do this, please, so it will benefit everyone reading this thread.

    What I can say is the bits in the Home version OS dictate whether you can join it or not. I wouldn't even begin to understand why you would want to circumvent this feature or functionality. It's against the EULA anyway. It's like altering the programming of your vehicle's ECM to gain additional performance against the manufacturer's recommendations or warranty rules.

    And why would you want to do that? I would hate to look at this discussion as means to circumvent Microsoft's operating systems. 

    Curious, what are you trying to accomplish? Is there a design model you are trying to implement and having difficulty with that we can be of specific assistance?

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, July 9, 2010 3:10 PM
  • Oops, this topic is being deviated.
    I have not the slightest interest in "Home Edition"s,
    except from the pov of understanding how things work.

    • "Post a link explaining this and how to do this, please, so it will benefit everyone reading this thread."

    http://www.tomshardware.com/forum/3034-63-login-domain-windows-home-premium
    and there are many other links on the internet.

    • And why would you want to do that?

    There are many answers:
    1)
    to understand things
    1a)
    preparing now for 70-291
    (or to prepare for 70-291 by understanding things)
    2)
    to work with both AD and a workgroup on the same isolated and resource-restricted (home) Windows XP
    in order to program against/in both workgroup and AD
    (running ADAM - Active Directory Application Mode on Windows XP)
    Friday, July 9, 2010 4:31 PM
  • Oops, this topic is being deviated.
    I have not the slightest interest in "Home Edition"s,
    only from the pov of understanding how things work.

    • "Post a link explaining this and how to do this, please, so it will benefit everyone reading this thread."

    http://www.tomshardware.com/forum/3034-63-login-domain-windows-home-premium
    and there are many other links on the internet.

    • And why would you want to do that?

    There are many answers:
    1)
    to understand things
    1a)
    preparing now for 70-291
    2)
    to work with both AD and a workgroup on the same isolated and resource-restricted (home) Windows XP
    in order to program against them

    1. You should have said so. You came off pretty strong arguing against the Pro versions and were adamant about using the Home editions in a domain environment, so I wasn't sure what your intentions were. We are all here just trying to help everyone with questions, problems or just having discussions about ideas, designs or thoughts. I was just trying to provide information to help you understand the differences between a Workgroup and Domain, based on your original question, as I've already provided links that I was hoping would help you understand the differences.

    You've also asked, "Is my computer a member of domain? or of Workgroup? or both?" By asking that question, I assume you weren't sure. Meinolf replied how to find that out, but from your response, it didn't appear you were satisfied with the answer to that question. Meinolf's response was actually one way to tell on a workstation or member server, by looking at the Computer Properties. A domain admin would know if it is joined or not if they had joined it, or simply looking in ADUC on the domain controller or using the RSAT or ADUC in the adminpak tools.

    1a. I'm happy to hear you are pursuing certification. It's a long, but rewarding road that you will be happy with in the end. There are many resources to study for the exam. You can start with Microsoft's Certification site for 70-291 at: http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-291&locale=en-us#tab1

    The one thing I can recommend is to attend courses to help you prepare for the exams. I'm an MCT and teach these courses. The students find them beneficial and have a high pass rate after attending the courses. They learn about the material, the operating systems, as well as pass the exams, so they get an all around view of everything.

    2. That registry entry does not force a Home version to "join" a domain, rather it changes its NTLM authentication/negotiation settings so it complies with AD security in order to connect to AD resources. That's all. Home versions out of the box are not set up for this for obvious reasons. The NTLM authentication level settings changes can also be done in the computer's Local Sec Policy.

    There are other security settings that can be implemented to thwart Home versions and other rogue OS use in a domain, as I outlined earlier. It depends on the complexity and need of an installation and how much time, effort and money they want to throw at it to accomplish this, depending on their security requirements and LOB (Line of Business).

    If you have any other questions regarding Home, Workgroups, Domains, or the exams, please feel free to ask.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, July 9, 2010 5:08 PM
  • Leaving Home Editions out of any following conversation...
    and inside the context of Windows XP Pro SP3 as a workstation in a Windows 2003 environment.

    Does your reply imply that without joining computers to the domain,
    computers that are members of a workgroup cannot be managed centrally?
    For ex., by a WINS server? LDAP/DNS naming services (servers)?

    As a matter of fact, I was more interested
    (and asked) about the centralized mgmt of users - members of a workgroup (domain),
    than computers.
    Cannot user management be centralized in a workgroup?
    Cannot users of computers not joined to the domain be centrally managed by Domain Controller (Active Directory) management tools,
    remotely and centrally?

    PS
    This is not only theoretical curiosity.
    As a developer, I am frequently given a domain account without access to local machine administration
    and I'd like to know what I am losing/gaining when I log in as local machine administrator
    having the machine as a member of a workgroup...

    I do not have access to production servers, domain (network) administration, etc.
    This is just a ubiquitous situation in big companies.
    For development, I deploy servers and services in a workgroup
    (logging in as machine administrator and having the PC as a member of a workgroup)
    locally, but I still need domain resources.

    Sunday, July 11, 2010 4:09 AM
  • Computers that are not joined cannot be managed centrally. Offering Infrastructure services such as WINS, DNS, etc, through DHCP does not constitute central management, rather it offers centralized and consistent NIC configuration.

    An LDAP service is actually Active Directory. Joining a machine to a domain is joining (or binding) to Active Directory. So a non-joined machine is not part of AD, however if a user on a non-joined machine has access credentials to an LDAP service, whether it be AD, Unix NIS, etc, can access the LDAP service. Joining a machine, however, is much more than that, as previously discussed.

    Users cannot be centrally managed in a workgroup. There is no common denominator to make this happen. Each machine has its own security database (user and group accounts). AD is a common security database of sorts (if you want to look at it that way in your terminology) that can be centrally managed, allowing or denying access to resources, etc. This is not possible with a workgroup. Computers must be joined, and users must be created in AD so the users can logon to the domain using their joined computers. No other way around this.

    As a developer being provided AD access, depending on your level provided, you have access into AD's LDAP services for your tasks. What you are losing or gaining really depends on what you are doing with those credentials or if you have a need to access other resources, such as Exchange, and any other directory enabled application. If you have AD credentials, and they have Exchange running, and your user account they've created for you in AD is mailbox enabled, then you can access your mailbox from your non-joined machine using Outlook, as long as you know all the settings, or simply using OWA via a web browser.

    In any large company security is tight and rightfully so. Anytime the administrators or security department provides access, they try to minimize involvement or the access level in order to protect their own systems. Matter of fact, and it's a known statistic, that a majority of security threats are from within their own user base compared to outside threats. Users with a small amount of knowledge can cause severe damage unknowingly if accidentally provided a higher level of access than required when accessing resources. Therefore when the administrators or security department provide a certain level of access to their resources when a request is made for access, they carefully weigh out the request and what they can provide based on needs and requirements for the user to perform their role or function in the organization.

    I hope that answers your questions, and hopefully may even be beneficial to others reading this thread in the forum.

    Ace

     


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Sunday, July 11, 2010 7:51 AM
  • I do not have the ability to practically stage and verify/answer the following questions,
    which I'd appreciate being answered here.

    Having Windows XP SP3 Pro computers (WXP) in internal network as members of the same workgroup,
    I (am going to) deploy Windows Server 2003 as domain controller in the same local network.

    Is it possible:
    1)
    to join WXP computers to domain leaving them as members of workgroup?
    2)
    Would WXP, without joining domain, be able, (from local machine Administrator session)  
    2a)
    "Run As" programs under identity of domain user?
    2b)
    open secondary logon session under domain user
    (simultaneously with concurrent local user session)? 

    Monday, July 12, 2010 4:06 PM
  • 1. No
    2a. No
    2b. No
     
    Workgroups are next to worthless.
    Create the Domain,...join it.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Monday, July 12, 2010 4:23 PM
  • My home PC with Windows XP Pro SP3 is a member of a workgroup and, as a DHCP client, automatically receives its NIC configuration upon connecting to the ISP, among which is "Connection-specific DNS Suffix:   my_isp_name.local".

    What is it for?

    And ping -a <my received ip>
    gives the name

    <WXPComputerNameI gave>.mshome.net

    What is this suffix mshome.net for and why is it different from "my_isp_name.local"?

    Monday, July 12, 2010 7:13 PM
  • The DNS Suffix is basically an assumption.  When a machine name is used that is not Fully Qualified,...the DNS Suffix is automatically appended to the name to create a Fully Qualified name (FQDN).  Since no domain exists, the suffix is "false",...the "assumption" is wrong,...and the FQDN created by it, at best, means nothing,...at worst, causes confusion in both humans and machines.

    It is going to get whatever DNS Suffix has been set within the DHCP Scope that it uses.  The DNS Suffix from your ISP's domain means your ISP has configured their DNS Suffix into their DHCP Server (which they should not have done and should have left it blank).  That DNS Suffix is meaningless to you, and it does nothing useful.

    You should be using a NAT Device (Linksys, D-Link, Netgear, whatever) in your home that isolates your home network from the "outside" and the ISP.  These NAT Devices are really just cheap low-dollar "firewalls".  Then you use the DHCP from the NAT Device and not the ISP.  The NAT Device will use the ISP's DHCP only for itself on the external side and it has no bearing on the LAN.

    If you create a Domain (and hence a Domain Controller) then you will also run the DHCP Service on the Domain Controller (and *disable* DHCP on the NAT Device) so that you have an Active Directory "aware" DHCP Service.  Then your DNS and *only* DNS,..will be the DNS Service running on the Domain Controller.   Then the Domain Controller (aka DNS Server) will either use the ISP's DNS Server as a Forwarder or it can be left to default to using "Root Hints".   All machines on the LAN will need to use the Domain Controller for DNS and not anything else.  You can configure the DNS Suffix on the Domain's DNS Server, but it is not really needed,...the machines will already "know who they are" regardless.   At this point the workgroup will just completely "not exist" anymore.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Monday, July 12, 2010 8:16 PM
  • An LDAP service is actually Active Directory.

    Might be; AD is LDAP, but LDAP is not always AD?

    So a non-joined machine is not part of AD

    Well, non-joined-to-domain machines cannot be part of a domain.
    But AD can exist without a domain
    (for ex., through ADAM).
    And non-joined-to-domain computers can be part of AD.

    AD is a common security database
    Well, it is correct only for the domain AD database.

    And what about UNIX machines?
    Tuesday, July 13, 2010 2:42 PM
  • AD is one LDAP product available on the market. There are others, such as Novell's NDS and Unix's NIS.

    For a little background to help understand the differences, LDAP is an industry standard protocol to search objects in an X.500 Directory Service, which is comprised of X.400 entries. An X.500 Directory Service assumes any object part of the "tree" will be trusted. Originally proposed in 1984 by the IETF, the X.500 service would be searched by DAP (Dir Access Protocol), however DAP looked up all aspects of an object. Later in 1985 it was updated to use LDAP, which is Lightweight Directory Access Protocol, that allows searching a subset of attributes, and once found, one can find the rest of the attributes of the object.

    The first company to use the new X.500 Directory Service with LDAP was Banyan Vines. Their product was called StreetTalk. Others came out with their own versions, such as Sun, Novell, Microsoft, etc. The common goal was that whoever offered an LDAP based product, it was searchable by a common protocol, LDAP, no matter who the vendor.

    A non-joined machine is not part of AD but can still access resources on a limited basis as long as one has appropriate credentials.

    As for Unix machines, including Linux and Mac OSx (since they are Unix based), they can be "binded" to AD. The bind process is similar to joining a Windows machine to AD. It will participate with Kerberos authentication and trust channels.

    I hope that helped and answered your questions.

    Ace

     


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Tuesday, July 13, 2010 3:25 PM
  • I hope that helped and answered your questions.

    Which of my questions were you answering?

    I was interested in clarifying the issue of flexible workgroup computer management (from client workstations) and you are continuously deviating all my questions to one-way rigid domain management
    to which owners of client machines do not have any access.

    Rigid one-way centralized management simply does not make any sense in many situations in environments with a huge number of computers.

    For ex., 
    1)
    my ISP provides internet connections to hundreds of thousands of home computers.

    Do their owners want their computers and accounts  to be managed, i.e. restricted by ISP domain group policies, etc., etc. to which they do not have any access?
    No!
    It is the other way around!

    Many clients form independent communities grouped by houses, condominiums, communities or regions and need to form a part of the global ISP environment as well as flexibly administer their own "workgroups".
    In other words, there is a need for multiple management hierarchies, from some angles centralized, from others - decentralized.

    2)  
    Developers need to fully and flexibly administer their development environments without centrally induced restrictions to which they do not have any access while using domain policies.

    Tuesday, July 13, 2010 7:21 PM
  • I hope that helped and answered your questions.

    Which of my questions were you answering?

    I was interested in clarifying the issue of decentralized workgroup computer management (from client workstations) and you are continuously deviating all my questions to domain management
    to which owners of client machines do not have any access.

    Centralized management simply does not make any sense in many situations in environments with a huge number of computers.

    For ex., 
    1)
    my ISP provides internet connections to hundreds of thousands of home computers.

    Do their owners want their computers and accounts  to be managed, i.e. restricted by ISP domain group policies, etc., etc. to which they do not have any access?
    No!
    It is the other way around!

    2)  
    Developers need to fully and flexibly administer their development environments without centrally induced restrictions to which they do not have any access while using domain policies.


    Hi vgv8,

    I honestly thought I answered your questions regarding the differences between domain and workgroup machines including their limitations, options, etc, through discussion, explanations, and examples.

    As for your latest questions:

    1)
    my ISP provides internet connections to hundreds of thousands of home computers.

    Do their owners want their computers and accounts  to be managed, i.e. restricted by ISP domain group policies, etc., etc. to which they do not have any access?
    No!
    It is the other way around!

    That's correct, and neither would I. ISPs manage traffic and content (web based, protocol based, or app service based, such as possibly restricting torrent and P2P traffic, etc) to their customers, as much as some customers have complained to the FCC about this. This type of management is much different than domain management and not related whatsoever to the difference between domains and workgroups. I mean you can also have services in place in a corporate environment that restrict this kind of service, too. Domain management includes security policies regarding account logon, attempts at logon, logon restriction times, access to resources (such as shares, servers, printers, etc), authentication protocols (NTLM, NTLMv2, Kerberos, etc), centralized Windows firewall settings, logon scripts to control what's being mapped or other factors, etc. As a matter of fact, with GPOs, you can manage domain machines and user account specifics with over 800 to 1000 different settings, the number of which is dictated by the version of the operating system AD is running on.

    So as you see, there are quite a few differences.

    2)  
    Developers need to fully and flexibly administer their development environments without centrally induced restrictions to which they do not have any access while using domain policies.

    I can understand that totally. I've heard that complaint numerous times in large corporate environments. I've seen many environments where the developers are restricted in what they can do. The reason behind it is corporate network security policies. Many companies, depending on their LOB, may have local, government or other restrictions and guidelines they must follow and adhere to, or otherwise face penalties. Therefore they simply restrict what anyone can do, including the dev team, much to their dismay. They may provide you full control of the local machine, or simply allow you to develop on your own either member server (joined to the domain with possible restrictions), or stand-alone servers that have no domain policy restrictions, but still may have internet traffic restrictions.

    I hope I was able to provide you the answers you were looking for.

    Ace 


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Tuesday, July 13, 2010 7:50 PM
  • For point 1
    Well this doesn't really apply to the discussion at hand. ISP customers using privately owned machines within private residences cannot be compared to business users (including developers) using company-owned equipment on a company-owned LAN on company-owned property.
     
    For point 2
    A properly designed Domain system in a properly designed corporate structure will not infringe on developers and will at the same time protect the business and their equipment from things that the developers do (whether accidental or malicious). Creating a development "sandbox" does not justify or encourage the desire for a Workgroup nor does it negate or discourage the desire or need for a Domain. In addition, an application developed in a Workgroup may often fail in a Domain,...I have seen over and over and over through the years I've been doing this where applications are developed only from the "user's perspective" that function horribly in a real-life business environment using a Domain.  This may be because the developer did not develop within a Domain environment,...or has no idea how Domains function and what they require,...or perhaps was just negligent and did not care to consider it.
     
    As soon as I see an App require "mapped drive letters" and Local Administrator Privileges to function properly on the LAN the Red Flags start waving.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Rigid one-way centralized management simply does not make any sense in many situations in environments with a huge number of computers.

    For ex., 
    1)
    my ISP provides internet connections to hundreds of thousands of home computers.

    Do their owners want their computers and accounts  to be managed, i.e. restricted by ISP domain group policies, etc., etc. to which they do not have any access?
    No!
    It is the other way around!

    Many clients form independent communities grouped by houses, condominiums, communities or regions and need to form a part of the global ISP environment as well as flexibly administer their own "workgroups".
    In other words, there is a need for multiple management hierarchies, from some angles centralized, from others - decentralized.

    2)  
    Developers need to fully and flexibly administer their development environments without centrally induced restrictions to which they do not have any access while using domain policies.

    Tuesday, July 13, 2010 9:42 PM
    Considering the necessity to locally manage a computer, which is possible only 
    under the local machine administrator account, and having no access to domain administration, 
    what are the options to combine a local machine administrator with a domain user?

    Is it possible to join a computer to a domain while logged in as local administrator (and preserving full control over the machine)?
    to add a domain user to the local administrators group?
    to start a secondary logon as local administrator (or runas programs as local administrator) while logged in as (from) a domain user session?

    Wednesday, July 14, 2010 8:50 PM
    Logging in as the Local Administrator gives you full control over that particular individual machine.  It does not matter if it is on a Domain or not, although some Machine Level Group Policies may still take effect, but any "User Level" configurations in the Group Policy would probably be ignored.
     
    To join a machine, log in with a Domain Level Administrator Privileged Account (doesn't have to be the Default Built-in Administrator Account).  This is required because changes occur on the Domain itself during the "join" and a local account is not recognized by the Domain and hence those changes cannot happen properly.  After a machine is joined,...the local accounts (including the administrator account) still exist and can still be used to operate the machine just as it was when it was in the workgroup, but there is no real solid benefit in doing so that I can think of.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
     
    "vgv8" wrote in message news:e37334f8-ee58-477a-8f56-b4581d4d30ab...

    Considering the necessity to locally manage a computer, which is possible only 
    under the local machine administrator account, and having no access to domain administration, 
    what are the options to combine a local machine administrator with a domain user?

    Is it possible to join a computer to a domain while logged in as local administrator (and preserving full control over the machine)?
    to add a domain user to the local administrators group?
    to start a secondary logon as local administrator (or runas programs as local administrator) while logged in as (from) a domain user session?

    Wednesday, July 14, 2010 9:50 PM
    Considering the necessity to locally manage a computer, which is possible only 
    under the local machine administrator account, and having no access to domain administration, 
    what are the options to combine a local machine administrator with a domain user?

    Is it possible to join a computer to a domain while logged in as local administrator (and preserving full control over the machine)?
    to add a domain user to the local administrators group?
    to start a secondary logon as local administrator (or runas programs as local administrator) while logged in as (from) a domain user session?


    In addition to, and to complement Phillip's responses:

    What are the options to combine a local machine administrator with a domain user?

    The Domain Administrator, or a Domain User that has the ability (rights) to the local machine, can add a non-Domain Admin (a plain-Jane Domain User) account to the Local Administrators Group of the machine. This will provide the Domain User account full control of the local machine when they log on using their Domain User account. This will give them the same ability to perform tasks on the local machine just as if the local administrator account were logged in. However, it still does not give them any administrative ability in the domain.

    Is it possible to join a computer to a domain while logged in as local administrator (and preserving full control over the machine)?

    Understanding your question, I believe you are asking if you can join a machine to the domain using the local administrator account. The answer to that is no. However, when you join a machine to the domain, it will prompt you for the Domain Administrator account's credentials or a Domain Non-Admin Account that has been granted the ability by the Domain Administrator to join machines to a domain.

    to add a domain user to the local administrators group?

    This ability can only be performed by someone with Domain Administrative permissions and rights to the local machine. It doesn't have to be the Domain Admin. It can be a Domain User Account that has been granted the ability to perform this action by the Domain Admin (such as when the Domain Admin has already added the Domain User account to the local Administrators Group). FYI, the Domain Administrator can also configure a GPO (Group Policy Object) so specific Domain User accounts can be automatically added to the Local Administrators group of a machine. This is the Restricted Groups setting in a GPO.

    to start a secondary logon as local administrator (or runas programs as local administrator) while logged in as (from) a domain user session?

    Anyone can actually opt to use the RunAs feature; however, the user attempting to use this feature must provide either local administrative credentials, Domain Administrator credentials, or the credentials of a Domain User that has been added to the Local Administrators Group.

    I hope I understood your questions and was able to answer them.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Wednesday, July 14, 2010 11:19 PM
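    An added PowerShell example, not from this thread or its posters, that audits the local Administrators group the reply above describes: it lists every member through the ADSI WinNT provider and tells local accounts apart from domain accounts, so you can verify which domain users currently hold local admin on a joined machine. The computer name defaults to the local machine; the optional DOMAIN\user value is a placeholder that must be supplied by whoever runs it, and running it requires an elevated prompt.

    ```powershell
    # Added example (not from the thread): audit the local Administrators group and
    # classify members as Local or Domain. Uses the ADSI WinNT provider, which is
    # available on old and new Windows versions without extra modules.
    # Assumptions: run from an elevated PowerShell prompt; $AddDomainUser, if given,
    # is a placeholder "DOMAIN\user" chosen by the operator.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$AddDomainUser   # optional, e.g. "CONTOSO\devuser" (placeholder)
    )

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    function Get-AdminMembers {
        # Invoke("Members") returns COM objects; read each one's ADsPath, e.g.
        #   WinNT://CONTOSO/jdoe              -> domain account
        #   WinNT://CONTOSO/PC01/Administrator -> local account on a joined machine
        #   WinNT://PC01/Administrator        -> local account on a workgroup machine
        $group.Invoke("Members") | ForEach-Object {
            $path  = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
            $parts = ($path -replace "^WinNT://", "") -split "/"
            $owner = $parts[-2]   # the container right before the account name
            [pscustomobject]@{
                Member = $parts[-1]
                Source = $owner
                Scope  = if ($owner -ieq $ComputerName) { "Local" } else { "Domain" }
            }
        }
    }

    if ($AddDomainUser) {
        # Membership is a property of this machine only: it grants the domain user
        # local admin here and nothing in the domain, exactly as the reply states.
        $domain, $user = $AddDomainUser -split "\\", 2
        $group.Add("WinNT://$domain/$user,user")
    }

    # Review the result; any unexpected Domain-scope entry is worth investigating,
    # since each one has the same local power as the built-in Administrator.
    Get-AdminMembers | Sort-Object Scope, Member | Format-Table -AutoSize
    ```

    The same list is what `net localgroup Administrators` prints; the script only adds the local-versus-domain classification.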
  • The Domain Administrator , or a Domain User that has the ability (rights) to the local machine


    I could not understand how somebody else has the rights to my local (non-joined to domain) machine account?
    I believed that domain administrators cannot log in as local administrators even to joined-to-domain Windows XP Pro machines(?)

    I am asking about the situation when a person as Local Administrator is logging in to a non-joined-to-domain machine (part of a workgroup) and as a domain user to the machine joined to a domain.

    Maybe I am asking stupid things but there is absolutely no point in answering (reformulated, re-interpreted, distorted or misunderstood) questions I had never asked. 

    Thursday, July 15, 2010 9:49 AM
  • The Domain Administrator , or a Domain User that has the ability (rights) to the local machine


    I could not understand how somebody else has the rights to my local (non-joined to domain) machine account?
    I believed that domain administrators cannot log in as local administrators even to joined-to-domain Windows XP Pro machines(?)

    I am asking about the situation when a person as Local Administrator is logging in to a non-joined-to-domain machine (part of a workgroup) and as a domain user to the machine joined to a domain.

    Maybe I am asking stupid things but there is absolutely no point in answering (reformulated, re-interpreted, distorted or misunderstood) questions I had never asked. 


    Sorry I misunderstood your questions in your last post. My replies were in the context of administering a joined machine.  So no, a domain admin cannot administer a non-joined machine unless he/she were to know the local admin password.

    No, your questions are not stupid. They are questions from someone trying to learn. I tried to directly reply to each of your questions in each of your posts. Since some of your questions were multifaceted, they required additional background to properly respond and explain.  Some of the questions asked may also have multiple scenarios, which I also tried my best to address. The answers were not meant to confuse anyone.


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    • Edited by Ace Fekay [MCT] Thursday, July 15, 2010 12:27 PM first sentence's syntax.
    Thursday, July 15, 2010 12:26 PM

    I could not understand how somebody else has the rights to my local (non-joined to domain) machine account?
    I believed that domain administrators cannot log in as local administrators even to joined-to-domain Windows XP Pro machines(?)
     
    Nobody...ever...claimed...that.   Nobody ever directly and interactively "accesses" a "machine account" anyway,...the statement does not even make sense.


    I am asking about the situation when a person as Local Administrator is logging in to a non-joined-to-domain machine (part of a workgroup) and as a domain user to the machine joined to a domain.

    That is not possible,...and does not even make sense as a statement.   There is no "AND" between the two parts.  You cannot log into anything anywhere with two different accounts at the same time for any reason using any method (workgroup -vs- domain is irrelevant).
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Thursday, July 15, 2010 2:01 PM
     I am asking about the situation when a person as Local Administrator is logging in to a non-joined-to-domain machine (part of a workgroup) and as a domain user to the machine joined to a domain. 

    I could not imagine that someone could have possibly understood my phrase so literally, because I meant local interactive logging into the machine (Windows XP) as the process of booting into the machine.
    Nobody boots into the same Windows XP simultaneously with two (or more) accounts.

    Sorry, it should have been OR instead of and.

    Even more, at my last employment I was forced to simply format a disk and re-install Windows from scratch from my own private Windows setup DVD. The company's (employer's) DVD was written with choices for Windows setup that simply did not permit installing Windows with full administrator access to the local machine in any way, low-level hacking or their high-level use of menus; the setup files were already hard-coded with dependencies on the corporate domain and restrictions.

    Again
    The situation is about the same physical machine but having multi-boot (multiple) Windows XP Pro and multiple virtual machines (inside one Windows XP, or many). The local administrator boots into one Windows XP. The domain user boots into another. Though both may run concurrently as virtual machines on the same physical hardware (or on different machines, since I had both the laptop and the desktop, and access to computers of my colleagues with the same necessities).

    Though, the main (default) situation is that resources are poor and I needed to either boot in as local administrator OR as domain user.
    And this was the main inconvenience.

    I believe that the necessity of multiple concurrent contexts is not rare.
    But the engagement of the domain approach for small semi-independent units (dependent from some angles and objectives and independent from others) inside a big corporate domain environment is expensive and plainly inconvenient.
       

    Thursday, July 15, 2010 6:18 PM
    It would not be hard for you to imagine that if you had spent the time here we have and dealt with all the odd things we have dealt with.  We have learned to take what is written literally because that is all you can do no matter how odd it might seem.  If someone says "and",...we take it as "and", and no matter how odd a story seemed if taken literally, the "literal" is still most often exactly the truth of what happened because of all the weird things that people actually really do.   Then combine that with the fact that a huge number of posters don't use English as their first language in their day to day lives,...the literal is all we can do,...because guessing at what they "might have meant" by what they "didn't-quite-say" only makes it worse.
     
    Anyway,..my time here is free to you, but it isn't free to me,...I've spent enough time on this thread and it isn't really going anywhere,...so I have to move on to other things.  Of course feel free to chat as long as you want with the others in the thread.

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
     
    "vgv8" wrote in message news:81784ecd-23a8-47b8-97d6-9785031535d5...
     I am asking about the situation when a person as Local Administrator is logging in to a non-joined-to-domain machine (part of a workgroup) and as a domain user to the machine joined to a domain. 

    I could not imagine that someone could have possibly understood my phrase so literally, because I meant local interactive logging into the machine (Windows XP) as the process of booting into the machine.
    Nobody boots into the same Windows XP simultaneously with two (or more) accounts.

    Sorry, it should have been OR instead of and.

    Thursday, July 15, 2010 8:36 PM
  • Errata:
    It was neither AND nor OR,
    I should have used XOR (exclusive OR).

    I deeply regret my senseless wording slips that were the only feed and interest to maintain any discussion in this topic 

    Friday, July 16, 2010 5:58 AM
  • I moved to discuss the same issues to
    "Confused over file access" continued

    Tuesday, July 27, 2010 9:14 AM