Domain and Workgroup problem

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am consulting on a network that originally was setup as an active directory
domain. The person who administered it added a workgroup. Users are using two
logons--both as administrator (not as AN administrator but as THE
administrator). When they are logged as as the administrator they have access
to the domain. When I look at the setup you see the domain and the workgroup
on the same level. When you try to access the domain server and data from a
workstation that logs on to the domain with other than administrator, the
message is "the server is not accessable. the list of servers for this
workgroup is not
currently available". I have tried adding a user and a workstation. Both show
up in Active directory. I get one logon. I have even added the new user
directly to the security on a network folder rather than in a group. Still
the same. When you look at the Entire Network you see both the domain name
and the workgroup at equal levels (the workgroup is not part of the domain?).
Any idea of how to get it so you can log on with one logon, as individuals
and access the
network and ditch the workgroup? TIA for any help.

Sue
 
Not sure I really followed most of this, but:

1. If the workstation is joined to the domain; and you are logging onto the
domain (Not the Local Machine); then the domain user account you use to
logon should have whatever rights to shared folders are provided through a
combination of Share and NTFS permissions. Check to make sure that the user
account is not a member of any groups for which permissions to the Share are
specifically denied.

2. On the machine providing shared resources, go to Administrative
Tools/Local Security Policy/Local Policies/User Rights Assignment. Make
sure that the user is either listed or a member of a group which has the
Access this computer from the network right. Make sure that the user is not
listed or a member of a group which has the Deny access to this computer
from the network right. Also, check Group Policy to see if contrary
settings are being applied.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
1. The only reason a workgroup exists is because there are machines not
joined to the domain. Make sure they are all joined to the domain and the
workgroup no longer exists.

2. All users should log in with domain credentials

3. The individual machines should *not* have *any* local user accounts
beyond the built in Local Administrator. If users have their own accounts
on the local machines they almost always use the same password they do on
the domain,..which means I could grab the Hashes off the local machines and
crack them and would have many of the passwords on the domain. This is
particularly dangerous with latops that can easily be stolen.

4. If the users require admin level access to their local machines,...then
add their Domain Account to the Local Administrators Group on the local
machine. Do not create local accounts for them. Do not give them any
passwords to any domain level administrator accounts.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
 
Sounds like the users are logging into their local machines. Are the
machines joined to the domain? The workgroup is probably set up with the
local stations administrator account having the same password as the domain
administrator account - 'cause that's the only way they could figure out how
to make it work. The local user accounts don't exist at the domain level, so
they are refused. The proper way to do this is to join the computers to the
domain, create domain accounts for the users, have the users log into the
domain. If they need local administrator priveleges, you can make their
domain user accounts local (not domain) administrators so they can install
software, spyware, viruses, etc on their computers (no, I'm not bitter, just
realistic :-)). After creating their user accounts in the domain and logging
them on once at their workstations, you can use the profile copy feature of
Windows 2000 and XP to get their old desktops, documents, etc back to the
way it was. Most users don't even know anything changed.

....kurt
 
Back
Top