Drive map to native 2003 domain without domain registration


Niels

Hello everyone,

I had a little discussion with a Cisco Tech at the office. The
discussion was about the following issue.

I said that it's, just as in a *native* Win2000 domain with the allow
Anonymous registry setting disabled, not possible to use network
shares or the Exchange server from a native Win2003 domain if your PC is
not registered to the domain.
It is possible in a mixed environment, but when you switch to native the
door is closed.

However he said there is some sort of computer certificate that makes it
possible for non domain members to enter the domain. This would, of
course, be handy for VPN home workers. However it would also bring a
security issue with it.

Anyway, is there someone who can confirm one of the two stories and
perhaps point me to some online documentation of it?

Thanks in advance,

Niels
 
Niels said:
Hello everyone,

I had a little discussion with a Cisco Tech at the office. The
discussion was about the following issue.

I said that it's, just as in a *native* Win2000 domain with the allow
Anonymous registry setting disabled, not possible to use network
shares or the Exchange server from a native Win2003 domain if your PC is
not registered to the domain.

It is possible in a mixed environment, but when you switch to native the
door is closed.

However he said there is some sort of computer certificate that makes it
possible for non domain members to enter the domain. This would, of
course, be handy for VPN home workers. However it would also bring a
security issue with it.

Anyway, is there someone who can confirm one of the two stories and
perhaps point me to some online documentation of it?

Thanks in advance,

Niels

Access to network shares is not governed by the domain/
workgroup model. It is governed by having suitable credentials.
If you log on to a workgroup PC under an account/password
that is also defined on the domain controller then you will be
granted access to network resources on the domain controller.
You can easily verify this yourself! Even better: You can log on
to a workgroup PC under any account and issue this command:

net use Q: \\YourServer\YourShare /user:Domain\AccountName Password

Again you should try it for yourself!
 
Pegasus said:
Access to network shares is not governed by the domain/
workgroup model. It is governed by having suitable credentials.
If you log on to a workgroup PC under an account/password
that is also defined on the domain controller then you will be
granted access to network resources on the domain controller.
You can easily verify this yourself! Even better: You can log on
to a workgroup PC under any account and issue this command:

net use Q: \\YourServer\YourShare /user:Domain\AccountName Password

Again you should try it for yourself!

Thank you for your answer Pegasus. I am familiar with net use. I am
using it right now to map my drives within the VPN. I, however, thought
the Allow Anonymous tag (in combination with a native Win2K(3) domain)
disabled the option to connect to a domain server of which you are not a
member. And so my VPN drive map would not work anymore when we switched
from our mixed W2K domain to a native W2K(3) domain, with allow
anonymous, as long as my home PC is not a domain member.

Here we have a mixed environment because of some 20th century apps
that will not work on anything higher than Win98. With these systems
removed, there is nothing against making the domain native.
But... I guess I am wrong about the extra security it brings and so the
extra solutions we have to think of.

If I read your comments correctly you are telling me there is no extra
protection, by default and without firewalling, than credentials.

I got my W2K server and workstation cert. 6 years ago, and was/am
strongly convinced that the native domain and allow anonymous bring
more security on the point which I started this thread with. As I am no
sysadmin anymore, I guess my knowledge is a little outdated then..
Perhaps I should bother the Admins for a sec.

Thanx again,

Niels
 