
Authenticate to a domain share from a workgroup computer 2

Oct 7, 2007
I'm trying to recreate the universe after a server meltdown at a client. For some reason, they didn't have their laptops added to the domain.

1. Any reason you can think of why a traveling laptop would NOT be added to the domain while the desktops in the office WERE added?

2. How can I authenticate to a domain share from the laptop WITHOUT joining the domain?

I get this login prompt and can't get past it:

Connecting to 192.168.0.2 (IP address of server) and a login box with the following in it:

LPXPJL2\first.last (where the first item is the computer name and the second is the first and last name of the user on the workgroup computer).

How can I authenticate?? We have created a user for each person in the company. It just doesn't want to accept when I try the following:

\DomainName\user name on domain
password

user name on domain
password
 
To access a share on the domain, use domain\username (get rid of the leading backslash)
 
That doesn't work, even though the user and password have been confirmed on the Domain Controller. I guess it doesn't matter though because I can do a \\ServerName and access the shares without having to authenticate from the Workgroup PC.
Doesn't that seem strange???

I have no idea why they haven't joined these laptops to the domain, yet they still want to have server connectivity for file copying/storage.

Any ideas why NOT to join the domain on the laptops?? Maybe to avoid having any complications due to Cached Domain Login and wanting to work locally when disconnected from the server. I'm wondering if I should join the laptops to the domain just like the desktops or what the reason was that they did not do this.

I'm just so confused by what they were trying to do here and there is no documentation from anyone who worked in IT previously. It's like a black hole.

 
All machines should be domain joined, usually. Among the many reasons why are just the problem you're having. Having machines joined to the domain allows for centralized administration.

The problem is that now, if you join the machine to the domain, it will create a new profile on the machine. You can copy the old profile onto the new one, if you'd like. It's just a few extra steps.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I realize the copying of the profile problem, but I'm just trying to figure out why in the universe they would have not joined those machines to the domain a while ago.

They only have 7 PCs, so management of PCs or Group Policy is not an issue.
 
I meant to ask, is that Cached Domain Logon for disconnected computers RELIABLE enough that they will always be able to login to their laptop when disconnected???

I don't want them to be out in the field and be unable to get to their computer and documents because of a "login failed" or "domain not available".

How many times can you login before it won't let you in or is there not a default limit???
 
Yep, it's reliable; there is no limit AFAIK. The one thing you need to remember is that by default domain-joined machines' passwords are changed automatically every 30 days, so at least once every 30 days the laptop would need to log into the domain to keep the password in sync.

If a machine was 'off' the domain for longer than the 30 days you would have to reset the computer account in AD and/or drop the machine out of the domain and rejoin again.

Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
 
Thanks for that bit of information. I have bitten the bullet and added them all to the domain, migrated profiles, created shares, established permissions and put mappings on the PCs.

When you say "you would have to reset the computer account in AD", what do you mean precisely?? Changing the password or what??

I fear these people might put a laptop in a corner for a while - especially the "floating" laptop.

Is there a way to change that 30 days to a higher number???
 
This will explain it better than I can;


Looks like I gave you a little duff info as well as I read through that article, so apologies for that. The password change is driven by the client and as such does not actually expire; it is the secure channel that would need resetting, and then the machine would be able to log into the domain without any problems and the client would then initiate the password change. This process is not something that is controlled by an administrator in any way; it is an automatic process built into Windows.

Hopefully the article will clear things up for you on this front. If not, post back with any questions.

Paul
VCP4

 
To access a share from a computer not joined to the domain you could run NET USE X: "\\server\share" password /user:domain\username /persistent:yes

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 
Yeah - I'm still confused after reading that. What is the difference between "machine account" and "domain account" in terms of passwords? I have other users at another company with a Server 2003 and PCs on a domain and they never HAVE to change their password and are never prompted.

The reason I care is that I have scheduled tasks set up using domain accounts/passwords on the domain PCs and I don't want the users to HAVE to change their passwords and thus disrupt the scheduled tasks.
 
It is not something that you as a user have to worry about; machine passwords are handled internally by Windows. As an administrator you need to be aware that they exist, but you don't have to get involved in them as, again, it is handled internally by Windows and therefore is an automatic process.

It has nothing to do with user account passwords.

In AD you have user accounts and computer/machine accounts (whatever term you wish to use; I typically use the term machine account). Machine passwords are changed by default every 30 days by an internal Windows process.

I only mentioned this initially so you would be aware of this and what can happen if the machine does not log onto the domain for more than 30 days.





Paul
VCP4

 
Use gpmc or open gpedit.msc, create a new GPO, and go here; you can disable or enable the feature.

Computer Configuration\Windows Settings\Security Settings\Local Settings\Security Options\Domain member: Disable machine account password changes

or set the age limit

Computer Configuration\Windows Settings\Security Settings\Local Settings\Security Options\Domain member: Maximum machine account password age






MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
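
Added example, not part of the original thread: a PowerShell check, run elevated on a domain-joined client, that reads the two registry values backing the "Domain member" policies named above and tests the secure channel to the domain. The function name `Get-MachineAccountAudit` and the 30-day review threshold are assumptions chosen for illustration.

```powershell
# Added example: audit machine-account password settings on a domain-joined PC.
# Get-MachineAccountAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-MachineAccountAudit {
    param([int]$ReviewThresholdDays = 30)   # assumed threshold: the Windows default age

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is a workgroup machine; there is no machine account to audit."
        return
    }

    # Registry values written by the two "Domain member" security options.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p   = Get-ItemProperty -Path $key

    # A missing value means the Windows default applies (changes enabled, 30 days).
    $disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }

    # Returns $true when the machine account can still authenticate to a domain controller.
    # Needs a reachable DC, so run it while the laptop is on the office network or VPN.
    $channelOk = Test-ComputerSecureChannel

    $notes = @()
    if ($disabled -eq 1) {
        $notes += 'Machine password rotation is disabled: a copied machine secret stays valid indefinitely.'
    }
    if ($maxAge -gt $ReviewThresholdDays) {
        $notes += "Maximum machine password age is $maxAge days, above the $ReviewThresholdDays-day review threshold."
    }
    if (-not $channelOk) {
        # Repair needs domain credentials allowed to reset the computer account:
        #   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
        $notes += 'Secure channel is broken: repair it before the laptop leaves the office.'
    }

    [pscustomobject]@{
        Computer              = $cs.Name
        Domain                = $cs.Domain
        DisablePasswordChange = $disabled
        MaximumPasswordAge    = $maxAge
        SecureChannelHealthy  = $channelOk
        Notes                 = $notes -join ' '
    }
}

Get-MachineAccountAudit | Format-List
```

An empty `Notes` field means the client is on default rotation settings and its secure channel is intact.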
 
So, basically, if I do nothing in terms of GP or editing the registry, the actual domain password won't require changing unless my password policy demands it and the machine password won't cause me any issues either.

I just want these people to percolate along with the same password and not HAVE to change it. I know, not good security.
 
Thanks people. This customer has suffered enough with their server failure. Didn't want to hear about them not being able to login to their laptops in a week or two while they are off-site. They would probably lynch me.
 