difference b/t "local" login and logging into a domain


energy4life

IS-IT--Management
Mar 10, 2002
85
US
Users who sign onto "this computer" (local computer where Win2k Pro defaults an administrator and a guest login) can still access network resources (internet, mapped drives, group policy).

This is the same as when they log onto the domain.

I find this potentially confusing because the user's desktop settings (documents, wallpaper, etc) are stored under their profile: either user.domain or user.local.

The only "requirement" per se is for Win2k and WinXP Pro users to have access to their desktops OFF THE NETWORK (need for this is rare).

Is there a precedence I should be following?

 
If they can still access the items as a local login, that means they're getting the same privileges on said share drives, as far as I can tell. We had one person here who could see all the resources and shared drive, and her workgroup was set as the same as what the domain name is. She couldn't access the shares, however, as the computers are almost always logged in on the PDC, and her admin password wasn't one recognized by the computers and share drives on the domain. Our printer is housed on the PDC, so she had zero access to that. If their usernames and logins for local policies are the same as their PDC logins, this is probably what's causing it. Be something worth checking out.
 
Hello,

I have got 1 w2k server no AD, 1 win2000 workstation, 1 win XP PRO laptop and 1 win98 laptop. I have shared folders on the server that win2k and xp can access but the win 98 computer cannot access the shares.

I get the following error:-

you must supply a password to make this connection.

resource \\pdc\ipc$

password =?

When I connected to this share via win xp it asked me for a username and password, which I gave it and it was happy.

When I connect with win98 it only asks for a password and I have tried several but to no avail. I used to have all win98 machines and remember that when I created a share it would ask for a password, but on win2k it doesn't ask for a password when you create a share.

The odd thing is that a win xp or 2k box can connect to the win98 computer.

Any help would be appreciated.

jono


 
You have to create an account on your Win2K server that has the same username that you log on to the Win98 system with. For example, if you log on to the Win98 system with the userid test then you need to create a user called test on the 2k server. Also, if you have both passwords identical you won't even have to enter the password. Hope that helps.
 
Hi friends,
Can someone say a few things about the native mode in wins 2000 server, and what mode you will be in if you are not in the native mode?

Thanks
 
You will be in mixed mode. 2000 comes with two modes, mixed and native. Mixed is when you still have NT domain controllers (DCs) around. When you have upgraded all your DCs to 2000, you can then switch to native mode.
 
Let me try rephrasing - for what reason do users need to log on to "local PC"? I'm trying to determine how probable it is to use Local vs Domain access. Thanks...
 
In a domain environment, there's really no need for users to have local accounts. I really think that local accounts are best for a workgroup environment, except where you want users to log on to a particular workstation to stay productive when the network is down.

MCP 2000
 
The workstation determines which profile to use based on the presence of a security provider, in this case your domain server or the local machine.
For example, you can have Joe Smith (local) and Joe Smith (network); there would be two profiles stored on the workstation. The most noticeable thing would be the desktop, color, icon placement, etc.
From your question I am guessing that each user is also added on the workstation with the same password as on the server. So when users log on, the server doesn't reject them because it finds a matching user and password.

Do you have your users added on each workstation as well as the server? - If so, you will have to decide if you want to delete the local user and just use the one from the server. The machine will work without the presence of a server - you'll get a message like - "loading locally stored profile" when logging on.

Hope this helps


If it ain't broke, it must be off.
-me
 
ciaobaby: Yes, users are added on each workstation as well as the server. This was done unbeknownst to me (corporate IT comes in every blue moon with some ineffective super-imposed set up and other "policy"). Anyhow, these clients are now BACK on the domain, but still have Local Profiles from when they were in a workgroup setup.

My recommendation (is/has been/and after researching a bit - will continue to be) to have only 1 local profile: administrator. Other profiles login on the domain. (server downtime is *rare*).

Thanks a bunch all!
 
Here's some tips on shares that will help. The first helps clamp down on access, the second really opens it up.
1. To make sure only those logged onto the domain can access shared resources, change the everyone group to the domain users group. You can do this with the share permissions or the NTFS permissions. Microsoft recommends being open in the share permissions and using the NTFS permissions to clamp down on access. I recommend changing it in both. By changing everyone to the domain users group, you will only allow those logged into the domain to access the resources. If you have multiple domains, you can specify which domains have access (each domain has its own domain users group, they are not the same SID even though they have the same group name) by adding the domain user groups from other domains.
2. Have you ever wondered what to do with that guest account? Activate it and share a printer and make sure you add the guest account to the share permissions. Now anyone can use that printer (regardless if they are logged onto a domain). This is great if you want to share a printer to anyone on your network. You don't need to set up any accounts for it. Keep in mind that Win2k Pro will only allow 10 connections to the printer. That guest account will also allow access to any resources you give it permissions to in a similar fashion. It works like this. Suppose joe logs onto computer1 (as computer1/joe) and wants to access a share on computer2. Computer2 will look and see if it has an account Computer2/joe and if so, does the password match that on computer1. If not, prompt for the password for computer2/joe. If computer2 doesn't find an account computer2/joe, then it will default to computer2/guest. Is that guest account activated? If so, the share is granted if computer2/guest has rights granted in the share and NTFS.
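
Added example, not part of the thread: a small Python model of the share-access decision the post above describes (matching local account, password match, Guest fallback) and of what changes when Everyone is replaced with Domain Users on the share. The host, domain, accounts, passwords and function names are constructed for illustration; this models the posts' description, not Windows' own code.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    domain: str = ""                       # domain the host is joined to ("" = workgroup)
    local_accounts: dict = field(default_factory=dict)  # user -> password
    guest_enabled: bool = False

def resolve_identity(server, user, password, logon_domain=""):
    """Principal the server maps the session to, or None (password prompt / refusal)."""
    if logon_domain and logon_domain == server.domain:
        # Assumption: the domain controller has already validated this logon.
        return f"{logon_domain}\\{user}"
    if user in server.local_accounts:
        # Same username exists locally: silent access only if the passwords match.
        if server.local_accounts[user] == password:
            return f"{server.name}\\{user}"
        return None
    # No matching account: fall back to Guest, but only if it is activated.
    return f"{server.name}\\Guest" if server.guest_enabled else None

def groups_for(principal, server):
    """Groups the share ACL is evaluated against for this principal."""
    groups = {principal, "Everyone"}       # Everyone also covers local users and Guest
    if server.domain and principal.startswith(server.domain + "\\"):
        groups.add(f"{server.domain}\\Domain Users")
    return groups

def check_access(server, share_acl, user, password, logon_domain=""):
    """Return (principal, allowed) for one connection attempt."""
    principal = resolve_identity(server, user, password, logon_domain)
    if principal is None:
        return None, False
    return principal, bool(groups_for(principal, server) & set(share_acl))

# Constructed sample data: host, accounts and passwords are made up.
COMPUTER2 = Host("COMPUTER2", "CORP", {"joe": "pw-joe"}, guest_enabled=True)
OPEN_ACL = ["Everyone"]
DOMAIN_ACL = ["CORP\\Domain Users"]

if __name__ == "__main__":
    attempts = [("joe", "pw-joe", ""), ("joe", "wrong", ""),
                ("mary", "x", ""), ("alice", "n/a", "CORP")]
    for acl in (OPEN_ACL, DOMAIN_ACL):
        for user, pw, dom in attempts:
            print(acl, user, check_access(COMPUTER2, acl, user, pw, dom))
```

With the Everyone ACL, both the duplicated local account and the Guest fallback get in; with the Domain Users ACL only the domain logon does.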
 