Local users required in domain environment?

nevets2001uk

IS-IT--Management
Jun 26, 2002
Even as I type this it feels like a stupid question and something I should know but I can't seem to get it to 'click' in my mind at the moment.

We are shortly going to build an AD domain from scratch to replace an older Netware environment. Currently we use XP on the desktops and have a local user on each machine.

Once we move to AD we presumably don't need a local account for each user as when they login to their domain account a domain profile will be created on the local machine. Correct?

If the above is correct, would normal practice be to remove the local user accounts and use File and Settings Transfer to copy the profile settings etc.? For new PCs would you just install the PC without a user and then let the user log in to the domain?

Finally during the XP install it basically forces you to create a local user account besides the administrator. Is there a way around this?

Steve G (MCSE / MCSA:Messaging)
 
You are correct in all your assumptions.

Don't think there's a way around the user issue...just delete them after you've setup the machine.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Thanks.

Just another thought. That will work fine for fixed workstations. We have a number of laptop users, some of which are out for weeks at a time without logging into the domain. How do others handle this situation? I know that without being connected they can log in with cached credentials, but how long do those last?

Steve G (MCSE / MCSA:Messaging)
 
Forever.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
The only thing I'd add to Davetoo is that you'll probably want to remove all the local users except Administrator. Just change the password so no user knows it, but you'll need it if something happens to the domain login. What we do for our users is make them a local administrator on their machines with their AD login. Vista and Server 2008 fix a few things so domain users don't need to be an admin to do things like add a printer, whereas in XP you need to be a local admin to add one.

Cached credentials last quite a while; by default, Windows 2003 SP1 I think tombstones users after 60 days of no login. So if a user doesn't log in to the network you'd have to add them back to the domain. But that wouldn't stop them from logging in. The other caveat to that is if you have a password policy, say your passwords are set to expire every 30 days, if the person can't connect to the domain they wouldn't be able to change their password.

It really is all on how you set up your domain and the policies.

Cheers
Rob

The answer is always "PEBKAC!"
 
Thanks. It's starting to make sense now.

As for making the users local admins, I guess this would be done by a policy? We may have an issue doing that since there is a corporate policy preventing it. Presumably they can still access shared printers on a print server and even have them added via a script without local admin rights?

Our password policy would be 90 days I believe, so we should be ok. Just to clarify, if it were 30 days, after the password expires would they no longer even be able to log in to the local PC using the cached credentials?

Steve G (MCSE / MCSA:Messaging)
 
No, if they're not connected to the network they can log on to their PCs forever. There's nothing to prevent this without access to the domain.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Actually Dave, I believe if the password policy is pushed out when they log on to their PC or laptop that policy would carry with the cached credentials. If the password expires it will lock them out of their machine. They'd need to connect back to the network to reset the password.

Had a sales guy traveling who decided he'd wait to change his password till he got back; well, it expired. Had to give him the local admin password to get on, get to VPN, then change his password.

I think you still need to be a local admin to even push out your printers by a script. There might be a way to set up a VBS script to use admin credentials to add the printer, but it's been a long time since I have had to do it.

Cheers
Rob

The answer is always "PEBKAC!"
 
Yes, you are correct. I forgot that I'd set in my AD that a specific group's password never expired to get around our GPO, which is 90 days expiration.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Thanks for all of the help guys. I will use all of it to help with the design and implementation plan. I very much appreciate the input.

Cheers,
Steve

Steve G (MCSE / MCSA:Messaging)
 
Steve,

I'm not sure about scripting, but you are correct that users don't need to be administrators to install shared printers from a server. All our non-IT users are set up as Power Users on the local machines and they can get printers from our print servers and install local printers without a problem. I'm not sure about members of the normal Users group, though. I've never actually been in an environment where there was an account that was only in the local Users group on a machine.
 
Thanks. I'm pretty certain we'll be giving all users Power User rights on the local PC so we should be ok then. Out of interest what is the easiest way to do this? Is it via Group Policy?

Steve G (MCSE / MCSA:Messaging)
 
In 2000 and 2003 pushing out printers isn't available as a policy; you'd have to push them out with a script. I'd suggest Markdmac's VBS scripts, which can be found here; this guy is a VBS genius and I am using his scripts now for my printers. They work perfectly.

In Server 2008 you'll be able to push them out via GPO. But I think we have another few months for that to be released.

Cheers
Rob

The answer is always "PEBKAC!"
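To illustrate the kind of logon script discussed in this post and in Rob's earlier reply (mapping shared printers without embedding admin credentials), here is an added example; it is not from the thread and not one of Markdmac's scripts. It runs under the logged-on user's own token and assumes a print server named PRINTSRV and the group-to-printer mapping shown, both constructed for the example.

```vbscript
' Added example: per-user logon script that maps shared printers by AD group.
' Runs as the user, so no administrator password is stored in the script.
' Assumed (not from the thread): print server PRINTSRV, groups and shares below.
Option Explicit
On Error Resume Next

Dim objNet, objSysInfo, objUser, strGroups, arrMap, parts, i
Set objNet = CreateObject("WScript.Network")
Set objSysInfo = CreateObject("ADSystemInfo")

' Bind to the current user's AD object; fails when not logged on to the domain
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
If Err.Number <> 0 Then WScript.Quit 1

' Pipe-delimited, lower-cased list of the user's direct group DNs.
' GetEx raises an error when memberOf is empty; strGroups then stays "".
strGroups = LCase(Join(objUser.GetEx("memberOf"), "|"))
Err.Clear

' Constructed mapping: group CN | printer share | 1 = make it the default
arrMap = Array( _
    "accounts|\\PRINTSRV\ACC-LJ4|1", _
    "sales|\\PRINTSRV\SALES-MFP|1", _
    "all staff|\\PRINTSRV\LOBBY-COLOUR|0")

For i = 0 To UBound(arrMap)
    parts = Split(arrMap(i), "|")
    ' Match "cn=<group>," at the start of a DN in the memberOf list
    If InStr(strGroups, "cn=" & LCase(parts(0)) & ",") > 0 Then
        objNet.AddWindowsPrinterConnection parts(1)
        If Err.Number = 0 And parts(2) = "1" Then objNet.SetDefaultPrinter parts(1)
        Err.Clear
    End If
Next
```

The script only checks direct group membership (memberOf is not expanded through nested groups), and the connection succeeds for a non-admin user only when the print server is one the workstation trusts for point-and-print driver installation.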
 