Re: administrating workgroup from domain

From: Mtek (jimlily2001_at_yahoo.com)
Date: 10/03/04 

Date: Sun, 3 Oct 2004 14:27:02 -0700

thanks! I head back in on Tues. will give it a shot after I put out the fires
that have started burning while I was gone. I will let you know how I do.

"Richard G. Harper" wrote:

> I think you've got it. Let's pick on poor Bob as an example.
>
> You have a domain account named "Bob". Bob is a normal domain user and has
> no domain administrator rights. If you go to the Workgroup computer he
> wants to connect to over the network and use the Local User Manager
> (lusrmgr.msc) to add Bob's name and password to the Administrator group on
> the local machine, he will be able to connect to it remotely and have
> Administrator rights on the Workgroup PC, but still will have no Domain
> rights other than Domain User.
>
> --
> Richard G. Harper [MVP Win9x] rgharper@email.com
> * PLEASE post all messages and replies in the newsgroups
> * for the benefit of all. Private mail is usually not replied to.
> * My website, such as it is ... http://rgharper.mvps.org/
> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
>
>
> "Mtek" <jimlily2001@yahoo.com> wrote in message
> news:1CEE3F1D-A332-47F5-92DA-B625390960AC@microsoft.com...
> > Hmm. I may be dense, if I understand what you are saying.
> >
> > I could create an local account on my domain machine with no additional
> > rights buy regular users.
> >
> > Then create an local account on the workgroup machine with admin rights
> > with
> > the same local logon name as the domain machine.
> >
> > I could then log in locally on the domain machine connect to the workgroup
> > machine and have local administrative rights on the workgroup machine but
> > not
> > any domain rights.
> >
> > Or otherwords the workgroup machine cannot access any domain assets. Which
> > is what I want anyway.
> >
> > I do not have to change any local security settings to get complete local
> > access, and the workgroup is still isolated from the domain.
> > ?
> >
> >
> > "Richard G. Harper" wrote:
> >
> >> It doesn't work that way. You can connect to a workgroup PC with an
> >> account
> >> that is an administrator on that computer and get administrator access,
> >> but
> >> just because both accounts are administrators in their separate security
> >> spaces doesn't mean that rights transfer from one to the other.
> >>
> >> --
> >> Richard G. Harper [MVP Win9x] rgharper@email.com
> >> * PLEASE post all messages and replies in the newsgroups
> >> * for the benefit of all. Private mail is usually not replied to.
> >> * My website, such as it is ... http://rgharper.mvps.org/
> >> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> >>
> >>
> >> "Mtek" <jimlily2001@yahoo.com> wrote in message
> >> news:9C008DEA-A321-437A-92E8-DAEB29F75E66@microsoft.com...
> >> >I am not work this work this week so I can't try this. But seeing as I
> >> >have
> >> > an local admin account on the workgroup machine and a local admin
> >> > account
> >> > on
> >> > the domain machine, shouldn't I be able to log in locallally on the
> >> > domain
> >> > machine then administrer the workgroup machine?
> >> >
> >> > "Richard G. Harper" wrote:
> >> >
> >> >> An administrator on a remote PC may not be an administrator on the
> >> >> local
> >> >> PC.
> >> >> The account names, passwords and rights must match between all clients
> >> >> for
> >> >> the same rights to be granted on the client computer.
> >> >>
> >> >> --
> >> >> Richard G. Harper [MVP Win9x] rgharper@email.com
> >> >> * PLEASE post all messages and replies in the newsgroups
> >> >> * for the benefit of all. Private mail is usually not replied to.
> >> >> * My website, such as it is ... http://rgharper.mvps.org/
> >> >> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> >> >>
> >> >>
> >> >> "Mtek" <jimlily2001@yahoo.com> wrote in message
> >> >> news:E599F916-48DC-4DF7-AA11-5DBDE429D975@microsoft.com...
> >> >> > Shouldn't there be some way of validating an administrator on the
> >> >> > remote
> >> >> > machine locally?
> >> >> >
> >> >> > "Richard G. Harper" wrote:
> >> >> >
> >> >> >> You can't. The reason you can administer a domain is because the
> >> >> >> security
> >> >> >> settings are centrally held. On a workgroup each workstation keeps
> >> >> >> its
> >> >> >> own
> >> >> >> security settings.
> >> >> >>
> >> >> >> --
> >> >> >> Richard G. Harper [MVP Win9x] rgharper@email.com
> >> >> >> * PLEASE post all messages and replies in the newsgroups
> >> >> >> * for the benefit of all. Private mail is usually not replied to.
> >> >> >> * My website, such as it is ... http://rgharper.mvps.org/
> >> >> >> * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
> >> >> >>
> >> >> >>
> >> >> >> "Mtek" <jimlily2001@yahoo.com> wrote in message
> >> >> >> news:A16B3922-0C13-4851-B53B-BCED601DDE4C@microsoft.com...
> >> >> >> > How can I set up a workgroup on our network that I can
> >> >> >> > administer(remote)
> >> >> >> > from my admin domain workstation?
> >> >> >> >
> >> >> >> > I would like to be able to have admin access as I do in the
> >> >> >> > domain.
> >> >> >> > But
> >> >> >> > still leave the workgroup/user not able to share/use domain
> >> >> >> > resources.
> >> >> >> >
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

Relevant Pages

  • Re: Problem with security permissions in sharepoint portal server 2003
    ... John @ X wrote: ... > 2003 Server) called WORKGROUP and this is in the DOMAIN.DOM in my intranet. ... > designer rights if the USER1 has to access the sharepoint site. ...
    (microsoft.public.sharepoint.portalserver.development)
  • Re: Should a user be able to unjoin from domain?
    ... his laptop from the domain and put into his own workgroup. ... and password for someone with domain admin security group membership? ... they have those rights for, and can do whatever they like with it. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Integrated Security in a Workgroup?
    ... workgroup users, where the only thing that changed was the name of the ... I've done similar sorts of things with accounts ... This posting is provided "AS IS" with no warranties, and confers no rights. ... "Bill Cohagan" wrote in message ...
    (microsoft.public.sqlserver.security)
  • Re: security hole? any user can add a computer to the domain??
    ... this is the default in win2000 domains - you should tweak the domain policy ... This posting is provided "AS IS" with no warranties, and confers no rights. ... > to our domain name but keeping it a workgroup. ...
    (microsoft.public.windowsxp.security_admin)
  • Ask EU: Windows XP problem
    ... insufficent rights to do so. ... rights but did install. ... The account she is using has full administrator rights. ... by starting in safe mode and doing a bit of command line ...
    (uk.media.radio.archers)