Re: "join a domain" or not

On 6 Sep 2005 20:16:54 -0700, "jm" <lotsothings@xxxxxxxxx> wrote:

>Chuck wrote:
>> On 6 Sep 2005 11:35:20 -0700, jmarra@xxxxxxxxx wrote:
>>
>> >I didn't see any posting protocols, so I apologize if I'm bypassing
>> >some rules.
>> >
>> >I am getting ready to set up a XPPro SP2 laptop with remote access to
>> >my company's server (Windows Server 2003). I'm not sure of the best
>> >way to accomplish this, but I do know of 2 options that seem to work
>> >well. I've tested both successfully, however, since I am a user and
>> >not an admin, I am not knowledgeable enough to evaluate the pros and
>> >cons of the two approaches. Can someone help me understand the
>> >trade-offs?
>> >Opt 1) Leave the laptop as a member of a workgroup. Sign-in to machine
>> >with a local account. Use a VPN connection to establish connection to
>> >work.
>> >Opt 2) Change the laptop to be a member of the company domain. Add the
>> >domain user to the laptop. Sign in as this user (even when not
>> >connected directly to company domain). Use a VPN connection to
>> >establish connection to work.
>> >
>> >I've found the following benefits with option 2:
>> >* My login scripts ran from the server and mapped some drives for me
>> >(as opposed to initially mapping the drives manually in option 1). Not
>> >a biggy to me.
>> >* I could walk into work, plug in an ethernet cable, and be directly
>> >connected to the domain without using VPN.
>> >
>> >Other than the above, no differences have really jumped out at me.
>> >From what I've read, it seems like I could be missing out on some
>> >group-policy domain stuff, but this is not used much (if at all) by the
>> >company (for better or worse). It should be noted that this laptop
>> >will rarely connect directly to the network (almost always in a remote
>> >location using VPN). This makes the second benefit above kind of
>> >small.
>> >
>> >I'm inclined to stick with option 1 since it seems to remove a layer of
>> >complexity, and will maybe let me interact with my home network more
>> >easily (if I ever choose to do that). Any insights? Other options I
>> >should be exploring? Reasons for going with option 2?
>> >
>> >Thanks very much.
>>
>> The differences between domain and workgroup membership will vary, according to
>> installation, and to domain (organisational) policy. Since it's a Server 2003
>> domain, I'd bet there are some domain policies which may be relevant to you,
>> even if you don't know about them. Also, what resources do you need to access?
>> Are there local accounts on each server, in addition to domain permissions, to
>> let you access everything as a workgroup member?
>>
>> Generally, when AD is implemented, local server accounts are not provided as
>> granularly as without AD. An AD infrastructure requires a lot of work to
>> develop and to maintain, and most organisations won't spend time on local access
>> maintenance, if they have AD.
>>
>> Have you asked your IT group for recommendations? If they have Server 2003 with
>> Active Directory setup, I'd bet there are various Group Policies in place which
>> make the network safer. It's probably to the benefit of your employer (and to
>> your benefit) to use AD as much as possible.

>Thanks very much for the replies.
>
>In hopes that I'll learn a little more, what if we assume the
>following:
>a) The company/IT department is fine with either option
>b) Expected usage is to simply access files on the server and maybe
>webserver (both of which I tested with originally to ensure that either
>option worked)
>
>All that said, is one option performing the network gymnastics quicker
>than the other option? That is, is logging into the domain and then
>VPN'ing moving traffic faster than a local user VPN'ing?
>
>Thanks again for your thoughts.

Assuming that you can set up a domain or workgroup client, with equivalent
authentication, accessing network resources will probably be the same.

I, personally, would use domain authentication, for convenience if nothing else.
Changing your password in a workgroup setup requires changing it on each client
and server individually. And I believe in changing my password regularly.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.