Re: Logon difference in Workgroup and domain
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 14 Dec 2006 07:15:47 -0500
Q1: This is how LANMAN has worked forever. Prior to the domain concept, the only way to share resources was with a synced userid and password. The chances of synced IDs and passwords should be very low if people are following good security practices.
Q2: A domain administrator has administrator rights across all machines in a domain unless someone has removed the domain administrator group from the administrators group of a specific machine. However, due to features in the OS, the domain admins could always re-add themselves to the administrators group of any machine they are kicked out of that is in the domain. If you have two people on a DC, one is an admin and the other is a domain admin, they effectively have the same power on the DC. But the person who was an admin on a DC wouldn't necessarily have rights on any member machines, though they could take it anytime they wanted simply by adding themselves to the domain admins group.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
yuebing.wu@xxxxxxxxx wrote:
All documents and comments focus on central and discrete administration.
I want to ask about some details.
Q1:
In a workgroup, create two users with the same user name (U) and the
same password separately on two PCs (PC1 and PC2).
Create a shared folder on PC2 and make it accessible only to the
user (U).
User (U) on PC1 can access the shared folder on PC2.
I cannot understand WHY the user on PC1 can access PC2's resource as PC2's
local user.
The two users on different PCs are definitely two users!
The cross-PC access is unreasonable, because if two PCs are
administered by two local admins, there is a probability that the
two admins create users with the same name and password on their PCs; it is
not reasonable to allow their resources to be accessed by a same-named user
on another computer.
Q2:
Local administrator vs. domain administrator
Who has more power?
What is the difference between them when configuring a domain-controlled
COMPUTER or service?
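
An audit for the Q1 situation, added here as an example and not part of the original messages: it lists enabled local account names that exist on more than one machine, which is the precondition for the synced-credential access described above. The function name `Find-SharedLocalAccountName` is hypothetical and the inventory is constructed sample data; on real machines the records could be gathered with `Get-LocalUser`.

```powershell
# Added example: flag local account names that are enabled on more than one machine.
# The inventory below is constructed sample data so the script runs offline.
# On a live machine, equivalent records could come from Get-LocalUser
# (Microsoft.PowerShell.LocalAccounts), one run per computer.

# Constructed inventory: one record per local account per machine.
$inventory = @(
    [pscustomobject]@{ Computer = 'PC1'; Name = 'U';             Enabled = $true  }
    [pscustomobject]@{ Computer = 'PC2'; Name = 'u';             Enabled = $true  }
    [pscustomobject]@{ Computer = 'PC1'; Name = 'Administrator'; Enabled = $false }
    [pscustomobject]@{ Computer = 'PC2'; Name = 'Administrator'; Enabled = $true  }
    [pscustomobject]@{ Computer = 'PC2'; Name = 'backup';        Enabled = $true  }
    [pscustomobject]@{ Computer = 'PC3'; Name = 'Administrator'; Enabled = $true  }
)

function Find-SharedLocalAccountName {
    # Hypothetical helper, not a built-in cmdlet.
    param(
        [Parameter(Mandatory)] [object[]] $Account
    )

    $Account |
        Where-Object { $_.Enabled } |      # a disabled account cannot be used to log on
        Group-Object -Property Name |      # case-insensitive by default, like account names
        Where-Object { @($_.Group.Computer | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Computers = @($_.Group.Computer | Sort-Object -Unique) -join ', '
            }
        }
}

# Each row is an account name whose password should be checked for reuse
# across the listed machines.
Find-SharedLocalAccountName -Account $inventory | Format-Table -AutoSize
```

A matching name alone does not grant access; the passwords must also match, so each reported name is a prompt to confirm the machines use different passwords for it.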