Re: Logon difference in Workgroup and domain



So what is the difference in network access between a local user and a user
in AD?

Herb Martin wrote:
<yuebing.wu@xxxxxxxxx> wrote in message
news:1166090957.307451.210180@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All documents and comments focus on central and discrete administration.
I want to ask about some details.

Q1:
In a workgroup, create two users with the same user name (U) and the
same password separately on two PCs (PC1 and PC2).
Create a shared folder on PC2 and make it accessible only to the
user (U). User (U) on PC1 can access the shared folder on PC2.

I cannot understand WHY the user on PC1 can access PC2's resource as PC2's
local user. The two users on different PCs are definitely two users!

Reason: Simply because Microsoft RIGGED it this way to make
sharing resources easier when the accounts are really different
(as you understand correctly.)

The across-PC access is unreasonable, because if two PCs are
administered by two local admins, there is a probability that the
two admins create users with the same name and password on their PCs,
No, the chances of a password being the same should be virtually
NIL -- if users use even moderately decent passwords.

But to the extent they do not, this is part of the reason that
workgroups are less secure.

it is
not reasonable to allow their resources to be accessed by a same-name user
on another computer.

Don't give the same name, and make sure each user uses a good
password selection strategy. (Enforce)

Or switch to a domain where it is easier to deal with the whole thing.

Q2

Local administrator VS domain administrator

Who has more power?

By default: Domain Admins since they are part of the Administrator
group on EVERY machine, including servers and DCs.

But on the local machine, one machine at a time, the power is the same.

What is difference between them when configuring a domain-controlled
COMPUTER or service?

Nothing on a per computer basis. The difference is that the
domain admins have this power on every machine, while the
local admin is just that, local to a single machine.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
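
Added example, not part of the original thread: a simplified Python model of the challenge-response logon behind Q1, showing why PC2 accepts PC1's user U and rejects a same-name account with a different password. SHA-256 and HMAC stand in for the real NT hash and NTLM response computation, and the `WorkgroupPC` class, account names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

def password_hash(password: str) -> bytes:
    # Stand-in for the unsalted NT hash: derived from the password only,
    # so the account name and the machine play no part in it.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for the NTLM response: proves knowledge of the hash.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class WorkgroupPC:
    """A standalone PC with its own local account database (constructed model)."""
    def __init__(self, name: str):
        self.name = name
        self.accounts = {}      # lowercase user name -> password hash
        self.share_acl = set()  # local users allowed on the share

    def add_user(self, user: str, password: str) -> None:
        self.accounts[user.lower()] = password_hash(password)

    def client_response(self, user: str, challenge: bytes) -> bytes:
        return response(self.accounts[user.lower()], challenge)

    def serve_share(self, client: "WorkgroupPC", user: str) -> bool:
        # The server looks the NAME up in its OWN database; it has no way
        # to tell that the caller's account was created on another PC.
        stored = self.accounts.get(user.lower())
        if stored is None or user.lower() not in self.share_acl:
            return False
        challenge = os.urandom(8)
        answer = client.client_response(user, challenge)
        return hmac.compare_digest(answer, response(stored, challenge))

def demo() -> dict:
    pc1, pc2, pc3 = WorkgroupPC("PC1"), WorkgroupPC("PC2"), WorkgroupPC("PC3")
    pc1.add_user("U", "Same-Passphrase-1")   # constructed sample credentials
    pc2.add_user("U", "Same-Passphrase-1")
    pc3.add_user("U", "Different-Passphrase-2")
    pc2.share_acl.add("u")
    return {
        "PC1 -> PC2 (same name, same password)": pc2.serve_share(pc1, "U"),
        "PC3 -> PC2 (same name, other password)": pc2.serve_share(pc3, "U"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'access granted' if allowed else 'access denied'}")
```

The second case is the mitigation from the reply above: once the passwords differ, the matching name alone no longer opens the share.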
