Re: Logon difference in Workgroup and domain
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Fri, 15 Dec 2006 07:22:18 -0600
"Benny" <wuyuebing@xxxxxxxxx> wrote in message
news:1166149622.447584.44050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
So what is the difference to access network for a local user and a user
in AD?
In general, a local "computer specific" user cannot
access (most) resources on the net and cannot be
given such access DIRECTLY (Guest access might
apply but Guest is in fact a domain account.)
Domain Users can be granted (or selectively denied)
access to domain resources.
In general, "Access to domain resources requires
domain authentication -- either directly or indirectly
through a trusted domain."
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Herb Martin wrote:
<yuebing.wu@xxxxxxxxx> wrote in message
news:1166090957.307451.210180@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
all document and comments focus on central and discrete administration.
I want to ask some detail.
Q1:
in a workgroup, create two users with the same user name(U) and the
same password separately on two PCs(PC1 and PC2).
Create a share folder on PC2 and make it only accessfull to the
user(U). User(U) on PC1 can access the share folder on PC2.
I can not understand WHY user on PC1 can access PC2's resource as PC2's
local user. the two users on different PC are definitely two users!
Reason: Simply because Microsoft RIGGED it this way to make
sharing resources easier when the accounts are really different
(as you understand correctly.)
The across-PC access is unreasonable, because if two PCs are
administrated by two local admins, there could be probability that the
two admins create users with same name and password on their PC,
No, the chances of a password being the same should be virtually
NIL -- if users use even moderately decent passwords.
But to the extent they do not, this is part of the reason that
workgroups are less secure.
it is
not reasonable to allow their resource to be access by a same-name user
on other computer.
Don't give same name, and make sure each user uses a good
password selection strategy. (Enforce)
Or switch to a domain where it is easier to deal with the whole thing.
Q2
Local administrator VS domain administrator
Who has more power?
By default: Domain Admins since they are part of the Administrator
group on EVER machine, including servers and DCs.
But on the local machine, one machine at a time, the power is the same.
What is difference between them when configuring a domain-controlled
COMPUTER or service?
Nothing on a per computer basis. The difference is that the
domain admins have this power on every machine, while the
local admin is just that, local to a single machine.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
.
- Follow-Ups:
- Re: Logon difference in Workgroup and domain
- From: Joe Richards [MVP]
- Re: Logon difference in Workgroup and domain
- References:
- Logon difference in Workgroup and domain
- From: yuebing . wu
- Re: Logon difference in Workgroup and domain
- From: Herb Martin
- Re: Logon difference in Workgroup and domain
- From: Benny
- Logon difference in Workgroup and domain
- Prev by Date: Re: Single Forest Multiple Domains
- Next by Date: Re: Laptops in domain
- Previous by thread: Re: Logon difference in Workgroup and domain
- Next by thread: Re: Logon difference in Workgroup and domain
- Index(es):
Relevant Pages
|
