Re: Local Accounts
- From: "-Draino-" <guest@xxxxxxxxxxx>
- Date: Mon, 4 Aug 2008 22:55:49 -0400
Hi Cliff,
Inline as well
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message news:Rd6dnXEH-rNmJArVnZ2dnUVZ_q3inZ2d@xxxxxxxxxxxxxx
You seem a bit confused, so I'll try to answer your questions...but most of that I've done inline. Feel free to ask for more detail if I didn't clarify enough. Good luck!
-Cliff
"-Draino-" <guest@xxxxxxxxxxx> wrote in message news:Ot7V$jn9IHA.2496@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
I have 3 PC's that at one time were all in the same workgroup. No server. The users all accessed the PC's with local usernames and passwords. All 3 users had accounts on all 3 computers. All 3 users could log into any computer with their username and password.
You didn't specify which OS these three PC's are running.
All client machines are XPSP3
Now that a SBS2003 server has been added, all 3 users log on to the network. All 3 users still use the same usernames and passwords that they had when the computers were in a workgroup.
Were the COMPUTERS (not users) joined to SBS2003 using the connectcomputer wizard? If not, you should do that. The wizard migrates users as part of the process.
No I did not use the wizard to add computers to the domain. I saw no point in that as the client apps on SBS2003 are all outdated. IE6 is not used anymore. We don't use Outlook and there was not much else I really cared to push to the client machines.
Because the users still have local computer accounts, the users are still allowed to log into the computers locally. When I go to the user accounts I see all 3 users with accounts on the "computer name"
Users should NOT have local accounts anymore. Domain accounts can log in locally (aka in front of the machine) as well, if the computer was properly joined to the domain (see above.)
Well maybe true but when the client machines were not in a domain we had software installed (obviously local) that we did not want to reinstall when on the domain. One of my client machines was using Quickbooks 2008 before the domain existed and that user did not want to mess with any possibility of a bad install or a corrupted Quickbook file. This user has years of data and felt that we should just leave well enough alone.
How do I make local login available from the domain? I assume using GP?
If I delete the user and add them back and put their account with the "domain name" they can no longer access the computer locally.
You don't add their account back at all. Domain accounts are created (and listed) on the server. They won't appear under "local users" on the local machine, because the user is no longer local. Trying to add a local user, even using the domain name, is only confusing the system. Rule of thumb: Domain accounts are added on the domain controller (SBS2003.) Local accounts are added locally. Domain users do not need local accounts. At all. Ever.
Ok that being said, I want to be able to access all the client machines locally. I may want certain users to access their own machines locally. What do I do, if anything to the user accounts locally?
It seems as though I can do this for the Administrator account as well.
The local admin account can be useful for some system changes, but should not be removed. 95% of your admin work should also be done using the domain admin account.
Agreed
My questions are, would I be able to delete the admin account and add it back using the "domain name" and if so how would anyone access that computer locally?
No. Windows still requires a local admin account. You'd have problems deleting it. You can rename it for security reasons if you so desire. You also do not "add" the domain account locally, for reasons described above.
Is it as simple as just adding a new user and making them an administrator on the "computer name"???
The reason I haven't tried this is because when you add a user the box says "user name" and "domain name" there is no option for "computer name" and if I get an error that says "domain name does not exist" I wouldn't know how to access that computer locally.
I believe all of this is moot. You are trying to add/adjust local accounts when this simply isn't necessary. As long as the computer is joined to the domain, the local computer will connect to, and authenticate from, the SBS server. No accounts need to be created or accessed from the local machine. Everything is done over the wire.
Again, I may want to access the clients locally. I found that if I remove my "computer name" account locally and add myself back as "username" - "domain name" I myself cannot access the machines locally.
The other thing is what would happen if I just leave the computers the way they are and I made a local user and administrator, would that user be an administrator on that machine locally and a regular user on the domain?...I assume so :)
No. If you create a local user then they won't be a regular user on the domain. They won't be *any* user on the domain. This would really make administrating SBS (and the clients!) more difficult. Get your accounts in order now and you'll be much happier down the road.
Another question is after reading a response from Lanwench, I made those users have access with "remote desktop" access on the local machine but as a member of the domain. Would they not have remote access through RWW if I made them admins locally as well?
If domain users have local admin rights, they will have access to RWW.
How do I do that???
What happens if I change an existing user, (that is only a regular user on the domain), on the local machine, and give them admin rights to the domain? Does their account get updated on the domain to administrator?
You cannot do this on a local machine. You don't have access to the "domain admins" group on a local client (unless you've installed ADUC, which I assume you haven't) so this scenario cannot exist. You could only do so from the SBS server. And if you did, they would, in fact, have domain admin rights (a very very very bad thing!)
AGREED!!!
What are the pro and cons of users having access to their local machine?
The pros are that users can install their own software. Makes less work for the sysadmin when they need new "stuff."
The cons are that users can install their own software. Makes more work for the sysadmin when they screw up adding new "stuff." (viruses, etc.)
Yep, the devil is in the details.
Never thought there was so much to know about simple user accounts!!!!!!
Randy