From: Geckoloco on 1 Dec 2008 07:18
Geckoloco wrote:
> Hi all,
> I went to a client this week to see their system architecture and I was
> surprised with the configuration. Let me explain:
> The server is a Win2003 with AD (domain name "example.local") and all
> the user accounts were configured. Seems OK to me.
> But when I went on a user's computer, it wasn't declared on the domain
> but was configured on a workgroup called "example.local".
> Never seen this...
> The client did access the server's share with her account (the same
> that was configured on the server).
> How is this possible? I thought the clients had to be on the domain to
> access the server.
> Could someone explain this configuration to me, please?
Good. This clarifies the situation.
There's a lot of work to get all this rollin' back correctly.
From: Brandon McCombs on 2 Dec 2008 19:00
> Brandon McCombs wrote:
>> Geckoloco wrote:
>>> Hi all,
>>> I went to a client this week to see their system architecture and I
>>> was surprised with the configuration. Let me explain:
>>> The server is a Win2003 with AD (domain name "example.local") and all
>>> the user accounts were configured. Seems OK to me.
>>> But when I went on a user's computer, it wasn't declared on the
>>> domain but was configured on a workgroup called "example.local".
>>> Never seen this...
>>> The client did access the server's share with her account (the
>>> same that was configured on the server).
>>> How is this possible? I thought the clients had to be on the domain
>>> to access the server.
>>> Could someone explain this configuration to me, please?
>> Anyone can access a server share as long as they have the right to do
>> so. The right being defined by the ACLs on the server share. Being
>> that the clients aren't on the domain though the users will have to
>> authenticate before they access any domain resource. Sounds like both
>> you and your client need to learn a bit more about ADS, especially
>> your client since they have no idea how to set up a domain properly.
>> Access to server shares is a basic function of a domain (and workgroup
>> for that matter).
> Thanks for the answer.
I apologize for the insult.
> I knew that users must authenticate on the server to access the shares
> but I didn't know this type of configuration.
> - If the client didn't have the same workgroup name as the domain,
> the user would have to authenticate the first time he accesses the share,
> right? (as opposed to now, when they just open their session and it works)
As others stated in various ways, it just happened to work for the users
because their usernames and passwords for the local accounts matched the
credentials on the domain (don't know how they got that lucky). If they
were ever out of sync the user would be prompted to explicitly define
their credentials. I'm sure if this ever happened the users would be up
in arms because it can be quite annoying unless the user maps the share
to a drive letter and stores the credentials in the drive mapping
> - What's the use of naming the workgroup the same as the domain? I
> don't get it.
There is no use. It sounds like a misguided attempt at creating a
domain. Hopefully you can teach them some things and make some money in
the process. :)
> - Do groups work for defining share access in this type of
> configuration? (server alone in domain and clients in workgroup)
If I understand you correctly, yes, you can use groups for defining the
proper access to the server shares. The groups would exist in ADS if in
a domain and just local on the server the user is accessing if in a
> I already configured AD with DNS, DHCP, etc. with clients declared in the
> domain but this config makes me sceptical. The AD is useless in this case,
> they could've configured the users without AD, am I correct?
They could have but it would obviously be much more work both in the
beginning and for ongoing maintenance. The only thing really needed is
to join all the workstations to the domain and have users start
authenticating using their domain credentials. If you already have that
in place then you can define some groups and then add those groups to
the ACLs on the server shares so users can access them. Don't forget to
add the users to those new groups.
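
One way to find the workstations described in this thread (in a workgroup that merely shares the domain's name, so share access depends on matching local credentials), as an added example that is not part of the original posts. It assumes PowerShell 3.0 or later on the workstation for the live query; the function name `Get-JoinFinding` and the sample machines are hypothetical and constructed for illustration.

```powershell
# Added example: classify a machine's membership state against the expected AD domain.
# Input is a Win32_ComputerSystem object (or any object with the same properties).
function Get-JoinFinding {
    param(
        [Parameter(Mandatory)] $ComputerSystem,          # Name, PartOfDomain, Domain, Workgroup
        [Parameter(Mandatory)] [string] $ExpectedDomain  # e.g. 'example.local'
    )
    if ($ComputerSystem.PartOfDomain) {
        # Really joined: users log on with domain credentials.
        if ($ComputerSystem.Domain -ieq $ExpectedDomain) { $state = 'JoinedToExpectedDomain' }
        else                                             { $state = 'JoinedToOtherDomain' }
        $note = 'Domain logon; share ACLs can reference domain groups.'
    }
    elseif ($ComputerSystem.Workgroup -ieq $ExpectedDomain) {
        # The case from the thread: a workgroup that only looks like the domain.
        $state = 'WorkgroupNamedLikeDomain'
        $note  = 'Not joined. Share access works only while the local username and password match the domain account.'
    }
    else {
        $state = 'PlainWorkgroup'
        $note  = 'Not joined. Users are prompted for domain credentials on share access.'
    }
    [pscustomobject]@{
        Computer = $ComputerSystem.Name
        State    = $state
        Note     = $note
    }
}

# Constructed sample inventory (not real machines), so the script runs offline.
$samples = @(
    [pscustomobject]@{ Name = 'PC-01'; PartOfDomain = $false; Domain = 'EXAMPLE.LOCAL'; Workgroup = 'EXAMPLE.LOCAL' }
    [pscustomobject]@{ Name = 'PC-02'; PartOfDomain = $true;  Domain = 'example.local'; Workgroup = $null }
    [pscustomobject]@{ Name = 'PC-03'; PartOfDomain = $false; Domain = 'WORKGROUP';     Workgroup = 'WORKGROUP' }
)

$samples |
    ForEach-Object { Get-JoinFinding -ComputerSystem $_ -ExpectedDomain 'example.local' } |
    Format-Table -AutoSize -Wrap

# Live check on the local machine (uncomment to use):
# Get-JoinFinding -ComputerSystem (Get-CimInstance Win32_ComputerSystem) -ExpectedDomain 'example.local'
```

Machines reported as `WorkgroupNamedLikeDomain` are the ones to join to the domain before moving share permissions to domain groups.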