Local accounts for domain users best practice
|
Prev: Remove WMI filter
Next: Search in WSS3.0 in SBS 2008
From: kj [SBS MVP] on 25 Feb 2010 15:08 CourtK wrote: > That is not an option. To clarify even more, this question is > regarding adding domain users to a local account on a workstation, > not the SBS server. Add domain accounts to workstation local groups. This is done by default for you for domain users -> Users, and Domain Admins -> Administrators. If you want a specific domain user in the local power users or local administrators group - do it. Don't create local user accounts. > > > "Cliff Galiher - MVP" <cgaliher(a)gmail.com> wrote in message > news:283397D5-F0A6-4FA3-AD6F-C74BC5CB06F4(a)microsoft.com... >> Don't use local accounts. There is absolutely no benefit and it only >> makes management more difficult. >> >> -Cliff >> >> >> "CourtK" <noreply(a)noreply.com> wrote in message >> news:B46E2707-AC58-4F56-9AA6-3F13DBF6AF4C(a)microsoft.com... >>> We have some clients that have the domain user in a local >>> administrator group only, no local account. What are best >>> practices for adding domain users to the workstations? In an >>> environment where the users do not need roaming profiles, is it >>> advantageous to set up local accounts for the domain user? Could >>> not having a local account cause the profile to be volatile? >>> >>> Thank you, >>> CourtK -- /kj
From: SteveM on 25 Feb 2010 15:09 CourtK wrote: > That is not an option. To clarify even more, this question is > regarding adding domain users to a local account on a workstation, > not the SBS server. I think you need to explian *why* you want to do this. The responses you've had are the expected ones - don't make domain users local admins, and don't set up local admin accounts for them (which will result in allowing users to circumvent domain restrictions on the workstation). The whole point of a domain-based network is to enforce central management and control. If you're going to allow local control, it undermines the whole secuity model and puts your network at risk. So, if you can explain what it is you want to achieve, and why, people might be able to help you more.
From: CourtK on 25 Feb 2010 17:08 I am fairly certain that Microsoft supports adding a domain user to their workstation as a local account, considering Microsoft prompts for it during the join to domain wizard and, during the process to add a local account, I can select domain users in AD. If a local administrator account is used IT doesn't have to be involved when users want to add hardware and software. I believe not adding a domain user to a local account or local group defaults to a user account, which can't do much of anything. Some of our clients want to be able to install software and we have to oblige. So, getting past whether or not to add a domain user to a workstation's local account, which method is best practice; to add a domain user to a workstation's local group or setup a workstation's local account? Could adding a domain user to a local group, and not creating a specific local account, cause local profile issues? "SteveM" wrote in message news:xn0gqtjcf575vd000(a)news.microsoft.com... > CourtK wrote: > >> That is not an option. To clarify even more, this question is >> regarding adding domain users to a local account on a workstation, >> not the SBS server. > > I think you need to explian *why* you want to do this. The responses > you've had are the expected ones - don't make domain users local > admins, and don't set up local admin accounts for them (which will > result in allowing users to circumvent domain restrictions on the > workstation). The whole point of a domain-based network is to enforce > central management and control. If you're going to allow local control, > it undermines the whole secuity model and puts your network at risk. > > So, if you can explain what it is you want to achieve, and why, people > might be able to help you more.
From: kj [SBS MVP] on 25 Feb 2010 17:49 Going to agree with SteveM here. Your nomenclature usage is just confusing. > So, getting past whether or not to add a domain user to a > workstation's local account, What are you trying to acheive? CourtK wrote: > I am fairly certain that Microsoft supports adding a domain user to > their workstation as a local account, considering Microsoft prompts > for it during the join to domain wizard and, during the process to > add a local account, I can select domain users in AD. > > If a local administrator account is used IT doesn't have to be > involved when users want to add hardware and software. I believe not > adding a domain user to a local account or local group defaults to a > user account, which can't do much of anything. Some of our clients > want to be able to install software and we have to oblige. > > So, getting past whether or not to add a domain user to a > workstation's local account, which method is best practice; to add a > domain user to a workstation's local group or setup a workstation's > local account? Could adding a domain user to a local group, and not > creating a specific local account, cause local profile issues? > > > > "SteveM" wrote in message news:xn0gqtjcf575vd000(a)news.microsoft.com... >> CourtK wrote: >> >>> That is not an option. To clarify even more, this question is >>> regarding adding domain users to a local account on a workstation, >>> not the SBS server. >> >> I think you need to explian *why* you want to do this. The responses >> you've had are the expected ones - don't make domain users local >> admins, and don't set up local admin accounts for them (which will >> result in allowing users to circumvent domain restrictions on the >> workstation). The whole point of a domain-based network is to enforce >> central management and control. If you're going to allow local >> control, it undermines the whole secuity model and puts your network >> at risk. So, if you can explain what it is you want to achieve, and why, >> people might be able to help you more. -- /kj
From: CourtK on 25 Feb 2010 17:56
Add a domain user to a workstation and allow them to install software and hardware without IT intervention. "kj [SBS MVP]" <KevinJ.SBS(a)SPAMFREE.gmail.com> wrote in message news:OOqnVzmtKHA.4492(a)TK2MSFTNGP05.phx.gbl... > Going to agree with SteveM here. Your nomenclature usage is just > confusing. > >> So, getting past whether or not to add a domain user to a >> workstation's local account, > > What are you trying to acheive? > > > > CourtK wrote: >> I am fairly certain that Microsoft supports adding a domain user to >> their workstation as a local account, considering Microsoft prompts >> for it during the join to domain wizard and, during the process to >> add a local account, I can select domain users in AD. >> >> If a local administrator account is used IT doesn't have to be >> involved when users want to add hardware and software. I believe not >> adding a domain user to a local account or local group defaults to a >> user account, which can't do much of anything. Some of our clients >> want to be able to install software and we have to oblige. >> >> So, getting past whether or not to add a domain user to a >> workstation's local account, which method is best practice; to add a >> domain user to a workstation's local group or setup a workstation's >> local account? Could adding a domain user to a local group, and not >> creating a specific local account, cause local profile issues? >> >> >> >> "SteveM" wrote in message news:xn0gqtjcf575vd000(a)news.microsoft.com... >>> CourtK wrote: >>> >>>> That is not an option. To clarify even more, this question is >>>> regarding adding domain users to a local account on a workstation, >>>> not the SBS server. >>> >>> I think you need to explian *why* you want to do this. The responses >>> you've had are the expected ones - don't make domain users local >>> admins, and don't set up local admin accounts for them (which will >>> result in allowing users to circumvent domain restrictions on the >>> workstation). The whole point of a domain-based network is to enforce >>> central management and control. If you're going to allow local >>> control, it undermines the whole secuity model and puts your network >>> at risk. So, if you can explain what it is you want to achieve, and why, >>> people might be able to help you more. > > -- > /kj > |