From: CourtK on
I apologize for making this such an annoying issue and I agree that there
must be a "fumbling" of terms and understanding here but I would really like
to get my intentions resolved.

Joe, you inspired an idea to get my answer, which was to use the SBS connect
wizard and see how the domain users are added. After using the SBS
"connect" wizard, the domain user was added to the "User Accounts" menu, not
just a local group.

So, if I were to do this manually (not using the SBS connect wizard) I would
do it this way:
Click Start \ Control Panel \ User Accounts \ User Accounts \ Manage User
Accounts \ Add \ type domain user name \ type domain \ select group \
Finish.



Going with what you say how
"Joe" <joe(a)jretrading.com> wrote in message
news:uKuV3ottKHA.4636(a)TK2MSFTNGP06.phx.gbl...
> CourtK wrote:
>> I am fairly certain that Microsoft supports adding a domain user to their
>> workstation as a local account, considering Microsoft prompts for it
>> during the join to domain wizard and, during the process to add a local
>> account, I can select domain users in AD.
>>
>
> We seem to be fumbling towards understanding here, but this is one point
> that should be clarified: when the connectcomputer wizard asks you to
> designate users, it is *not* creating local accounts.
>
> It is changing some group memberships, not in an optimal way, and it is
> migrating any previous local profile of that name so as to be utilised in
> a domain logon. That is not the same as creating a local account. Local
> accounts in a domain are as welcome as... no, I'll stop there. *Not*
> welcome.
>
> I'm sure you don't want to be lectured on security, but your subject line
> does include the phrase 'best practice'. Whether your clients wish to hear
> it or not, 'best practice' includes *never* giving users administrative
> logons. With Vista, that is finally possible, as there is almost no job
> that actually requires an admin to be logged on. So those users who can be
> trusted can be given partial administrative accounts to use *from* their
> unprivileged accounts. And that's *domain* accounts, which can be
> controlled by policy, and which the user cannot reconfigure easily.
>
> That's not some theoretical ideal, a 'do as I say but not as I do'
> proposition. I'm sitting now at one of my computers, my own personal
> property, to which I've never logged in as administrator since the day it
> was installed, and I never expect to do so. I do a lot more admin work on
> it than most 'power users' ever do, but I take admin privileges only for
> the duration of a particular job, in one window of my desktop. I have no
> boss, so it's not control freakery, it's common sense.
>
> Quite apart from security, another 'best practice' is to maintain the
> workstations of a network in as uniform and unconfigured a state as
> possible, to make life much easier when one breaks. Ideally they should
> all be identical, but for some reason, probably quantum, that doesn't seem
> to be possible.
>
> Even if each user only ever logs on to one machine, it's still a good
> idea. Do all the individual configuration using domain facilities, that's
> what they're for. Altering the logon permissions of a couple of users is a
> whole lot easier than looking up the documentation (!) for a couple of
> machines and installing software and adjusting one to match what the other
> used to be.
>
> --
> Joe
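
As an added example (not part of the original thread): a read-only PowerShell check, run on the workstation, that lists who is in the local Administrators group and separates local accounts from domain users and domain groups. This is the distinction the posts above are arguing about. The function name `Get-LocalAdminAudit` and the `Finding` labels are assumptions made for illustration.

```powershell
# Added example. Get-LocalAdminAudit and the Finding labels are hypothetical names.
function Get-LocalAdminAudit {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Resolve the group from its well-known SID so localized group names work.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$ComputerName/$name,group"
    $localPattern = '/' + [regex]::Escape($ComputerName) + '/'

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class', 'GetProperty', $null, $member, $null)

        # WinNT paths: DOMAIN/COMPUTER/name is local, DOMAIN/name is a domain principal.
        if ($path -match '^WinNT://S-1-') {
            $finding = 'Unresolved SID (deleted or unreachable account)'
        } elseif ($path -match $localPattern) {
            $finding = "Local $class on this machine"
        } elseif ($class -eq 'User') {
            $finding = 'Domain user holding local admin directly'
        } else {
            $finding = 'Domain group'
        }

        New-Object PSObject -Property @{
            Account = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class   = $class
            Finding = $finding
        }
    }
}

# Report for the machine this is run on.
Get-LocalAdminAudit | Sort-Object Finding | Format-Table Account, Class, Finding -AutoSize
```

The built-in Administrator account will always appear as a local user; the rows worth reviewing are any other local accounts and any domain users listed individually.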
