From: Geckoloco on
Hi all,

I went to a client this week to see their system architecture and I was
surprised with the configuration. Let me explain :

The server is a Win2003 with AD (domain name "example.local") and all
the users account were configured. Seems ok to me.
But when I went on a user's computer, it wasn't declared on the domain
but was configured on a workgroup called "example.local".
Never seen this...
The client did access to the server's share with her account (the same
that was configured on the server).

How is this possible ? I fought the clients had to be on the domain to
access the server.
Could someone explain me this configuration please ?

Thanks.
From: Brandon McCombs on
Geckoloco wrote:
> Hi all,
>
> I went to a client this week to see their system architecture and I was
> surprised with the configuration. Let me explain :
>
> The server is a Win2003 with AD (domain name "example.local") and all
> the users account were configured. Seems ok to me.
> But when I went on a user's computer, it wasn't declared on the domain
> but was configured on a workgroup called "example.local".
> Never seen this...
> The client did access to the server's share with her account (the same
> that was configured on the server).
>
> How is this possible ? I fought the clients had to be on the domain to
> access the server.
> Could someone explain me this configuration please ?
>
> Thanks.

Anyone can access a server share as long as they have the right to do
so. The right being defined by the ACLs on the server share. Being that
the clients aren't on the domain though the users will have to
authenticate before they access any domain resource. Sounds like both
you and your client need to learn a bit more about ADS, especially your
client since they have no idea how to setup a domain properly. Access to
server shares is a basic function of a domain (and workgroup for that
matter).
From: Geckoloco on
Brandon McCombs a �crit :
> Geckoloco wrote:
>> Hi all,
>>
>> I went to a client this week to see their system architecture and I
>> was surprised with the configuration. Let me explain :
>>
>> The server is a Win2003 with AD (domain name "example.local") and all
>> the users account were configured. Seems ok to me.
>> But when I went on a user's computer, it wasn't declared on the domain
>> but was configured on a workgroup called "example.local".
>> Never seen this...
>> The client did access to the server's share with her account (the same
>> that was configured on the server).
>>
>> How is this possible ? I fought the clients had to be on the domain to
>> access the server.
>> Could someone explain me this configuration please ?
>>
>> Thanks.
>
> Anyone can access a server share as long as they have the right to do
> so. The right being defined by the ACLs on the server share. Being that
> the clients aren't on the domain though the users will have to
> authenticate before they access any domain resource. Sounds like both
> you and your client need to learn a bit more about ADS, especially your
> client since they have no idea how to setup a domain properly. Access to
> server shares is a basic function of a domain (and workgroup for that
> matter).

Thanks for the answer.
I knew that users must authenticate on the server to access the shares
but I didn't know this type of configuration.
- If the client didn't had for workgroup the same name as the domain,
the user would have to authenticate the first time he access the share,
right ? (as opposite, now they just open their session and it works)
- What's the use of naming the workgroup the same as the domain ? I
don't get it.
- Are groups working for defining shares' access in this type of
configuration ? (server alone in domain and clients in workgroup)

I already configured AD with DNS, DHCP, etc with clients declared in the
domain but this config makes me sceptic. The AD is useless in this case,
they could've configured the users without AD, am I correct ?
From: Hank Arnold (MVP) on
Geckoloco wrote:
> Brandon McCombs a �crit :
>> Geckoloco wrote:
>>> Hi all,
>>>
>>> I went to a client this week to see their system architecture and I
>>> was surprised with the configuration. Let me explain :
>>>
>>> The server is a Win2003 with AD (domain name "example.local") and all
>>> the users account were configured. Seems ok to me.
>>> But when I went on a user's computer, it wasn't declared on the
>>> domain but was configured on a workgroup called "example.local".
>>> Never seen this...
>>> The client did access to the server's share with her account (the
>>> same that was configured on the server).
>>>
>>> How is this possible ? I fought the clients had to be on the domain
>>> to access the server.
>>> Could someone explain me this configuration please ?
>>>
>>> Thanks.
>>
>> Anyone can access a server share as long as they have the right to do
>> so. The right being defined by the ACLs on the server share. Being
>> that the clients aren't on the domain though the users will have to
>> authenticate before they access any domain resource. Sounds like both
>> you and your client need to learn a bit more about ADS, especially
>> your client since they have no idea how to setup a domain properly.
>> Access to server shares is a basic function of a domain (and workgroup
>> for that matter).
>
> Thanks for the answer.
> I knew that users must authenticate on the server to access the shares
> but I didn't know this type of configuration.
> - If the client didn't had for workgroup the same name as the domain,
> the user would have to authenticate the first time he access the share,
> right ? (as opposite, now they just open their session and it works)
> - What's the use of naming the workgroup the same as the domain ? I
> don't get it.
> - Are groups working for defining shares' access in this type of
> configuration ? (server alone in domain and clients in workgroup)
>
> I already configured AD with DNS, DHCP, etc with clients declared in the
> domain but this config makes me sceptic. The AD is useless in this case,
> they could've configured the users without AD, am I correct ?

The work group name was not important. Having the same name as the
domain *could* have some negative impacts, but what made it work was
that the user name/account & password were the same as the domain user
name/account & password. When you try to access a network resource,
WIndows automaticaly sends the username and password used to logon to
the server handling the resource. If it matches the credentials on the
server, it then allows access per the security settings.

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
From: Meinolf Weber on
Hello Geckoloco,

Doesn't matter if the wokgroup name is the same as the domain name. The authentication
to the domain works also if the machine is not a domain member, as you can
see with the share access. Important is the correct username/password for
the domain account and you can login.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi all,
>
> I went to a client this week to see their system architecture and I
> was surprised with the configuration. Let me explain :
>
> The server is a Win2003 with AD (domain name "example.local") and all
> the users account were configured. Seems ok to me.
> But when I went on a user's computer, it wasn't declared on the domain
> but was configured on a workgroup called "example.local".
> Never seen this...
> The client did access to the server's share with her account (the same
> that was configured on the server).
> How is this possible ? I fought the clients had to be on the domain to
> access the server.
> Could someone explain me this configuration please ?
> Thanks.
>