local and global user accounts

Guest
Archived from groups: microsoft.public.windowsnt.domain

I'm having trouble understanding local and global users and I was wondering if
someone could help me out.
In these Windows NT Server books, they are always talking about users and accounts.
Are they the same thing like: are Local users the same thing as local
accounts??
The same goes for global users as opposed to global accounts??

Second:

Please let me know if I'm understanding this correctly-

* On a local workstation or server in a non-domain environment, if the person
needed to use the machine is placed in the "User" group, this person has a
local account or is a local user in a local group. The person can log
interactively by default into the machine.

* On a domain, through User Manager for Domains on I guess the PDC, if a user
is entered into the "User" group, by default, it is a global user account in a
local group. This person can log in interactively if the policies are set up to
allow it on the PDC.

If the Administrator had selected "Local Account for users from untrusted
domains" in the Account menu in the User Manager for Domains, while adding this
person to the "User" group, would they be a local user in a local group??

Does the local account/local user appear in all domain controllers? Since the
SAM is replicated to them, can this user log on to all domain controllers
through a network logon or only into the PDC through a network logon??

* Finally, if the Administrator had instead added the user to the "Domain
Users" group, and had selected "local account" in the accounts box, can the
user log on to all computers and domain controllers through a network logon on
that domain?? Wouldn't that user be a local user belonging to a global group??

I would greatly appreciate any help you could extend to me on this matter.

Thanks.
 
Guest

OK. Here it is.

If you wanted to logon to a Windows NT workstation you
would need a user account on that particular workstation.
If you had three+ workstations you would need one user
account on each workstation. What a domain does is
provide one logon for multiple workstations for each
user. So if you have 3,000 users that need to logon to
three+ workstations it is simpler to just add the
workstations to a domain so that you only need to create
3,000 accounts, which would be on the PDC.

A group is only a collection of users with the exception
of the built in groups.

For a local (non-domain) workstation you typically have:

Administrators
Power users
Users

In a domain and only on the Domain Controller you have:

Domain Admins
Account Operators
Domain Users
And a lot of others....

When you add a workstation to a domain the Domain Admins
group is automatically added to the workstation's Local
Administrators group. This is what gives the Domain Admin
God Like rights over all domain workstations.

The Account Operators group only permits users of that
group the ability to create user accounts on the PDC, but
not on the individual workstations.

The groups come in handy when you need to assign access
rights to a group of users. For example if bsmith has a
domain account on the ACCOUNTING domain and he belonged
to a group called ACCOUNTANTS and DOMAIN USERS and he
wants to access a share on another computer you could
set up the security to allow any of the following:

ACCOUNTING\DOMAIN USERS
ACCOUNTING\BSMITH
ACCOUNTING\ACCOUNTANTS

The first and third would allow everyone who belongs to
those groups to access the share or you could just allow
ACCOUNTING\BSMITH to access the share. So basically you
use groups to allow more than one user to access a domain
or computer resource.

The groups are not necessary to give a user a global
account. Try this from a workstation:

Go to a DOS prompt and type:

net user test 111111 /add

Try to log on to any workstation. The user account will
only work on the workstation you created it on. Now go
back to the same workstation and type:

net user test 111111 /domain /add

Do not replace the word domain

Now try to log on to any workstation. You should be able
to because the account is not global. So you basically
now have two accounts called test. One that was created
locally on the workstation and one that is created on the
PDC.

Hope this helps.


Shawn
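
An added example, not part of the original reply: a short Python audit that parses the output of `net localgroup Administrators` on a domain workstation, separates members held in the local SAM from members held in the domain, and reports names that exist in both (the "two accounts called test" situation, where each account has its own password and SID). The sample output is constructed; the function names are hypothetical.

```python
import re

# Constructed sample of `net localgroup Administrators` output from a
# workstation joined to the thread's ACCOUNTING domain (not real data).
SAMPLE = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
test
ACCOUNTING\\Domain Admins
ACCOUNTING\\test
The command completed successfully.
"""

def parse_members(output):
    """Return the member lines between the dashed rule and the trailer."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def classify(members):
    """Split members by the account database that holds them."""
    local, domain = [], []
    for m in members:
        if "\\" in m:                      # DOMAIN\name: held on the PDC
            domain.append(tuple(m.split("\\", 1)))
        else:                              # bare name: held in the local SAM
            local.append(m)
    return local, domain

def shadowed_names(local, domain):
    """Names present both locally and in a domain (two distinct accounts)."""
    return sorted({n.lower() for n in local} & {n.lower() for _, n in domain})

if __name__ == "__main__":
    local, domain = classify(parse_members(SAMPLE))
    print("local SAM :", local)
    print("domain    :", ["\\".join(d) for d in domain])
    print("same name in both:", shadowed_names(local, domain))
```
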





