2003 AD integration with local Administrator Accounts on ..

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi all, we are migrating from NT4 to a Windows 2003 server.

My users are all engineers who have local accounts on their PCs.
Each local account has full Administrator access so they can do
whatever they want with their PC. Currently their PCs are configured
to work in a workgroup.


I would like all of these end users to be a part of our new domain.

A couple of questions come to mind.


1. How can AD be configured so that the user logging into the
domain has full control of their local PC but not admin access
to the actual domain?


2. Would I be correct in assuming that, in the AD scheme of things,
when a PC logs onto an AD domain it is really becoming a
member server of the domain, just like the method used for
adding, say, a workstation/server to an NT domain?


Thanks for your insight and assistance.

Josh.
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    1. The Restricted Groups feature of GP makes this easy to implement on a
    large scale. Just define the Administrators group and put everyone you want
    in there (including Domain Admins and the local Administrator account).

    2. Yes, essentially. In AD, a workstation and a member server account are
    identical, really.

    --
    --Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us

    www.briandesmond.com


    "Josh Davis" <none@nospam.net> wrote in message
    news:4283v0pi87l92fu4uufve9cq0cdrjm7vu5@4ax.com...
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Set up the Domain. Make sure that you create a user account object for each
    of these users. You will have to join each of the workstations to the
    domain ( well, you do not have to..... ). Then, the users can log on with
    their domain user account object. You can make sure that they keep the
    settings and such if you use Windows Explorer on each computer....

    Each workstation is joined to the domain in the usual fashion. Just make
    sure that DNS is configured correctly. You want to have only your internal
    DNS Server information being handed out to the clients ( usually via DHCP ).
    Do not include your ISP's DNS Server information. That belongs in the
    Forwarders tab ( in the DNS MMC ).

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Josh Davis" <none@nospam.net> wrote in message
    news:4283v0pi87l92fu4uufve9cq0cdrjm7vu5@4ax.com...
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi,

    >1 How can AD be configured so that the user logging into the domain
    >has full control of their local pc but not admin access of the actual
    >domain.

    Yes, I do it all the time. Create the users' domain accounts as regular
    users. After adding the workstation to the domain, go to Computer
    Management - Users and add the user's domain account to the local
    Administrators group on the local workstation. Computer Management
    can be done remotely once the workstation is joined to a domain, so you
    don't have to be sitting at the machine.

    >Would I be correct in assuming that in the AD Scheme of things that
    >when a pc logs onto a AD that they are really becomming a member
    >server of the domain just like the method used for adding say a
    >workstation/server to a NT Domain

    Actually they are a workstation in the domain, just like NT. A member
    server is actually a Windows 2000/03 server joined to the domain but not
    as a DC.

    Check out my website to make sure you set up DNS correctly. Also, when
    creating the domain name, it is recommended to use the .local
    extension instead of a public one like .com or .net.

    http://www.sd61.bc.ca/windows2000

    Cheers,

    Lara

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Topic URL: http://www.windowsforumz.com/Active-Directory-2003-AD-intergration-local-Administrator-Accounts-xp-win2k-ftopict254216.html
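The following is an added example, not code from the thread, that carries out what Brian (Restricted Groups at scale) and Lara (per-workstation Computer Management) describe, as a script: each engineer's domain account is added to the local Administrators group of their own workstation only, after first checking that the account is not already in Domain Admins. It uses the WinNT ADSI provider, which works over RPC to a domain-joined workstation without RSAT or WinRM. The domain name CORP, the computer names, the user names and the assignment table are all hypothetical. One caveat worth knowing before choosing the Restricted Groups route instead: the "Members of this group" list in a Restricted Groups policy replaces the workstation's existing membership on every policy refresh, so anyone left off it, including the engineers' old local accounts, loses admin rights; the "This group is a member of" setting is additive.

```powershell
# Added example, not from the thread. Grants each engineer admin rights on
# their own workstation only, and verifies none of them is a domain admin.
# Assumptions (hypothetical): NetBIOS domain CORP, workstations PC01/PC02,
# the account running this is already in each PC's local Administrators
# group (e.g. a Domain Admin), and RPC/SMB to the workstations is open.

$Domain = 'CORP'

# Constructed mapping of workstation -> the one domain user who owns it.
$Assignments = @(
    @{ Computer = 'PC01'; User = 'jdavis' },
    @{ Computer = 'PC02'; User = 'asmith' }
)

function Get-WinNTGroupMembers {
    # Returns the ADsPath (e.g. WinNT://CORP/jdavis) of every member of a
    # local or domain group addressed through the WinNT provider.
    param([string]$GroupPath)   # e.g. WinNT://PC01/Administrators,group
    $group = [ADSI]$GroupPath
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Test-IsMember {
    param([string]$GroupPath, [string]$MemberPath)
    $members = @(Get-WinNTGroupMembers -GroupPath $GroupPath)
    return [bool]($members -contains $MemberPath)   # -contains is case-insensitive
}

$domainAdmins = "WinNT://$Domain/Domain Admins,group"

foreach ($a in $Assignments) {
    $userPath   = "WinNT://$Domain/$($a.User)"
    $adminsOnPc = "WinNT://$($a.Computer)/Administrators,group"

    # Guard: a Domain Admin is already an administrator on every machine in
    # the domain, which is exactly what Josh wants to avoid. Flag it.
    if (Test-IsMember -GroupPath $domainAdmins -MemberPath $userPath) {
        Write-Warning "$($a.User) is in Domain Admins; remove that first"
        continue
    }

    if (-not (Test-IsMember -GroupPath $adminsOnPc -MemberPath $userPath)) {
        ([ADSI]$adminsOnPc).Add("$userPath,user")
        Write-Host "Added $userPath to Administrators on $($a.Computer)"
    }

    # Print the resulting membership so leftovers (old local admin accounts,
    # other domain users) are visible and can be cleaned up.
    Write-Host "Administrators on $($a.Computer):"
    Get-WinNTGroupMembers -GroupPath $adminsOnPc | ForEach-Object { "  $_" }
}
```

Run it from a management host as a Domain Admin; the membership listing at the end is the part to read, since it shows whether the old workgroup-era local accounts still hold admin rights.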
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Thanks for the help guys I appreciate your time.

    Regards.... Josh
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Thanks Lara... great info..

    Josh..


    On 23 Jan 2005 00:45:14 -0500, lforbes
    <UseLinkToEmail@WindowsForumz.com> wrote:

    >Hi,
    >
    >>1 How can AD be configured so that the user logging into the domain
    >>has full control of their local pc but not admin access of the actual
    >>domain.
    >
    >Yes, I do it all the time. Create the Users Domain Accounts as regular
    >users. After adding the workstation to the Domain go to the Computer
    >Management - Users and add the Users Domain Account to the local
    >administrators group on the local workstation. Computer management
    >can be done remotely once workstation is joined to a domain so you
    >don’t have to be sitting at the machine.
    >
    >>Would I be correct in assuming that in the AD Scheme of things that
    >>when a pc logs onto a AD that they are really becomming a member
    >>server of the domain just like the method used for adding say a
    >>workstation/server to a NT Domain
    >
    >Actually they are a workstation in the domain, just like NT. A Member
    >server is actually Windows 2000/03 server joined to the domain but not
    >as a DC.
    >
    >Check out my website to make sure you setup DNS correctly. Also when
    >creating the Domain name, it is recommended to use the .local
    >extension instead of a public one like .com or .net.
    >
    >http://www.sd61.bc.ca/windows2000
    >
    >Cheers,
    >
    >Lara
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Cary, I normally assign the ISP's DNS settings via DHCP. Surely if
    a local caching internal DNS server is set up for AD integration
    there is no need to use the Forwarders tab. I am really curious about
    this; can you give me some more info on it?

    The specific reason I assign via DHCP is that if the internal DNS
    server dies my users can still access Internet web pages.

    Thanks, Josh.


    On Sat, 22 Jan 2005 19:30:17 -0500, "Cary Shultz [A.D. MVP]"
    <cwshultz@mvps.org> wrote:

    >Set up the Domain. Make sure that you create a user account object for each
    >of these users. You will have to join each of the workstations to the
    >domain ( well, you do not have to..... ). Then, the users can log on with
    >their domain user account object. You can make sure that they keep the
    >settings and such if you use Windows Explorer on each computer....
    >
    >Each workstation is joined to the domain in the usual fashion. Just make
    >sure that DNS is configured correctly. You want to have only your internal
    >DNS Server information being handed out to the clients ( usually via DHCP ).
    >Do not include your ISP's DNS Server information. That belongs in the
    >Forwarders tab ( in the DNS MMC ).
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    BAD! BAD! BAD!

    The only DNS Server information that your local clients should ever ever
    ever use is your INTERNAL DNS Server(s). There should never never never be
    any mention of any outside DNS Server(s).

    Why? Because your clients need to be able to find and resolve SRV records.
    These are the 'Service Records' in your DNS. They help your clients find
    such things as Domain Controllers and Global Catalog Servers - among others.
    If they cannot resolve these records then there are going to be a lot of fun
    things going on......not fun for your user base, fun for you! ;-)

    Please take a look at the following MSKB Articles:

    http://support.microsoft.com/?id=247811
    http://support.microsoft.com/?id=314861

    I might rethink your setup and change it immediately. Meaning, change your
    DHCP options and remove any mention of any 'external' DNS Server(s).

    And you do not need to use the Forwarders tab. The Root Hints are available
    as soon as you delete the "." zone in your Forward Lookup Zone in the DNS
    MMC ( well, it does take a few minutes for them to become available ). But
    that is a long-standing battle in the DNS news group. Do you use the Root
    Hints or Forwarders tab? If you do input information in the Forwarders tab
    then it is used first and in the event that it is not able to do anything
    the Root Hints come into play.

    Cannot tell you what to do....can only suggest things.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Josh Davis" <none@nospam.net> wrote in message
    news:6fi6v0t1ikkvqiarp3re1re28o2o0o2lc5@4ax.com...
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Cary, I appreciate your insight, but I found for some reason in
    the past that over time my internal DNS server got dog slow and
    in certain cases was simply unable to resolve web pages for internal
    clients. Now, perhaps I had something configured incorrectly, so I shall
    review again and give what you suggest a go.

    In my original DHCP config I handed out DNS servers in order: two
    external and then the local internal one. My thinking was that this
    top-down approach would work like this, since internal name resolution
    was via WINS.

    1. Client requests web page.
    Client looks at its own routing info, hits the first external DNS,
    then the second if no response.

    Thanks, Josh.


    On Sun, 23 Jan 2005 05:31:09 -0500, "Cary Shultz [A.D. MVP]"
    <cwshultz@mvps.org> wrote:

    >BAD! BAD! BAD!
    >
    >The only DNS Server information that your local clients should ever ever
    >ever use is your INTERNAL DNS Server(s). There should never never never be
    >any mention of any outside DNS Server(s).
    >
    >Why? Because your clients need to be able to find and resolve SRV records.
    >These are the 'Service Records' in your DNS. They help your clients find
    >such things as Domain Controllers and Global Catalog Servers - among others.
    >If they can not resolve these records then there is going to be a lot of fun
    >things going on......not fun for your user base, fun for you! ;-)
    >
    >Please take a look at the following MSKB Articles:
    >
    >http://support.microsoft.com/?id=247811
    >http://support.microsoft.com/?id=314861
    >
    >I might rethink your setup and change it immediately. Meaning, change your
    >DHCP options and remove any mention of any 'external' DNS Server(s).
    >
    >And you do not need to use the Forwarders tab. The Root Hints are available
    >as soon as you delete the "." zone in your Forward Lookup Zone in the DNS
    >MMC ( well, it does take a few minutes for them to become available ). But
    >that is a long-standing battle in the DNS news group. Do you use the Root
    >Hints or Forwarders tab? If you do input information in the Forwarders tab
    >then it is used first and in the event that it is not able to do anything
    >the Root Hints come into play.
    >
    >Can not tell you what to do....can only suggest things.
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I'll jump in with a couple of points if I may...

    Firstly, the second (and third, etc.) DNS server is only ever used if the
    first cannot be contacted. So, if the first cannot resolve a name it sends
    a negative reply and this is used. The second is not then used.

    Secondly, WINS is no longer the primary name resolution mechanism. DNS now
    is. This means that any client configured with a DNS server will use that
    to try to resolve the SRV records. If a negative reply is received, this
    is 'used' and cached.

    In an NT5.x-based network infrastructure (an AD forest) you **must** use an
    internal DNS server that is authoritative for the DNS namespace that maps to
    the AD domain name. You cannot point to external name servers. 99% of us
    need to resolve external names, so this is usually achieved either through
    forwarders or a proxy. Yes, an external DNS server is often noticeably
    quicker than an internal one, but if this is causing a problem I suggest
    implementing a proxy server. You might also find a caching-only DNS server
    helpful in conjunction with your proxy.

    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


    "Josh Davis" <none@nospam.net> wrote in message
    news:os58v0ldq7m89ck9rgomielshmcfpm5a1i@4ax.com...
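The script below is an added example, not code from the thread, that turns the points Cary and Paul make into checks a practitioner can run: which DNS servers a client actually has configured, whether each of them answers the DC-locator SRV query that domain logon depends on, whether the DHCP scope hands out anything other than internal servers, and, on the DNS server itself, whether a "." root zone is blocking root hints and forwarders. Querying an ISP resolver for the SRV record is the direct demonstration of Paul's point: it returns a negative answer rather than no answer, so the client caches that and never falls through to the next server in its list. The AD domain name corp.local, the internal server addresses 10.0.0.10 and 10.0.0.11, and the DHCP scope 10.0.0.0 are hypothetical; the DHCP and DNS-server sections run only where the DhcpServer and DnsServer modules are present.

```powershell
# Added example, not from the thread. Audits the client-side and server-side
# DNS points raised in this thread. Assumptions (hypothetical): AD domain
# corp.local, internal DNS servers 10.0.0.10 and 10.0.0.11, DHCP scope
# 10.0.0.0. Requires the DnsClient module (any supported Windows client);
# the DHCP and DNS-server checks need their RSAT modules and are skipped
# when those are missing.

$AdDomain    = 'corp.local'
$InternalDns = @('10.0.0.10', '10.0.0.11')
$DhcpScope   = '10.0.0.0'
$DcLocator   = "_ldap._tcp.dc._msdcs.$AdDomain"   # SRV record clients use to find a DC

function Get-ForeignDnsServers {
    # Every DNS server address configured on any IPv4 interface that is not
    # in the internal list. A non-empty result is the setup Cary warns about.
    param([string[]]$Allowed)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ -and ($Allowed -notcontains $_) } |
        Sort-Object -Unique
}

function Test-DcLocatorRecord {
    # Ask one specific server for the DC-locator SRV record. An ISP resolver
    # returns NXDOMAIN: a definitive negative answer, which the client caches
    # instead of trying the next server in its list (Paul's point).
    param([string]$Server)
    try {
        $answer = Resolve-DnsName -Name $DcLocator -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        return ($answer | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority)
    } catch {
        return $null
    }
}

# 1. Client configuration: only internal servers should be present.
$foreign = @(Get-ForeignDnsServers -Allowed $InternalDns)
if ($foreign) {
    Write-Warning "External resolvers configured on this client: $($foreign -join ', ')"
}

# 2. Each configured server, internal or not, asked for the SRV record.
foreach ($server in ($InternalDns + $foreign)) {
    $hit = Test-DcLocatorRecord -Server $server
    if ($hit) {
        Write-Host "$server answers $DcLocator with:"
        $hit | Format-Table -AutoSize | Out-String | Write-Host
    } else {
        Write-Warning "$server cannot resolve $DcLocator; a client pointed at it will not find a DC"
    }
}

# 3. DHCP side: option 006 (DNS Servers) on the scope must list only internal servers.
if (Get-Command Get-DhcpServerv4OptionValue -ErrorAction SilentlyContinue) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $DhcpScope -OptionId 6 -ErrorAction SilentlyContinue
    $bad = @($opt.Value | Where-Object { $InternalDns -notcontains $_ })
    if ($bad) { Write-Warning "DHCP scope $DhcpScope hands out external DNS: $($bad -join ', ')" }
}

# 4. DNS server side: a "." zone makes the server believe it is a root server,
#    so it never uses root hints or forwarders for Internet names.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    if (Get-DnsServerZone | Where-Object ZoneName -eq '.') {
        Write-Warning 'Root zone "." exists on this DNS server; delete it so root hints or forwarders are used'
    }
    Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint | Format-Table -AutoSize
}
```

Run it on a domain-joined client first (sections 1 and 2), then on the DHCP and DNS servers (sections 3 and 4). Josh's original order of two external servers followed by the internal one fails section 2 for the external servers, which is why clients never reached the domain controllers.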