2003 AD integration with local Administrator Accounts on ..

Anonymous
January 21, 2005 10:51:21 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi all, we are migrating from NT4 to a Windows 2003 server.

My users are all engineers that have local accounts on their PCs;
each local account has full Administrator access so they can do
whatever they want with their PC. Currently their PCs are configured
to work in a workgroup.


I would like all of these end users to be a part of our new domain.

A couple of questions come to mind.


1. How can AD be configured so that the user logging into the
domain has full control of their local PC but not admin access
to the actual domain?


2. Would I be correct in assuming that, in the AD scheme of things,
when a PC logs onto AD it is really becoming a
member server of the domain, just like the method used for
adding, say, a workstation/server to an NT domain?



Thanks for your insight and assistance.

Josh.
Anonymous
January 22, 2005 2:52:25 AM

1. The Restricted Groups feature of GP makes this easy to implement on a
large scale. Just define the Administrators group and put everyone you want
in there (including Domain Admins and the local Administrator account).

2. Yes, essentially. In AD, a workstation and a member server account are
identical, really.

--
--Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

www.briandesmond.com


"Josh Davis" <none@nospam.net> wrote in message
news:4283v0pi87l92fu4uufve9cq0cdrjm7vu5@4ax.com...
<snip>
Anonymous
January 22, 2005 10:30:17 PM

Set up the Domain. Make sure that you create a user account object for each
of these users. You will have to join each of the workstations to the
domain (well, you do not have to.....). Then, the users can log on with
their domain user account object. You can make sure that they keep the
settings and such if you use Windows Explorer on each computer....

Each workstation is joined to the domain in the usual fashion. Just make
sure that DNS is configured correctly. You want to have only your internal
DNS Server information being handed out to the clients (usually via DHCP).
Do not include your ISP's DNS Server information. That belongs in the
Forwarders tab (in the DNS MMC).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Josh Davis" <none@nospam.net> wrote in message
news:4283v0pi87l92fu4uufve9cq0cdrjm7vu5@4ax.com...
<snip>
Anonymous
January 23, 2005 3:45:14 AM

Hi,

>1. How can AD be configured so that the user logging into the domain
>has full control of their local PC but not admin access to the actual
>domain?

Yes, I do it all the time. Create the users' domain accounts as regular
users. After adding the workstation to the domain, go to Computer
Management - Users and add the user's domain account to the local
Administrators group on the local workstation. Computer Management
can be done remotely once the workstation is joined to a domain, so you
don't have to be sitting at the machine.

>Would I be correct in assuming that, in the AD scheme of things,
>when a PC logs onto AD it is really becoming a member
>server of the domain, just like the method used for adding, say, a
>workstation/server to an NT domain?

Actually they are a workstation in the domain, just like NT. A member
server is actually a Windows 2000/03 server joined to the domain but not
as a DC.

Check out my website to make sure you set up DNS correctly. Also, when
creating the domain name, it is recommended to use the .local
extension instead of a public one like .com or .net.

http://www.sd61.bc.ca/windows2000

Cheers,

Lara

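As an added example, not part of the thread: a PowerShell audit that lists who is actually in the local Administrators group on one or more joined workstations and flags anyone outside the approved set (Domain Admins, the built-in Administrator, and the engineer assigned to that PC), which is the check to run before Restricted Groups is used to enforce that set. It assumes PowerShell 5.1 or later for Get-LocalGroupMember and WinRM for remote machines; the CORP domain and the account and host names are placeholders.

```powershell
# Added example (not from the thread). Reports local Administrators members that are
# outside the approved set on each workstation, so "engineer is admin of their own PC"
# stays exactly that. Assumes PowerShell 5.1+ and WinRM; CORP/names are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Accounts allowed to be local administrators on every machine.
    [string[]]$GlobalAllowed = @('CORP\Domain Admins', 'Administrator'),
    # Engineer assigned to each PC, e.g. @{ 'ENG-PC01' = 'CORP\jdavis' } (placeholder data).
    [hashtable]$AssignedUser = @{}
)

$audit = {
    param($GlobalAllowed, $AssignedUser)
    $allowed = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $GlobalAllowed) { [void]$allowed.Add($a) }
    if ($AssignedUser.ContainsKey($env:COMPUTERNAME)) {
        [void]$allowed.Add($AssignedUser[$env:COMPUTERNAME])
    }
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # Local accounts are reported as HOST\Name; compare the bare name for those.
        $name = $m.Name
        if ($name -like "$env:COMPUTERNAME\*") { $name = $name.Split('\')[-1] }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local or ActiveDirectory
            Approved    = $allowed.Contains($name)
        }
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) { & $audit $GlobalAllowed $AssignedUser }
    else { Invoke-Command -ComputerName $c -ScriptBlock $audit -ArgumentList $GlobalAllowed, $AssignedUser }
}

# Anything listed here (a second local account, a shared helpdesk user, Domain Users added
# by mistake) is a member the Restricted Groups policy would silently keep or remove.
$results | Where-Object { -not $_.Approved } |
    Format-Table Computer, Member, ObjectClass, Source -AutoSize
```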
Anonymous
January 23, 2005 4:27:40 AM

Thanks for the help guys I appreciate your time.

Regards.... Josh
Anonymous
January 23, 2005 4:46:28 AM

Thanks Lara... great info..

Josh..
On 23 Jan 2005 00:45:14 -0500, lforbes
<UseLinkToEmail@WindowsForumz.com> wrote:

<snip>
Anonymous
January 23, 2005 4:58:30 AM

Hi Cary, I normally assign the ISP's DNS settings via DHCP. Surely if
a local caching internal DNS server is set up for AD integration
there is no need to use the Forwarders tab? I am really curious about
this; can you give me some more info on this?

The specific reason I assign via DHCP is that if the internal DNS
server dies my users can still access Internet web pages.

Thanks, Josh.
On Sat, 22 Jan 2005 19:30:17 -0500, "Cary Shultz [A.D. MVP]"
<cwshultz@mvps.org> wrote:

<snip>
Anonymous
January 23, 2005 8:31:09 AM

BAD! BAD! BAD!

The only DNS Server information that your local clients should ever ever
ever use is your INTERNAL DNS Server(s). There should never never never be
any mention of any outside DNS Server(s).

Why? Because your clients need to be able to find and resolve SRV records.
These are the 'Service Records' in your DNS. They help your clients find
such things as Domain Controllers and Global Catalog Servers - among others.
If they cannot resolve these records then there is going to be a lot of fun
things going on......not fun for your user base, fun for you! ;-)

Please take a look at the following MSKB Articles:

http://support.microsoft.com/?id=247811
http://support.microsoft.com/?id=314861

I might rethink your setup and change it immediately. Meaning, change your
DHCP options and remove any mention of any 'external' DNS Server(s).

And you do not need to use the Forwarders tab. The Root Hints are available
as soon as you delete the "." zone in your Forward Lookup Zone in the DNS
MMC (well, it does take a few minutes for them to become available). But
that is a long-standing battle in the DNS news group. Do you use the Root
Hints or Forwarders tab? If you do input information in the Forwarders tab
then it is used first and in the event that it is not able to do anything
the Root Hints come into play.

Cannot tell you what to do....can only suggest things.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Josh Davis" <none@nospam.net> wrote in message
news:6fi6v0t1ikkvqiarp3re1re28o2o0o2lc5@4ax.com...
<snip>
Anonymous
January 23, 2005 7:45:19 PM

Hi Cary, I appreciate your insight, but I found for some reason in
the past that over time my internal DNS server got dog slow and
in certain cases was simply unable to resolve web pages for internal
clients. Now perhaps I had something configured incorrectly, so I shall
review again and give what you suggest a go.

In my original DHCP config I handed out DNS servers in order: two
external and then the local internal one. My thinking was that this
top-down approach would work like this, since internal name resolution
was via WINS.

1. Client requests web page.
Client looks at its own routing info, hits the first external DNS,
then the second if no response.

Thanks. Josh.
On Sun, 23 Jan 2005 05:31:09 -0500, "Cary Shultz [A.D. MVP]"
<cwshultz@mvps.org> wrote:

<snip>
Anonymous
January 24, 2005 1:12:28 AM

I'll jump in with a couple of points if I may...

Firstly, the second (and third, etc.) DNS server is only ever used if the
first cannot be contacted. So, if the first cannot resolve a name it sends
a negative reply and this is used. The second is not then used.

Secondly, WINS is no longer the primary name resolution mechanism. DNS now
is. This means that any client configured with a DNS server will use that
to try and resolve the SRV records. If a negative reply is received, this
is 'used' and cached.

In an NT5.x-based network infrastructure (an AD forest) you **must** use an
internal DNS server that is authoritative for the DNS namespace that maps to
the AD domain name. You cannot point to external name servers. 99% of us
need to resolve external names, so this is usually achieved either through
forwarders or a proxy. Yes, an external DNS server is often noticeably
quicker than an internal one, but if this is causing a problem I suggest
implementing a proxy server. You might also find a caching-only DNS server
helpful in conjunction with your proxy.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


"Josh Davis" <none@nospam.net> wrote in message
news:o s58v0ldq7m89ck9rgomielshmcfpm5a1i@4ax.com...
<snip>
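An added example (not from any poster) that checks, from a domain-joined client, the two DNS conditions Cary and Paul argue for above: that no configured DNS server is outside the internal set (a secondary server is only tried when the primary is unreachable, and a negative answer for the SRV records is cached), and that each internal server actually answers the SRV queries domain controller location depends on. It assumes the DnsClient module (Windows 8 / Server 2012 or later); the server addresses and domain are placeholders.

```powershell
# Added example (not from the thread). Flags any client DNS server that is not one of
# the internal AD DNS servers, then confirms each internal server resolves the DC and GC
# locator SRV records. Assumes the DnsClient module; addresses/domain are placeholders.
param(
    [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11'),
    [string]$DomainName = $env:USERDNSDOMAIN
)

$problems = New-Object System.Collections.Generic.List[string]

# (1) Every IPv4 DNS server configured on any adapter must be internal. Order does not
#     save you: an external primary answers "no such name" for _msdcs records and the
#     client caches that instead of moving on to the internal secondary.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($InternalDns -notcontains $srv) {
            $problems.Add("Adapter '$($cfg.InterfaceAlias)' points at non-internal DNS server $srv")
        }
    }
}

# (2) Each internal server must answer the SRV lookups clients use to find a domain
#     controller and a global catalog server.
$srvNames = @("_ldap._tcp.dc._msdcs.$DomainName", "_gc._tcp.$DomainName")
foreach ($dns in $InternalDns) {
    foreach ($n in $srvNames) {
        try {
            $ans = Resolve-DnsName -Name $n -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $ans) { $problems.Add("$dns returned no SRV records for $n") }
        } catch {
            $problems.Add("$dns failed to resolve $n : $($_.Exception.Message)")
        }
    }
}

if ($problems.Count -eq 0) {
    "OK: only internal DNS servers are configured and SRV records resolve from each of them."
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}

# On the DHCP server, the same list check applies to what is handed out as option 6:
#   Get-DhcpServerv4OptionValue -OptionId 6 -All | Select-Object -ExpandProperty Value
```

External name resolution then belongs on the internal servers themselves (forwarders or root hints, as debated above), not in the client's server list.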