2003 AD integration with local Administrator accounts on XP/Win2K


Josh Davis

Hi all, we are migrating from NT4 to a Windows 2003 server.

My users are all engineers that have local accounts on their PCs.
Each local account has full Administrator access so they can do
whatever they want with their PC. Currently their PCs are configured
to work in a workgroup.


I would like all of these end users to be a part of our new domain.

A couple of questions come to mind.


1. How can AD be configured so that the user logging into the
domain has full control of their local PC but not admin access
to the actual domain?


2. Would I be correct in assuming that in the AD scheme of things,
when a PC logs onto AD it is really becoming a
member server of the domain, just like the method used for
adding, say, a workstation/server to an NT domain?



Thanks for your insight and assistance.

Josh.

Brian Desmond [MVP]

1. The Restricted Groups feature of GP makes this easy to implement on a
large scale. Just define the Administrators group and put everyone you want
in there (incl. Domain Admins and the local Administrator account).

2. Yes, essentially. In AD, a workstation and a member server account are
identical, really.

--
--Brian Desmond
Windows Server MVP

www.briandesmond.com

Cary Shultz [A.D. MVP]

Set up the Domain. Make sure that you create a user account object for each
of these users. You will have to join each of the workstations to the
domain ( well, you do not have to..... ). Then, the users can log on with
their domain user account object. You can make sure that they keep the
settings and such if you use Windows Explorer on each computer....

Each workstation is joined to the domain in the usual fashion. Just make
sure that DNS is configured correctly. You want to have only your internal
DNS Server information being handed out to the clients ( usually via DHCP ).
Do not include your ISP's DNS Server information. That belongs in the
Forwarders tab ( in the DNS MMC ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

lforbes

Hi,
1. How can AD be configured so that the user logging into the domain
has full control of their local PC but not admin access to the actual
domain?

Yes, I do it all the time. Create the users' domain accounts as regular
users. After adding the workstation to the domain, go to Computer
Management - Users and add the user's domain account to the local
Administrators group on the local workstation. Computer Management
can be done remotely once the workstation is joined to a domain, so you
don't have to be sitting at the machine.
Would I be correct in assuming that in the AD scheme of things, when
a PC logs onto AD it is really becoming a member
server of the domain, just like the method used for adding, say, a
workstation/server to an NT domain?

Actually they are a workstation in the domain, just like NT. A member
server is actually a Windows 2000/03 server joined to the domain but not
as a DC.

Check out my website to make sure you set up DNS correctly. Also, when
creating the domain name, it is recommended to use the .local
extension instead of a public one like .com or .net.

http://www.sd61.bc.ca/windows2000

Cheers,

Lara
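Whether membership is pushed with Restricted Groups as Brian describes or each engineer's domain account is added by hand as Lara does, the thing to check afterwards is that the local Administrators group on every workstation holds only what was intended. The script below is an added example, not code from any poster; it assumes a made-up domain CORP, workstation PC-ENG01 and user jdavis, and uses the WinNT ADSI provider so it can be run from a newer admin box against Windows 2000/XP targets.

```powershell
# Added example: audit a workstation's local Administrators group against the
# membership you intended to grant. CORP, PC-ENG01 and jdavis are made-up names.
param(
    [string]$Computer = 'PC-ENG01',
    # What we intend: built-in Administrator, Domain Admins, and this PC's engineer.
    [string[]]$Expected = @('Administrator', 'CORP\Domain Admins', 'CORP\jdavis')
)

function Get-LocalAdministrators {
    param([string]$Computer)
    # The WinNT provider works for Windows 2000/XP targets (Get-LocalGroupMember does not).
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://CORP/jdavis for domain principals and
        # WinNT://CORP/PC-ENG01/Administrator (or WinNT://PC-ENG01/Administrator)
        # for local ones: the element before the name is the issuing authority.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $authority = if ($parts.Count -ge 2) { $parts[-2] } else { $Computer }
        if ($authority -eq $Computer) { $name } else { "$authority\$name" }
    }
}

$members    = @(Get-LocalAdministrators -Computer $Computer)
$unexpected = @($members  | Where-Object { $Expected -notcontains $_ })
$missing    = @($Expected | Where-Object { $members  -notcontains $_ })

"Local Administrators on ${Computer}: $($members -join ', ')"
if ($unexpected) { "UNEXPECTED (remove or document): $($unexpected -join ', ')" }
if ($missing)    { "MISSING (intended grant absent):  $($missing -join ', ')" }
if (-not $unexpected -and -not $missing) { "Membership matches the intended list." }
```

Run it against each joined workstation from a domain-admin session; anything in UNEXPECTED is exactly the kind of silent extra grant Cary warns about later in the thread.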

Josh Davis

Thanks Lara... great info..

Josh..

Josh Davis

Hi Cary, I normally assign the ISP's DNS settings via DHCP. Surely if
a local caching internal DNS server is set up for AD integration
there is no need to use the Forwarders tab? I am really curious about
this; can you give me some more info on it?

The specific reason I assign via DHCP is that if the internal DNS
server dies my users can still access Internet web pages.

Thanks, Josh.

Cary Shultz [A.D. MVP]

BAD! BAD! BAD!

The only DNS Server information that your local clients should ever ever
ever use is your INTERNAL DNS Server(s). There should never never never be
any mention of any outside DNS Server(s).

Why? Because your clients need to be able to find and resolve SRV records.
These are the 'Service Records' in your DNS. They help your clients find
such things as Domain Controllers and Global Catalog Servers - among others.
If they cannot resolve these records then there is going to be a lot of fun
things going on......not fun for your user base, fun for you! ;-)

Please take a look at the following MSKB Articles:

http://support.microsoft.com/?id=247811
http://support.microsoft.com/?id=314861

I might rethink your setup and change it immediately. Meaning, change your
DHCP options and remove any mention of any 'external' DNS Server(s).

And you do not need to use the Forwarders tab. The Root Hints are available
as soon as you delete the "." zone in your Forward Lookup Zone in the DNS
MMC ( well, it does take a few minutes for them to become available ). But
that is a long-standing battle in the DNS news group. Do you use the Root
Hints or Forwarders tab? If you do input information in the Forwarders tab
then it is used first and in the event that it is not able to do anything
the Root Hints come into play.

Can not tell you what to do....can only suggest things.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

Cary Shultz [A.D. MVP]

Lara,

just a couple of comments in-line........

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



lforbes said:
Hi,


Yes, I do it all the time. Create the Users Domain Accounts as regular
users. After adding the workstation to the Domain go to the Computer
Management - Users and add the Users Domain Account to the local
administrators group on the local workstation. Computer management
can be done remotely once workstation is joined to a domain so you
don't have to be sitting at the machine.

Just as a general piece of advice, I never never never promote adding the
regular domain user account objects to the local computer's Administrators
group. This allows the domain user account object to have access to
everything and anything. I can tell you war stories about idiots ( and I
specifically used that term ) who deleted all of the files from the
c:\winnt\fonts folder so that they could make more room for the music files
or so that they could add their own fonts ( she did not want to be confused
as to what fonts she added so she just deleted them all and then added hers
to the fonts folder ). Or how people will install all of this Spyware
crappola ( such as the Time Precision or Hotbar or Weatherbug or..... ). Or
the registry edits that they make! Cannot tell you how many computers I
have had to wipe and load because of this ( worked in the Entertainment
Industry so there was no time to really fix things.... ). And of course
very few people will admit to doing anything...."It just started doing
this!" is what I usually was told.

There are some older ( and newer ) software applications that require that
the user account object being used to install the software has
Administrative privileges during the installation. Bad! I typically use
Filemon and Regmon from http://www.sysinternals.com to find out exactly what
keys and / or directories are causing the problems. Then you can change
that / those.

Generally, this is a really bad idea....especially in a large environment.
I took care of some 300 users - essentially by myself - and you can waste a
lot of time trying to figure out what these knuckleheads have done (
specifically those that will not admit to anything.... ).

Just my stance on this topic....Does not make it right or wrong or yours
right or wrong. I would just simply - behind the scenes - fight tooth and
nail against this. Well, to a point! Power Users would be more acceptable.
But that all depends!

And adding the user account object to the local computer's Administrator
group should have no bearing whatsoever on remote Administration of said
computer account object. This is possible already.......Domain Admins =
local Administrator.....

Actually they are a workstation in the domain, just like NT. A Member
server is actually Windows 2000/03 server joined to the domain but not
as a DC.

Correct! But, I *think* that Brian was talking about the way that a
workstation is added to the domain. It is the same procedure as a Member
Server. And, Brian could also have meant that the userAccountControl value
is 4096......

Check out my website to make sure you setup DNS correctly. Also when
creating the Domain name, it is recommended to use the .local
extension instead of a public one like .com or .net.

While there are many who would support this approach, I am not so sure that
there is a problem using 'yourdomain.com' as your internal namespace as well
as your external name ( the so-called Split Brain configuration ). Just
about everywhere I have worked has had this type of set up. And, if you
use Macs, using the .local extension is supposed to cause a lot of grief
for the Macs. Not sure as I have never worked in a .local environment where
there were Macs......

Josh Davis

Hi Cary, I appreciate your insight but found for some reason in
the past that over time my internal DNS server got dog slow and
in certain cases was simply unable to resolve web pages from internal
clients. Now perhaps I had something configured incorrectly, so I shall
review again and give what you suggest a go.

In my original DHCP config I handed out DNS servers in order: two
external and then the local internal one. My thinking was that this
top-down approach would work like this, since internal name resolution
was via WINS.

1. Client requests web page.
Client looks at its own routing info, hits the first external DNS,
then the second if no response.

Thanks. Josh.

ptwilliams

I'll jump in with a couple of points if I may...

Firstly, the second (and third, etc.) DNS server is only ever used if the
first cannot be contacted. So, if the first cannot resolve a name it sends
a negative reply and this is used. The second is not then used.

Secondly, WINS is no longer the primary name resolution mechanism. DNS now
is. This means that any client configured with a DNS server will use that
to try and resolve the SRV records. If a negative reply is received, this
is 'used' and cached.

In an NT5.x-based network infrastructure (an AD forest) you **must** use an
internal DNS server that is authoritative for the DNS namespace that maps to
the AD domain name. You cannot point to external name servers. 99% of us
need to resolve external names, so this is usually achieved either through
forwarders or a proxy. Yes, an external DNS server is often noticeably
quicker than an internal one, but if this is causing a problem I suggest
implementing a proxy server. You might also find a caching only DNS server
helpful in conjunction with your proxy.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
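Cary's point about SRV records and Paul's point that a negative answer from the first listed server is final can both be checked directly on a client. The script below is an added example, not code from any poster; it assumes the made-up domain name corp.local and needs the DnsClient cmdlets (Windows 8 / Server 2012 or later on the machine running it); on older clients the equivalent check is nslookup -type=SRV against each configured server in turn.

```powershell
# Added example: ask every DNS server the client is configured with, in resolver
# order, for the domain-controller locator record. 'corp.local' is a made-up name.
param([string]$Domain = 'corp.local')

function Test-DcLocatorRecord {
    param([string]$Domain, [string[]]$Servers)
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    foreach ($s in $Servers) {
        try {
            $answer = Resolve-DnsName -Name $srv -Type SRV -Server $s -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            if (-not $answer) { throw "no SRV records in answer" }
            $dcs = ($answer | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            [pscustomobject]@{ Server = $s; Result = 'OK';   Detail = $dcs }
        } catch {
            [pscustomobject]@{ Server = $s; Result = 'FAIL'; Detail = $_.Exception.Message }
        }
    }
}

# Resolver list in the order Windows uses it. A FAIL on the *first* server matters
# most: an NXDOMAIN from it is cached and the client never asks the next one, which
# is why an external resolver listed first breaks DC location and Group Policy.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

Test-DcLocatorRecord -Domain $Domain -Servers $servers | Format-Table -AutoSize
```

With Josh's original DHCP ordering (two external servers, then the internal one) the first two rows come back FAIL and the client never reaches the OK row, which is the failure Paul describes.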

lforbes

Hi Cary,
Generally, this is a really bad idea....especially in a large
environment.

Oh yes, I do agree. Actually I have 2000 users per domain in 2
different domains. I only have 5 who have local administrative access
(due to politics). They are techs themselves but still I have them run
spyware and updates to antivirus. Their machines are patched nightly
with WUS and I have two firewalls (one hardware and one ISA) that
block all ports but 80.

I have gotten pretty much every program to run under a regular user,
even AutoCAD, which Autodesk said "couldn't be done".
I am not so sure that there is a problem using
'yourdomain.com' as your internal namespace as well

Oh, I am =) I have done some troubleshooting of serious problems with
domains set up with the .com extension (had to do a complete reinstall on
all). Most of the time it was that they actually didn't own the URL
and therefore their DNS was conflicting with external DNS. Microsoft
recommends using the .local extension. It is of course possible to
set up a working internal and external DNS with the public extension.
However, you do need to know your DNS inside and out to make sure it
is set up correctly and secure. What I have found is that most don't
and just do it anyway. Not sure what the issue is with the Macs; I
run about 100 Macs in my domain from 7.5 to OS X with no problems.

Cheers,

Lara

lforbes

Hi,
Hi Cary, I appreciate your insight but found for some reason in
the past that over time my internal DNS server got dog slow and
in certain cases was simply unable to resolve web pages from internal
clients. Now perhaps I had something configured incorrectly, so I shall
review again and give what you suggest a go.

I have to agree with Cary on the DNS issue. Your DNS server should be
the only one that is in your clients' primary DNS tab, otherwise it will
pretty much kill any Group Policies etc. I am not sure whether you
have a firewall or proxy server set up? The nice thing about that is
you can just point to it for Internet and don't need forwarders on
your DNS if you don't want to.

Cheers,

Lara