"join a domain" or not

  • Thread starter: jmarra

I didn't see any posting protocols, so I apologize if I'm bypassing
some rules.

I am getting ready to set up an XP Pro SP2 laptop with remote access to
my company's server (Windows Server 2003). I'm not sure of the best
way to accomplish this, but I do know of 2 options that seem to work
well. I've tested both successfully; however, since I am a user and
not an admin, I am not knowledgeable enough to evaluate the pros and
cons of the two approaches. Can someone help me understand the
trade-offs?
Opt 1) Leave the laptop as a member of a workgroup. Sign-in to machine
with a local account. Use a VPN connection to establish connection to
work.
Opt 2) Change the laptop to be a member of the company domain. Add the
domain user to the laptop. Sign in as this user (even when not
connected directly to company domain). Use a VPN connection to
establish connection to work.

I've found the following benefits with option 2:
* My login scripts ran from the server and mapped some drives for me
(as opposed to initially mapping the drives manually in option 1). Not
a biggy to me.
* I could walk into work, plug in an ethernet cable, and be directly
connected to the domain without using VPN.

Other than the above, no differences have really jumped out at me.
From what I've read, it seems like I could be missing out on some
group-policy domain stuff, but this is not used much (if at all) by the
company (for better or worse). It should be noted that this laptop
will rarely connect directly to the network (almost always in a remote
location using VPN). This makes the second benefit above kind of
small.

I'm inclined to stick with option 1 since it seems to remove a layer of
complexity, and will maybe let me interact with my home network more
easily (if I ever choose to do that). Any insights? Other options I
should be exploring? Reasons for going with option 2?

Thanks very much.
 
The differences between domain and workgroup membership will vary, according to
installation, and to domain (organisational) policy. Since it's a Server 2003
domain, I'd bet there are some domain policies which may be relevant to you,
even if you don't know about them. Also, what resources do you need to access?
Are there local accounts on each server, in addition to domain permissions, to
let you access everything as a workgroup member?

Generally, when AD is implemented, local server accounts are not provided as
granularly as without AD. An AD infrastructure requires a lot of work to
develop and to maintain, and most organisations won't spend time on local access
maintenance, if they have AD.

Have you asked your IT group for recommendations? If they have Server 2003 with
Active Directory set up, I'd bet there are various Group Policies in place which
make the network safer. It's probably to the benefit of your employer (and to
your benefit) to use AD as much as possible.
 
Since your company uses an AD domain, they may have certain policies that
restrict access to certain resources, whether web based or local network
based. The company does have LEGAL liabilities and responsibilities
regarding your access to their network, thus making your computer used to
access their network (even if owned by yourself) open to inspection by them.
There ARE laws regarding this issue, and they favor the company ALWAYS.

Due to these legalities, I would join the domain immediately, even though
this will reduce access to many features on your computer, or, ask the
company to get a laptop for you that IS owned by the company for company
network access and NEVER connect using your own.

Option is of course yours, but I NEVER connect to my company's VPN with a
computer that I own. That is my property until I connect to the company
network and then it becomes theirs.
Just my .02
TW
 
Thanks very much for the replies.

In hopes that I'll learn a little more, what if we assume the
following:
a) The company/IT department is fine with either option
b) Expected usage is to simply access files on the server and maybe
webserver (both of which I tested with originally to ensure that either
option worked)

All that said, is one option performing the network gymnastics quicker
than the other option? That is, is logging into the domain and then
VPN'ing moving traffic faster than a local user VPN'ing?

Thanks again for your thoughts.
 
If you are VPN'ing into your company then there is only the overhead of the
domain on logon and the applying of logon scripts. You probably already see
the latency
 
Assuming that you can set up a domain or workgroup client, with equivalent
authentication, accessing network resources will probably be the same.

I, personally, would use domain authentication, for convenience if nothing else.
Changing your password in a workgroup setup requires changing it on each client
and server individually. And I believe in changing my password regularly.
 
