Mobile users/diff. domains-is this possible???

Fran

I have 4 mobile users that travel from office to office. Each office
has a LAN/Domain (but they're otherwise not connected)

When the mobile user (A VP in this case) goes to office A (Domain-A)
he needs to join the domain and authenticate. When he goes to office B
(Domain-B) he needs to be able to join THAT domain.

All of these are Windows 2000 domains but they are not part of a
larger, connected forest. (not yet, anyway)

Is it possible to set up an account on each domain so he can join when
he logs in?

Fran
 
Herb Martin

> I have 4 mobile users that travel from office to office. Each office
> has a LAN/Domain (but they're otherwise not connected)
>
> When the mobile user (A VP in this case) goes to office A (Domain-A)
> he needs to join the domain and authenticate. When he goes to office B
> (Domain-B) he needs to be able to join THAT domain.

This never works perfectly.

Each time he leaves a domain, his account is lost
and must be recreated in the other domain (or at
least reset but I haven't tested that) -- admins
generally must get involved.

> All of these are Windows 2000 domains but they are not part of a
> larger, connected forest. (not yet, anyway)

It wouldn't matter unless there were a functioning
trust.

> Is it possible to set up an account on each domain so he can join when
> he logs in?

Yes. But you are giving the user (some) admin
privileges -- you can delegate joining computers to
the domain in AD User/Computers (right click Delegation
wizard) but then you must teach the user to do this,
provide tools (like AD Users/Computers ) etc.
(A batch file probably makes more sense.)

But consider this: Do you really need the user's computer
in the "other" domain, or does the user merely need to
access domain resources?

Either way you must create two user accounts for each
user so why not just leave the computer in domain 1,
log the user on in domain 1 (cached credentials), and
then have the user EXPLICITLY authenticate for
access to resources in domain 2?

This is not a perfect solution, at best it requires user
education (but far less than teaching the user to change
machine domains), and perhaps will not work (easily)
for some unusual resources....it works great and this
is the way professional consultants (who move from
company to company) have been doing it for years.

E.g.,

net use * \\ServerInDomain2\share * /user:Domain2\UserDomain2
 
Fran

I guess that will have to do. I suppose I can set up some type of
scripting on the other servers to reconnect non-persistent shared
drives on the other LAN's.

Thanks for the explanations, too.

-Fran-
 
Herb Martin

> I guess that will have to do. I suppose I can set up some type of
> scripting on the other servers to reconnect non-persistent shared
> drives on the other LAN's.

That's what I do.

net use Q: \\Server\share * /user:OtherDomain\OtherUserAccount

The * asks for the password from the live user.

> Thanks for the explanations, too.
 
Bruce Sanderson

You can also use:

net use \\server\IPC$ * /user:domain\otheruseraccount

This causes an authentication on the target server. After that, the user
can connect to shares, including printer shares on that server. This is
really useful for people using non-domain computers that have domain user
accounts (e.g. contractors).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
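
The approach from the replies above, put together as a batch file (an added example, not code posted by anyone in the thread; the server, domain, account and share names are placeholders). It authenticates once against IPC$ with a password prompt, then maps drives non-persistently over that session, so no password is stored in the file or remembered across logons.

```batch
@echo off
rem Added example, not from the thread. SERVER, ACCOUNT and the share
rem names passed to :map are placeholders; substitute your own.
setlocal
set SERVER=ServerInDomain2
set ACCOUNT=Domain2\UserDomain2

rem Drop any stale session to the server first; Windows refuses a second
rem connection to the same server under a different user name.
net use \\%SERVER%\IPC$ /delete >nul 2>&1

rem Authenticate once. The * makes net use prompt for the password,
rem so it never appears in this file or on the command line.
net use \\%SERVER%\IPC$ * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo Authentication to %SERVER% failed.
    exit /b 1
)

rem Map drives over the session just established; no further prompt.
call :map Q: share
call :map R: reports
exit /b 0

:map
rem %1 = drive letter, %2 = share name on %SERVER%
net use %1 /delete >nul 2>&1
net use %1 \\%SERVER%\%2 /persistent:no
if errorlevel 1 echo Could not map %1 to \\%SERVER%\%2
goto :eof
```

Running `net use \\ServerInDomain2\IPC$ /delete` before leaving the office ends the authenticated session on a shared or borrowed machine.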
 
