Solved

faking domain member with win2k and NT4 server

Posted on 2000-03-15
Last Modified: 2010-04-13
Is there any way I can make Windows NT4 server think I'm on the domain with a Windows 2000 workstation?  I can't add a computer account because I'm not the administrator.

The main problem is that the security settings on the NT4 server must be set to high.  I could access all the shares just fine with Windows 98, but now with Win2k, I can't.
Question by:tadams
13 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 2619248
If you put the workgroup name the same as the domain and log in using the same username and password as you have on the domain, you should get the same rights.

But why can't you just ask an administrator to add your computer to the domain?
0
 
LVL 32

Expert Comment

by:jhance
ID: 2619353
>If you put the workgroup name the same
>as the domain and log in using the
>same username and password as you have
>on the domain, you should get the same
>rights.


Hah!  This is wishful thinking and not the way NT Domain trust relationships work!  There is NO relationship between the WORKGROUP name and DOMAIN membership.  As an administrator of an NT Workstation you can set the workgroup to anything you want but this has NO EFFECT on the NT DOMAIN, of the same or any other name.

If you are participating in the DOMAIN, you need to have your computer added to the domain OR you will need to have your NT Server administrator set up the shares you need to use with individual account permissions so you can access them.  Believe it or not, there is a difference between your NT workstation account and your NT domain account even if the names/passwords are the same.

For example, let's say you are user "tadams".  On your NT workstation, you are just "tadams" or fully qualified, ".\tadams".  The account is LOCAL to the NT workstation and has NO DOMAIN RIGHTS.  If you logon to DOMAIN "EXPERT", you are now, "EXPERT\tadams".  This account has a specific set of privileges which are granted by the NT server for the domain and all of its members.

The problem with shares on an NT Server is that they may be shared ONLY to "EXPERT\xxx" users and you as a non-domain login have no rights to them.  

Note that the shares on the NT Server CAN BE configured to permit access by non-domain login users but your NT Administrator SHOULD BE reluctant to do this.  It's a security risk.


Back to your original question.  No, there is no way to "trick" NT Server into thinking you are a domain member when you are not.  This is the "heart" of NT Domain security and if it were easy to circumvent, NT security would be a joke.  On a PROPERLY configured NT Server, this is a very difficult situation to hack.
0
 
LVL 32

Expert Comment

by:jhance
ID: 2619357
By the way.  One last point.  The reason Win98 worked is because both it and Win95 don't participate in the NT Domains the way NT and W2K clients do.  They use a half-baked security scheme but don't share a trust relationship with the NT Server.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 2619648
Reason I suggested that is I have a domain at home and of course one at work and have a notebook.  Further, this notebook multi-boots with NT and 2000.  So I can't have the same name on each OS and be a member of the domain.  I don't recall having any connection issues as long as I use the same account name and password I use on the domain, and, come to think of it, I don't care about the workgroup name.
0
 
LVL 32

Expert Comment

by:jhance
ID: 2619848
leew,

Just to be clear.  It is possible to set up your NT Server in this way but it's not usually done in "real" setups.  It's convenient for private use like yours but on a company network where security is a vital concern and you just don't know who is hooking up, this is a serious issue.  Usually, only domain login accounts will be given access to shared network drives.  Sometimes everyone will be given access to printer queues but even this is uncommon in my experience.
0
 
LVL 1

Author Comment

by:tadams
ID: 2620623
I haven't gotten any new information yet.  I know that local accounts are different from domain accounts, and everything else that was said.

There are two buildings that I go to school on campus.  One I need to access a computer called student23, and the other is student42.  I can access student23 just fine doing as leew suggested, and I have been doing that for a while.  However, the student42 server must have a little bit more security than student23.

And the reason I can't ask the administrators to add me to the domain is that there are thousands of students, and if the administrators had to do it for everyone, they would get bogged down.
0
 
LVL 32

Expert Comment

by:jhance
ID: 2620671
Just because you don't like the answer doesn't make it any less correct.

There is no getting around this issue without the cooperation of the domain administrator.
0
 

Expert Comment

by:ScottW
ID: 2621283
Sorry but jhance is correct.  You will need a Domain Admin to give your account permissions on the second server.  Just because you can access one server without a problem does not make it so for all servers.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 2621328
I see what you're saying - I take for granted share level permissions (we just set the file permissions and leave the shares open to everyone, thus relying on NTFS permissions).
0
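The two setups contrasted in this thread (shares restricted to domain accounts versus shares left open with NTFS permissions as the only control) can be told apart on a server with an audit like the following. This is an added example, not part of the original thread; it assumes a current Windows Server with the SmbShare module rather than NT4, English principal names, and the hypothetical function name `Get-OpenShareReport`.

```powershell
# Added example: find SMB shares whose share-level ACL admits broad principals,
# then check whether NTFS on the shared path is the only remaining restriction.
# Assumption: English-language principal names; adjust for localized systems.
$broad = @(
    'Everyone',
    'BUILTIN\Guests',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users'
)

function Get-OpenShareReport {
    # -Special $false skips IPC$ and the administrative shares (C$, ADMIN$).
    foreach ($share in Get-SmbShare -Special $false) {
        if (-not $share.Path) { continue }   # e.g. shares with no file system path

        # Share-level "Allow" entries for broad principals.
        $grants = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $broad }
        if (-not $grants) { continue }       # share ACL already limited to named accounts

        # NTFS "Allow" entries for the same broad principals on the shared folder.
        $ntfs = (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.IdentityReference)" -in $broad }

        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            ShareGrants = ($grants | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsBroad   = ($ntfs | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            Exposure    = if ($ntfs) { 'share AND NTFS both broad' } else { 'share broad, NTFS restricts' }
        }
    }
}

# Run from an elevated session on the file server being reviewed.
Get-OpenShareReport | Sort-Object Exposure | Format-Table -AutoSize -Wrap
```

Rows marked "share AND NTFS both broad" are the configuration jhance describes as a security risk; rows marked "share broad, NTFS restricts" match the setup Lee W describes, where the file permissions carry the whole access decision.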
 
LVL 1

Author Comment

by:tadams
ID: 2621833
I'm not going to give the points until I decide on whether it can be done or not.  If I find a solution, then no one will get the points.  If I can't find any other solution, then jhance will get the points.
0
 
LVL 32

Accepted Solution

by:
jhance earned 100 total points
ID: 2621857
If that's your stinkin' attitude, keep your points.  I certainly don't need them....  Good luck in your quest.
0
 
LVL 1

Author Comment

by:tadams
ID: 2622392
Attitude?  What the heck are you talking about?  I haven't got any attitude.  I simply said that if I can figure out a way to do it, then your answer would not be correct!  Hence you shouldn't get the points.  On the other hand, if I can't figure out a way of doing it, then you will get the points.

wtf is wrong with that?
0
 
LVL 1

Author Comment

by:tadams
ID: 2670662
I am giving you your points for your previous answer.  I have been unable to find another solution!
0
