tadams


faking domain member with win2k and NT4 server

Is there any way I can make Windows NT4 server think I'm on the domain with a Windows 2000 workstation?  I can't add a computer account because I'm not the administrator.

The main problem is that the security settings on the NT4 server must be set to high.  I could access all the shares just fine with Windows 98, but now with Win2k, I can't.
Lee W, MVP

If you put the workgroup name the same as the domain and log in using the same username and password as you have on the domain, you should get the same rights.

But why can't you just ask an administrator to add your computer to the domain?
jhance

>If you put the workgroup name the same
>as the domain and log in using the
>same username and password as you have
>on the domain, you should get the same
>rights.


Hah!  This is wishful thinking and not the way NT Domain trust relationships work!  There is NO relationship between the WORKGROUP name and DOMAIN membership.  As an administrator of an NT Workstation you can set the workgroup to anything you want but this has NO EFFECT on the NT DOMAIN, of the same or any other name.

If you are participating in the DOMAIN, you need to have your computer added to the domain OR you will need to have your NT Server administrator set up the shares you need to use with individual account permissions so you can access them.  Believe it or not, there is a difference between your NT workstation account and your NT domain account even if the names/passwords are the same.

For example, let's say you are user "tadams".  On your NT workstation, you are just "tadams" or fully qualified, ".\tadams".  The account is LOCAL to the NT workstation and has NO DOMAIN RIGHTS.  If you log on to DOMAIN "EXPERT", you are now, "EXPERT\tadams".  This account has a specific set of privileges which are granted by the NT server for the domain and all of its members.

The problem with shares on an NT Server is that they may be shared ONLY to "EXPERT\xxx" users and you as a non-domain login have no rights to them.

Note that the shares on the NT Server CAN BE configured to permit access by non-domain login users but your NT Administrator SHOULD BE reluctant to do this.  It's a security risk.


Back to your original question.  No, there is no way to "trick" NT Server into thinking you are a domain member when you are not.  This is the "heart" of NT Domain security and if it were easy to circumvent, NT security would be a joke.  On a PROPERLY configured NT Server, this is a very difficult situation to hack.

By the way.  One last point.  The reason Win98 worked is because both it and Win95 don't participate in the NT Domains the way NT and W2K clients do.  They use a half-baked security scheme but don't share a trust relationship with the NT Server.

Reason I suggested that is I have a domain at home and of course one at work and have a notebook.  Further, this notebook multi-boots with NT and 2000.  So I can't have the same name on each OS and be a member of the domain.  I don't recall having any connection issues as long as I use the same account name and password I use on the domain, and, come to think of it, I don't care about the workgroup name.

leew,

Just to be clear.  It is possible to set up your NT Server in this way but it's not usually done in "real" setups.  It's convenient for private use like yours but on a company network where security is a vital concern and you just don't know who is hooking up, this is a serious issue.  Usually, only domain login accounts will be given access to shared network drives.  Sometimes everyone will be given access to printer queues but even this is uncommon in my experience.
tadams

ASKER

I haven't gotten any new information yet.  I know that local accounts are different from domain accounts, and everything else that was said.

There are two buildings that I go to school on campus.  One I need to access a computer called student23, and the other is student42.  I can access student23 just fine doing as leew suggested, and I have been doing that for a while.  However, the student42 server must have a little bit more security than student23.

And for the reason I can't ask the administrators to add me to the domain is because there are thousands of students, and if the administrators had to do it for everyone, they would get bogged down.

Just because you don't like the answer doesn't make it any less correct.

There is no getting around this issue without the cooperation of the domain administrator.

Sorry but jhance is correct.  You will need a Domain Admin to give your account permissions on the second server.  Just because you can access one server without a problem does not make it so for all servers.

I see what you're saying - I take for granted share level permissions (we just set the file permissions and leave the shares open to everyone, thus relying on NTFS permissions).
tadams

ASKER

I'm not going to give the points until I decide on whether it can be done or not.  If I find a solution, then no one will get the points.  If I can't find any other solution, then jhance will get the points.
ASKER CERTIFIED SOLUTION
jhance

tadams

ASKER

Attitude?  What the heck are you talking about?  I haven't got any attitude.  I simply said that if I can figure out a way to do it, then your answer would not be correct!  Hence you shouldn't get the points.  On the other hand, if I can't figure out a way of doing it, then you will get the points.

wtf is wrong with that?
tadams

ASKER

I am giving you your points for your previous answer.  I have been unable to find another solution!