edbuck

asked on

The usual workgroup/domain access questions, but with a user profile twist

Hi all,

I use a laptop running XP Pro in several environments (work, university, home). Work uses a domain, University uses either a domain or a workgroup depending on the location, and home uses a workgroup.

The domain environments are typical (network printers, servers, computers). The workgroup environments are likewise typical and have shared folders and printers. Occasionally, the workgroup will also support a print server. Consequently, I need to join both workgroups and domains as I move about. How to do this is a basic question I see all over this site.

My wrinkle is that I need to be able to use the *same* user profile in all these separate environments. My professional duties require that I access the tools stored in my primary (work) user profile when I'm away from the office.

As usual, if I leave my domain to join a workgroup, then I'm able to continue working with the current desktop until I reboot, then I'm dropped into a different profile and cannot reaccess my work files. I know I can just keep the computer 'joined' to the domain while I'm away, but then I cannot access any of the workgroup files or printers.

On a personal note, it seems incredulous to me that Windows does not allow a single user profile to move between domains and workgroups in a more user friendly manner. I understand the argument that once you leave a domain you need to rejoin that domain before you can access resources on that domain, but I should still be able to access the same profile space on my laptop regardless of how I log in.

I hope I've been clear with this. And thanks in advance for the help!
 
ASKER CERTIFIED SOLUTION
Fatal_Exception

This solution is only available to members.
BTW:  Windows does not allow moving between domains though...  You can only authenticate to one domain at a time...
edbuck

ASKER

Thanks for the response.  I'll try the command line/DOS (sic) script approach to address my workgroup issues for spaces where I have access to the details.  I assume that the '\\path' term will also work for the print servers?

However, having to script a batch file for every different workgroup environment seems awkward at best, especially for those who cannot remember the days of the command line. (My earlier gripe was that the OS doesn't just support this within the GUI since there must be a lot of workers who use laptops. Surely, MS doesn't expect everyone to be able to write scripts?)

Ok, that being said, I'm more interested in the profile issue since this directly affects the usefulness of the laptop in doing my job performance.

Is there some way to force a single, dedicated profile for logins into different domains? I believe that when I leave domain A for domain B, I'll get a new profile when I log back on. I understand your BTW about authenticating into only one domain at a time. This is not an issue for me... I just need the same profile everywhere.

Alternatively, is there a way to synchronize two profiles? This way any changes I make in one gets reflected to the other, which results in it looking like there's only one profile when there are in fact two.

Thanks again!
If your Computer Browser Service is turned on, and if NetBIOS over TCP/IP (Advanced Properties window) is set up, then you should be able to search for any computers that are on the LAN using the Network Browser (My Network Places)...  You will still have to authenticate to the computer and the shares which you wish to connect to though.  My preferred method is just to use the Run Line, as long as you know the IP address or FQDN of the computer.  To connect, make sure that the computer you are connecting to has the firewall turned off first.

As long as your computer has the Work Offline feature enabled in your profile Group Policy, you really don't ever need another profile to load.  For instance, on my laptop, I only connect to my domain once every two weeks or so just to backup (synchronize) my important files.  Otherwise, I use the local profile for everything I do, including plugging into my client's domains/workgroups, etc....  Since my laptop is configured to only use the local profile (not Roaming Profiles), it never changes....   In fact, the only time I log in locally is to make administrative changes to the computer...

FE
edbuck

ASKER


This is getting better...

Let me understand this.. Disabling Roaming Profiles defaults you to local profile regardless of how you log on? (Probably not, eh?)

To continue, always logging onto the local machine (eg, laptop) rather than onto a domain or workgroup will, by default, load a single, local profile. I can then join a domain or workgroup from within that profile via the usual methods (My computer/ Identification). How is the 'new profile' issue handled when you execute the commensurate reboot in this model? In addition, I expect that any logon scripts within the domain do not execute without the reboot. (Not the end of the world given the potential benefits.) Finally, are there any problems associated with getting back to your local domain once you've joined a (remote) domain? For example, must you disjoin from the remote domain while still connected to it?

Correct my thinking please... Once I understand what I'm doing, I'll give everything a try. Does everything hinge on the Roaming Profile adjustment?

Thanks for the assistance!

EB

This can get a little complicated for the user not accustomed to how Domains and Roaming profiles work.  Basically there are three types of profiles:  Roaming, Mandatory, and Local.  As a Domain Administrator, I can set the domain up for any of the three using Active Directory on my Domain Controller.  In an environment like the one you wish to use, I would configure your User Properties in ADUC (on the DC) to use your Local Profile only.  Logon Scripts will still run when you log into the domain, regardless of the type of profile you are using.

Now, joining a different domain presents a whole new set of problems.  Therefore the reason you cannot join multiple domains at once.  Again, I would advise you to configure your system to join only one domain, then if you need access to another domain, you could have some batch files that allow you access to the specific domain resources you may need to reach, including printers.  And I would advise you to forget about 'joining' a workgroup, as these resources can also be reached while still joined to your original domain.

Finally, I would speak to your Network Administrator regarding these issues as they should be able to help you understand exactly the steps required for making any adjustment outside the domain.

I hope this all is making more than a little sense as I type this.  It is much like everything else in this world.  Without a good grounding in how networks, especially W2K/3, work, it can be a little daunting.

FE
edbuck

ASKER


Unfortunately, there is no Network Admin at work to ask, which is why I'm here. (Don't ask. It's too complicated to explain.) I'm the guy maintaining the network now.

Nevertheless, I understand Domains and Profiles somewhat. At work we have a single domain. All users log on from a local profile. Logging on launches a server based, user specific script which assigns various network resources to that user. We do not use roaming or mandatory profiles in any way. This means, of course, that I've always used local profiles exclusively. Besides, a roaming profile would be useless once I leave the domain space.

Which brings me back to my fundamental problem. Let's call the work domain Domain W and let's call a lab domain Domain L. When I visit a lab, and if I need to access Domain L, I boot my laptop to Domain W (which fails because the proper DC is absent) and then join Domain L. The important step is to not reboot the machine when it requests so following the domain change. This way I get to use my primary profile (the one from Domain W) with all its tools, but can access the printers and computers on Domain L through the Network Neighborhood.

Unfortunately, once I do this I cannot get back into the Domain W profile until I get back to work, which is hell if I need to visit two labs in one day! To address this I've taken to copying the Domain W profile to the new domain profile as I move about. However, it's an ugly process requiring me to first log onto the new domain to create a profile, then log off and log onto my laptop as an admin, copy the Domain W profile into the new profile, log off admin, and finally log back on to the new domain which will now have the Domain W profile and tools present.

So, is there a better way to do this? All I want is one profile that works everywhere.

On another note, did you suggest in your last response that I can access the resources on Domain L without actually joining that domain? This strikes me as a serious security vulnerability.

Finally, I want to thank you, FE, for your help to date. In addition to addressing a serious problem at work (I'm not the only one using a laptop), I'm enjoying the exchange with you since I don't generally have anyone to talk with about this stuff.

Regards.

edbuck

ASKER

BTW: What about the Work Offline feature you spoke of earlier? Is this a key for me? (I missed this before...)
Okay.  The situation is much clearer now.  And yes, you are taking steps that the normal user never has to dream about, and on top of that, it is an administrative nightmare.  (And with IT budgets being so slim these days, I also understand the situation within your company.  Sure do wish it were the 90's again, eh?..:)

You simply cannot configure a system to use the same profile in different domains.  And since you are not using Roaming Profiles, and only Local ones, I assume that is the one you log into when you are unattached to the Domain (being the same profile).  When you logon with that profile at the lab, it cannot authenticate, so it loads that Local Profile regardless, but it is what I call the Work Offline mode.  This is allowed since it has it as part of the Group Policy that it acquired when you last logged into the Domain.  

Now, just because you are a member of a different domain does not mean that you cannot use resources on the lab domain.  I assume you already have permissions on the lab domain, since you can join it.  If so, you can just use those batch commands above to authenticate to whatever shares you need to access, as long as you use the username and password of your account at the lab.  You can even map a printer share with the Net Use command.  There are also the netsh commands, but I think that Net Use would be easier to use in this situation.  

I will give this some more thought tonight, as I have never been in quite this situation.  Perhaps after a good night's sleep, eh?  

FE
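
The approach described in the reply above (stay joined to one domain and authenticate to the other domain's shares and printer with Net Use), as an added example that is not part of the original thread. The server, domain, share and printer names are hypothetical placeholders; the password is prompted for rather than stored in the file.

```batch
@echo off
rem Added example, not from the thread. The laptop stays joined to Domain W
rem and uses a Domain L account only for the specific shares it needs.
rem All names below are hypothetical placeholders.
setlocal
set LAB_SERVER=LABSRV01
set LAB_DOMAIN=DOMAINL
set LAB_SHARE=data
set LAB_PRINTER=labprinter

if "%~1"=="" goto usage
if /i "%~1"=="disconnect" goto disconnect
set LAB_USER=%~1

rem "*" makes net use prompt for the password, so no credential is stored
rem in this file. /persistent:no stops the mapping from being restored at
rem the next logon, when the lab network may not be the one you are on.
net use L: \\%LAB_SERVER%\%LAB_SHARE% * /user:%LAB_DOMAIN%\%LAB_USER% /persistent:no
if errorlevel 1 goto failed

rem The session to this server is already authenticated as the lab user,
rem so the printer share on the same server needs no second prompt.
net use LPT2: \\%LAB_SERVER%\%LAB_PRINTER% /persistent:no
if errorlevel 1 echo Printer mapping failed; drive L: is still connected.

rem List the active connections so they can be reviewed.
net use
goto end

:disconnect
rem Run this before leaving the lab so no authenticated session lingers.
net use L: /delete /y
net use LPT2: /delete /y
goto end

:failed
echo Could not authenticate to \\%LAB_SERVER% as %LAB_DOMAIN%\%LAB_USER%.
endlocal
exit /b 1

:usage
echo Usage: %~n0 labusername    or    %~n0 disconnect

:end
endlocal
```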
edbuck

ASKER

I've incorporated the learning acquired in the preceding discussion and have fashioned a workable solution for myself. Therefore, I'll accept the thread.

Thanks for the help!
Hmm.. forgot all about this thread and sorry I did not get back in with more details..  But thanks for the update, and closing it out in such a timely fashion.

BTW:  you are very welcome..  and good luck with your laptops..!!  

FE