Same Local & Domain Name: Access Rights

If an XP workstation is joined to a Domain, and the user name previously defined in the workstation (locally) is also defined in the Domain, what determines the user's permissions on the workstation resources?
scptech asked:
 
glebn commented:
Local users are not recognized at the domain level and therefore have no access to domain level resources. For example, if your domain is named "Domain" and your workstation is named "Workstation" then when you are logged on to the workstation as "Workstation\User" you will be prompted for a password when trying to add, for example, a user named "Domain\User" to a Workstation security group. At the domain level, you will not be able to add the user "Workstation\User" to any domain level groups or ACLs.

However, if you have two users with identical names and passwords at both the workstation and domain level (e.g. "Domain\User" and "Workstation\User") then in some cases it may be possible to logon to the workstation using the local account "Workstation\User" and gain access to some domain level resources available to "Domain\User" without entering a password. This might be a source of confusion.

The direct answer to your question is that the object's access control list (ACL) determines access to the object. To see the ACL for most objects, right-click on the object, select Properties, and then click the Security tab. The ACL will list both local and domain accounts that have access to the object.

Lastly, I manage a large network and we do give users Local Administrator rights to their own computers using their domain account -- users don't have a local account. It is their domain account that gives them access to everything on their local workstation. However, you won't see any domain user names in ACLs; all you'll see on local ACLs is that the local "Administrators (Workstation\Administrators)" group has access to the resources. However, if you look at the membership for the "Workstation\Administrators" group you'll see the user's domain account "Domain\User" listed. Hence it is the presence of the local Administrators group in the ACL which gives the domain user access to the local object BECAUSE the domain user's account is a member of the local Administrators group.

0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Whether the user is logged in locally or to the domain.  Windows doesn't do things by name, it does it by SIDs and GUIDs.  The names are a bit like DNS names and the SIDs and GUIDs are a bit like IP Addresses.  Where the Directory Service is the DNS for these.
0
 
scptech (Author) commented:
Thanks leew.

I logged into a domain from a workstation with user id 'frontoffice' which was defined on the domain (so it has some GUID in AD) and not defined on the workstation.
I was unable to access most of the local resources on the workstation. (Access denied).

Next, I logged into the workstation (not Domain) as an administrator and created the same user Id (frontoffice) on the workstation with admin rights. So now there is a SID for that Id on the workstation.

Last, I logged into the Domain with user id 'frontoffice' from the same workstation, and I had full access to local resources.

Can you help explain this?
0

 
xrok commented:
You need to log in as domain administrator.
Add the frontoffice domain user to a local account.
This is an easy fix.


0
 
scptech (Author) commented:
Thank you xrok. I am not looking for any fix - I am looking for an intelligent explanation of concepts.

So here is the question, phrased a little more clearly:

When logging into a domain from a workstation, exactly what determines the permissions to the local workstation's resources, such as various folders?

0
 
xrok commented:
I will do my best to answer your q:
>>I logged into a domain from a workstation with user id 'frontoffice' which was defined on the domain (so it has some GUID in AD) and not defined on the workstation.
>>I was unable to access most of the local resources on the workstation. (Access denied).
>>Next, I logged into the workstation (not Domain) as an administrator and created the same user Id (frontoffice) on the workstation with admin rights. So now there is a SID for that Id on the workstation.

At this time, User (frontoffice) was added with admin rights as workstation or Domain??

>>Last, I logged into the Domain with user id 'frontoffice' from the same workstation, and I had full access to local resources.

Once you join a domain, even if you are logged into the workstation (not the Domain) as an administrator, you are now adding a domain user. (I don't think you can add a local user anymore.)
Therefore User (frontoffice) has full admin rights on that workstation.

Local workstation resources depend on GUIDs and SIDs.
0
 
ccomley commented:
One thing you may not be clear on.

When you join a computer to a domain, and then log in to the computer as a domain user, the system does NOT see this as the same "user" as you were before. The non-domain user continues to exist as a separate "user" on the workstation, with its own files, rights, permissions, etc. and you can log in to this user ID by changing the domain login screen so you log in as "fred" on "local-machine-name" instead of "fred" on "domain.com".

That's not to say that there aren't ways to copy, clone or move the files (etc.) of a "local" user to the new "domain" user if that's what you want to achieve.

To get a clear picture of what's going on, look in two places.

1) In Windows Explorer, open the "c:\Documents and Settings" folder and you'll see a subfolder for each user who has ever logged in to the machine. By default the folder name is the same as the user name, but where you get replicated usernames, the second folder will have the domain suffixed, so if you logged in as Fred locally before and now you log in as Fred at Domain.com, you'll find subfolders in there called "fred" and "fred.domain". The creation dates are clues. :)

2) In Control Panel under User admin you'll see a list of local users. Often the easiest thing to do in a small network is add the *domain* user to this list and make him an administrator of his own workstation. Then you'll see both "Fred - ThisMachine" and "Fred - Domain.com" in that list. (Note - in larger and more actively "managed" networks you won't find the sysadmins letting the users be admin of their own workstation!)

0
 
scptech (Author) commented:
Unfortunately none of the answers explains the question: When logging into a domain from a workstation, exactly what determines the permissions to the local workstation's resources, such as various folders?

So if you were sitting on my workstation for the first time and logged into the domain somedomain.com, and then tried to access a folder on the local workstation (say C:\secretfolder), would you have write access to that local folder? What would determine your level of permissions to this local workstation resource?

ccomley - the 2nd part of your explanation does not match my findings: I am currently at work (on a very large network), logged into a domain with user Id jsmith.
I have local admin rights to my XP Professional workstation. Under the "c:\Documents and Settings" folder I have a subfolder named jsmith (my domain login Id), but no other subfolder like jsmith-domain.com.


0
 
scptech (Author) commented:
xrok: To your point: "Once you join domain, even you are logged into the workstation (not Domain) as an administrator , you are now adding domain user.( I don't think you can add local user anymore) Therefore User (frontoffice) has full admin right on that workstation"

This cannot be true: otherwise anyone with administrative rights to a workstation will be able to log into a workstation and add domain users just because the workstation has been joined to a domain.

0
 
luv2smile commented:
"(say C:\secretfolder) , will you have write access to that local folder? What would determine your level of permissions to this local workstation resource?"

The access rights set on that specific folder will determine who has access and what type of access they have for that folder. Individual folder access rights are determined by the NTFS permissions (Security tab) on each folder. Oftentimes these folders inherit the permissions of parent folders unless you specifically change them.
0
 
luv2smile commented:
"I have local admin rights to my XP Professional workstation. Under the "c:\Documents and Settings" folder I have a subfolder named jsmith (my domain login Id), but no other subfolder like jsmith-domain.com."

Then that just means that you didn't have a local account with the same name before you logged into the domain for the first time. If you had had the same account name as a local account when you first logged into the domain, then it would have created a folder called user.domain. It's no big deal if you don't have one.

0
 
luv2smile commented:
"otherwise anyone with administrative rights to a workstation will be able to log into a workstation and add domain users just because the workstation has been joined to a domain."

Well, this is true... if you have local admin rights on a machine then you can add any of the domain users into the local admin group or any other local group on that computer.
0
 
xrok commented:
>>This cannot be true: otherwise anyone with administrative rights to a workstation will be able to log into a workstation and add domain users just because the workstation has been joined to a domain.

A Local Administrator can add domain users to the local workstation (only to a workstation he has admin rights on).
Even a domain user can do the same (if they have access to the admin password).



0
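As an added illustration, not part of any answer above, of the point made by leew and glebn that Windows compares the SIDs in the logon token against the ACL on the object, and of luv2smile's note that the NTFS permissions on the folder itself decide the outcome, the following Python model walks the questioner's frontoffice scenario. Every SID, the folder name C:\secretfolder, and the ACL are constructed for the example; the ACE walk is a simplified version of the Windows access check.

```python
from dataclasses import dataclass

# Constructed SIDs: the same name exists locally and in the domain, but each is a distinct principal.
SIDS = {
    "WORKSTATION\\frontoffice": "S-1-5-21-1111-2222-3333-1001",  # hypothetical machine SID + RID
    "DOMAIN\\frontoffice": "S-1-5-21-7777-8888-9999-1105",       # hypothetical domain SID + RID
    "BUILTIN\\Administrators": "S-1-5-32-544",                   # well-known local Administrators
}

@dataclass(frozen=True)
class Ace:
    sid: str           # trustee, stored as a SID, never as a name
    rights: frozenset  # e.g. {"read", "write"}
    allow: bool = True # False models a deny ACE

def build_token(user, local_groups):
    """Logon token: the user's SID plus each local group whose member list (as SIDs) holds it."""
    user_sid = SIDS[user]
    groups = {SIDS[g] for g, members in local_groups.items()
              if user_sid in {SIDS[m] for m in members}}
    return {user_sid} | groups

def access_check(token_sids, acl, wanted):
    """Simplified Windows ACE walk: ACEs in order, only those whose SID is in the token count;
    a deny ACE covering a still-wanted right fails at once, allow ACEs accumulate until done."""
    granted = set()
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.rights & (wanted - granted):
            return False
        if ace.allow:
            granted |= ace.rights
            if wanted <= granted:
                return True
    return wanted <= granted

# ACL of the questioner's hypothetical C:\secretfolder: local Administrators may read and
# write; the *local* frontoffice account may only read. Names never appear, only SIDs.
SECRET_ACL = [
    Ace(SIDS["BUILTIN\\Administrators"], frozenset({"read", "write"})),
    Ace(SIDS["WORKSTATION\\frontoffice"], frozenset({"read"})),
]

def domain_user_can_write(domain_user_in_local_admins):
    """Can DOMAIN\\frontoffice, logged on to the workstation, write to the folder?"""
    members = ["DOMAIN\\frontoffice"] if domain_user_in_local_admins else []
    token = build_token("DOMAIN\\frontoffice", {"BUILTIN\\Administrators": members})
    return access_check(token, SECRET_ACL, {"read", "write"})
```

With no local group membership the domain account matches no ACE and is denied, even though a local account of the same name is listed; once its SID is a member of the local Administrators group, the Administrators ACE grants it access.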