I have what used to be a very simple network. Basically, we had 7 PCs running a mix of XP Home and XP Professional, and 2 Windows-based servers. One server was an application server and the other was a file server.

We had a pretty vanilla set-up. All PCs, servers and users, were connected via a Linksys gigabit switch and the switch was connected to a Linksys router. The router was configured for DHCP, as usual. The router was then connected to a DSL modem to TELCO.

And then someone in his infinite wisdom decided he was going to install a domain controller (DC) with Active Directory. Why? I have no idea. But now things are a lot more complicated.

Now, instead of everyone simply using a local account where their user-profile/settings are saved locally, we have users authenticating to the domain controller and their user-profile/user-account settings being saved on the controller.

So, to remove the user from the domain, this is what I had to do:

1.) Copy all the My Documents and Desktop files to the local machine, directly under the C: drive.

2.) Log on to the end-user machine as the administrator and change the way the machine logs on by configuring it as though there is no DC. You do this by going to My Computer and right-clicking on the Properties tab. And then you go to "computer name"...bla bla bla.

3.) I then restarted the end-user machine and when it booted up, I, of course, was disassociated from the domain. It was basically a stand-alone machine. But now the user's files and settings were completely lost.

4.) Therefore, being off the domain now, I created a LOCAL user account and simply copied all the Desktop and My Documents files I saved previously, directly under the C: drive, right into the new account's Desktop and My Documents folder. Therefore, even though I am no longer on the domain, and the domain controller was saving all my user data/settings in a user profile for this machine, I now had everything saved locally. So, the user had all their files and settings back but they were now OFF the domain.


The machine is now off the domain, but I can no longer map a network drive on the file server, which IS STILL on the domain. I can map to it from a network perspective (in other words, under My Computer, you CAN see a connection to the network drive), but when I double-click on it, I get "Access Denied." I cannot view the file directory on the file server.

It seems to me that the file server is configured such that it must authenticate the user to the domain controller before it allows any user to access its resources.


If I am right, would removing the file server from the domain, as I did to the end-user, stop this fileserver-domain controller interaction, and thereby allow the end-user to map to the fileserver's drive successfully?
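
The file copying in steps 1 and 4 above can be scripted so that nothing in Desktop or My Documents is missed (hidden files included). This is an added example, not something from the thread: a cmd batch file for Windows XP that backs up the old domain profile's Desktop and My Documents before the PC leaves the domain, and later restores them into the new local account. The user names, the backup folder and the "Documents and Settings" layout are assumptions; on XP the domain profile folder may be named like `jsmith.DOMAIN` if a local account of the same name already existed, so check the folder name first.

```batch
@echo off
rem Added example (not from the thread): back up a user's Desktop and My Documents
rem before the PC leaves the domain, then restore them into the new local account.
rem Assumed placeholders: DOMAIN_USER is the old domain profile folder name under
rem C:\Documents and Settings, LOCAL_USER is the new local account, BACKUP is the staging folder.
set DOMAIN_USER=jsmith
set LOCAL_USER=jsmith
set BACKUP=C:\ProfileBackup

if "%1"=="backup" goto backup
if "%1"=="restore" goto restore
echo Usage: %~nx0 backup ^| restore
exit /b 1

:backup
rem /E copies subfolders including empty ones, /H includes hidden and system files,
rem /C keeps going after a copy error, /I treats the destination as a folder,
rem /K preserves read-only attributes.
xcopy "C:\Documents and Settings\%DOMAIN_USER%\Desktop" "%BACKUP%\Desktop" /E /H /C /I /K
xcopy "C:\Documents and Settings\%DOMAIN_USER%\My Documents" "%BACKUP%\My Documents" /E /H /C /I /K
echo Backup finished. Review any errors printed above before leaving the domain.
exit /b %errorlevel%

:restore
rem Run this after the PC is in a workgroup and LOCAL_USER has logged on once,
rem so that the new local profile folder exists. /Y overwrites without prompting.
xcopy "%BACKUP%\Desktop" "C:\Documents and Settings\%LOCAL_USER%\Desktop" /E /H /C /I /K /Y
xcopy "%BACKUP%\My Documents" "C:\Documents and Settings\%LOCAL_USER%\My Documents" /E /H /C /I /K /Y
echo Restore finished.
exit /b %errorlevel%
```

Run it as `profile.cmd backup` while the machine is still joined and the domain profile is on disk, then `profile.cmd restore` after the local account has been created. Keeping the backup on C: rather than on the file server matters here, because once the PC leaves the domain it may no longer be able to reach the server's shares.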



ex-engineer (Author) commented:
Anyone out there?
Hi ex-engineer,

The DC sets up a security boundary that is fairly strong - the whole idea is that users who don't authenticate as part of the domain won't be able to access its resources

have you checked the permissions on the share - you may need to add the guest user to be able to access the share from your standalone computer

why don't you want the old setup - sounds to me like a correct and very good setup that the last bloke had done - why in the world would you want to lose the security, redundancy and usability of the domain?

ex-engineer (Author) commented:
Hi, Jay Jay 70:

Thanks for responding! Can you elaborate a little more on this?

"have you checked the permissions on the share - you may need to add the guest user to be able to access the share from your standalone computer"

Can you give details and be specific to make it idiot proof? :-) When you say "share," do you mean the file server?

I want to get rid of the AD server because it's really overkill. It's a great set up if you have a large network with many resources (file servers, email and application servers, printers, etc), where you need to enhance scalability and manageability. But this is only a paltry 7 PCs! lol  I didn't want to get crazy. And if something fails with AD, I am not familiar with managing it and I don't have too much time to mess around with it.


fair enough then mate, but i think you will come into trouble with having half a domain cranking and half not

you may want to look at demoting the domain controller with the dcpromo tool... start - run - dcpromo  and then follow the wizard

as for the share itself - i mean that share on the file server - you will need to look under properties and sharing and then look at the permissions side of things, also check the security TAB and add the guest user to both

im not positive this will work as you are trying to map within a security boundary from outside
ex-engineer (Author) commented:
OK, fair enough. By the way, I want to remove the domain controller altogether. I was just experimenting with that one machine.

Also, if I use the dcpromo tool to demote it, I think I will end up killing all the user profiles and groups and thereby end up losing all my user-data because it's all being saved on domain accounts, not local accounts.

Which brings me to my next comment/question...

If the users who were authenticating to the domain were using a domain account and all their data was being saved on the DC/AD server, what would have happened if that AD server crashed??? Would all the user data (Desktop and My Documents) have been lost? I mean, if the DC crashes, and all that data is saved in the domain account, and I can't log onto the domain anymore.....shazam! lol

Isn't there a way for someone to be logged onto the domain, save all their data to the domain account, BUT ALSO TO A LOCAL ACCOUNT SIMULTANEOUSLY, in case the domain account fails????

If not, shouldn't this guy have installed a backup DC?

that opens up an option of offline files....

thats where the user saves data locally and when they log off, the folders synch on a server - the way your bloke has it setup is just folder redirection and this is the better option on the proviso that there is an extremely strong backup plan and scheme.... if not then its all for nothing and yep if the DC dies then you lose everything......

DCPROMO will remove the AD database and the security boundaries not the actual user profiles... you will still need to copy all the data back across the same way that you already have

Backup DC is good but still the situation would have been that the data was only synching to one server - backup DC just replicates the security structure - users groups policies etc...

offline files are a good option if you have a file server and you're not using redirection and roaming profiles which are part of AD
ex-engineer (Author) commented:
What I would like to do is:

1. Continue removing the end-users from the domain, one at a time, as I did the first one.

2. Remove the file server from the domain.

I have a feeling that once I disassociate the file server from the domain, there won't be any security binding/relationship between the file server and the DC, and my end-users will be able to map out to the share drive on the file server. Ya think?

I guess by that point the DC will not be serving any purpose anyway, so the DCPROMO will be a moot point. No?
1) i would remove your user files as you have done so far and get your machines as standalone
2) you will still need to run DCPROMO as this removes AD and can put your OS back to a simple file server - you have to do this step!
3) then you get the fun and joys of P2P networking again - WG etc

I can't believe i just gave advice on removing AD! i swore i would never do that - you are losing a lot of security my friend - its not overkill at all, just make sure you definitely want to do this

let me know if ya need help mate

ex-engineer (Author) commented:
As for point 2, my file server is a separate box from the DC. The DC is only acting as an AD server.

OK, can you explain to me what security I am losing?  
Ah i c - still demote the box and have it as an additional server

you lose power of centralised management and security - group policies, group memberships and privileges at a much stronger level

mostly its admin control and there is that much documentation out there that it doesn't take long to learn - i taught myself by playing now i administer heaps of domain environments   - and im not particularly bright!!!

choice is yours ill just always promote using a Domain Environment
Keith Alabaster (Enterprise Architect) commented:
I would (personally) look at this the other way.

1. By having the domain controller with centralised roaming profiles, you do not lose the user-data held locally. Actually, you enhance it. When a user logs onto the PC that they use, a copy of the profile is stored locally on the PC and then written to the centralised location on the server. Now if a user logs on at a different PC, the profile is copied from the central server to the new PC and stored locally there as well. If the PC that the user is on loses its hard disk, the profile is still stored on the central server so you can put a new PC in place, log on as the user (after making sure all programs etc have been reinstalled) and the profile will come down from the server quite happily.

2. For the same reasons, if you do need to do 'work' on a PC, the user can operate on another pc nearby as they can use the profile pulled from the server.

3. The ability to use centralised services such as DHCP, DNS, profiles, security, control etc is worth its weight-in-chocolate. I hear you about only a few machines, but what if your company decides to go the Exchange route at some time, Sharepoint? Just examples, but many systems now require the centralised user_account database that AD provides or an equivalent.

4. Again, with centralised services, making a single change in one location rather than the repetition of doing it singularly for each work station; Yuk.

5. You can create a test-user and put it into its own group. Centralised software installs/updates etc can be tested with the test_user before pushing to your other clients.

6. Security itself. The whole methodology of passwords, lock-outs etc is much stronger on domain membership rather than workgroup.

The list goes on.....
ex-engineer (Author) commented:
Hey there, Keith.

Regarding point 1 of your response, here's the situation I had. I logged on as an administrator to a user's PC and changed the manner in which the authentication process takes place. I set it up so that the PC does not look for a domain controller. Then I rebooted and got the log-on screen.

OK, now, of course, when I tried to use the log-on credentials of the user, username and password, NO DOMAIN ENTRY, of course, no profile came up. In other words, because that was a domain profile I was logging into before, and now that she is not on the domain, I couldn't bring up her profile.

So, maybe AD CAN have the functionality you're talking about, but this guy didn't create it. All I have are the user profiles on the domain, so no domain means no profile and no data.

Am I missing something?

Keith Alabaster (Enterprise Architect) commented:
There is a group policy that can be used within AD to set where the profiles are stored (if you don't want them on the local PC's for example).

However, the default is that the local profile is stored under documents & settings\user name and on the server, wherever you tell it within the user account.
ex-engineer (Author) commented:
I guess so. I'm sure you're absolutely right, but you aren't giving me any details, so I can't really do much with what you're saying...

Anyway, can you look at my other issue? The one about FTP not working...
Keith Alabaster (Enterprise Architect) commented:
Then maybe I have missed the point of your post.

Do you have the administrator password for the file server?

from a cmd prompt, If you use a net use * \\server_ip\share_name /user:ip_of_server\administrator

Does it prompt you for the original local administrator password of that server?

If you are unsure of any share on the file server, replace 'share_name' above with c$
c$ is the hidden administrative share for the C drive on the server.
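
The `net use` test Keith describes can be wrapped so that the outcome is reported clearly and the mapping is cleaned up afterwards. This is an added example, not from the thread: a cmd batch file for a workgroup PC that tries to map a share on the still-domain-joined file server using the server's own local administrator account, which is what `/user:ip_of_server\administrator` does (the server-IP prefix makes the server check its local account database instead of asking the domain controller). The IP address and share name are placeholders; the account's password is prompted for rather than written into the script.

```batch
@echo off
rem Added example (not from the thread): test whether a standalone (workgroup) PC can reach
rem a share on a domain-joined file server by authenticating with the server's LOCAL
rem administrator account. SERVER_IP and SHARE_NAME are placeholders to replace.
set SERVER_IP=192.0.2.10
set SHARE_NAME=c$

rem "*" lets Windows pick the next free drive letter. /persistent:no keeps the mapping from
rem being recreated at the next logon. No password on the command line, so net use prompts.
net use * \\%SERVER_IP%\%SHARE_NAME% /user:%SERVER_IP%\administrator /persistent:no
if errorlevel 1 (
    echo Mapping FAILED.
    echo   - Wrong password: the prompt asks for the server's local administrator password.
    echo   - "Access is denied": check the Sharing permissions and the Security tab on the share.
    echo   - Path not found: confirm the share name with "net view \\%SERVER_IP%".
    exit /b 1
)

echo Mapping succeeded. Current connections:
net use

rem Remove the test mapping again so the admin credential is not left cached on this PC.
net use \\%SERVER_IP%\%SHARE_NAME% /delete /y
exit /b 0
```

A successful mapping with the local administrator account shows that the server itself is reachable and that the problem is only authentication, which narrows the "Access Denied" to the share or NTFS permissions for the account the workgroup user is actually logging on with. Deleting the mapping at the end keeps a privileged credential from staying cached on an end-user machine.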

Cannot see anything mentioned above FTP?

look under the properties of the user account and under profile it will have a path showing you where it is stored

you will never be able to load the domain profile without logging on with the domain account   -  you are logging on with a local account now which has nothing to do with the domain as you would know

if you decide to keep your Domain Environment (highly advisable) i can send you some links on how to configure profiles and security options.....
ex-engineer (Author) commented:
OK, Jay Jay.. Thanks

no worries mate just let me know
ex-engineer (Author) commented:
I am letting you know, buddy. Send me what ya got! lol Thanks

ex-engineer (Author) commented:
Jay Jay, THANKS!

That was great, man. I REALLY appreciate it!
not a problem mate - any questions you can always ask
you have any luck mate?