Solved

Trust Computer for delegation

Posted on 2006-06-28
Last Modified: 2008-05-30
I am trying to enable the "Trust computer for delegation" option. I enabled this option in Active Directory, but I still can't see the computer's local accounts in the domain. What am I missing?
Question by:pdiblasi
6 Comments
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17002241
How are you trying to see the computer accounts?
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 17002530
That option is only used by services running with the "local system" account.
The services use the account to access resources on the domain on behalf of the client.


So you will not see local user accounts on the pc being added to active directory.
0

 

Author Comment

by:pdiblasi
ID: 17004380
Ohhhhhh, so only domain controllers will post the accounts in Active Directory? There is no way to have a member server post its local accounts in Active Directory?
0
 
LVL 16

Accepted Solution

by:
Nyaema earned 250 total points
ID: 17007248
All domain controllers in an Active Directory environment have a copy of the same security database.
Any change made to the security database is replicated to the other domain controllers.
So any user account added/deleted is replicated to the other domain controllers.

Domain controllers, as the name suggests, control domains.
In a domain, there's one security database that is queried by all members of that domain.
It is domain controllers that add/delete user accounts.
Members of a domain share their resources with other members
and deny/allow access using user/computer accounts in the domain database held by the domain controllers.

When you log onto a domain from a PC, it is the domain controller that verifies that you have an account on the domain and that the password is correct.

Members of a domain also have their own security database,
called the local security database, which is controlled by the local computer.
The local security database is not replicated to any other member of the workgroup/domain.

A member server is not a domain controller.
It has its own security database that is not replicated to any other member of the domain.

So yes, only user accounts added at a domain controller will appear in Active Directory.
There is no way to replicate local user accounts to Active Directory.

There is no need to have local user accounts in Active Directory.
Just add the accounts you want to use in Active Directory.
You can then use the domain user account to allow and deny access to resources on the member server.
The server has to be a member of that domain.

Note: "Server" refers to Windows Server NT/2000/2003, as they can handle more than 10 connections.
NT Workstation, 2000 Professional, XP and 9x can only handle 10 simultaneous user connections.
0
 
LVL 6

Assisted Solution

by:engineer_dell
engineer_dell earned 250 total points
ID: 17007262
That setting is part of the userAccountControl attribute (a bit flag in it), so your users would need rights to modify that attribute. If you want to do constrained delegation (which you should use if you can), they'll need access to the msds-allowedToDelegateTo attribute.  They may also need rights to set service principal names (servicePrincipalName attribute), depending on what you are doing.

http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true
http://support.microsoft.com/?id=305144
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1

Hope this helps,

Engineer_Dell
0
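
Added example (not part of the thread and not the posters' code): the answer above says the delegation setting is a bit in userAccountControl and that constrained delegation is recorded in msDS-AllowedToDelegateTo, so this Python code decodes both from exported account records and reports each account's delegation mode. The record layout, account names and SPN are constructed for illustration; the flag values are those listed in Microsoft's userAccountControl documentation (KB 305144, linked above).

```python
# Added example: classify delegation settings from exported AD attributes.
# Flag values are from Microsoft's userAccountControl documentation (KB 305144).
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member workstation/server computer account

def classify(record):
    """Return the delegation mode for one exported account record (a dict)."""
    uac = int(record["userAccountControl"])
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"
    if targets:
        return "constrained-kerberos-only"
    return "none"

def audit(records):
    """List (name, mode, note) for every account that can delegate."""
    findings = []
    for rec in records:
        mode = classify(rec)
        if mode == "none":
            continue
        uac = int(rec["userAccountControl"])
        if mode == "unconstrained" and uac & SERVER_TRUST_ACCOUNT:
            note = "domain controller (set by default)"
        elif mode == "unconstrained":
            note = "review: prefer constrained delegation"
        else:
            note = "delegates to: " + ", ".join(rec["msDS-AllowedToDelegateTo"])
        findings.append((rec["sAMAccountName"], mode, note))
    return findings

# Constructed sample export (hypothetical names and SPN, not from the page).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},    # 0x82000
    {"sAMAccountName": "WEB01$", "userAccountControl": 528384},   # 0x81000
    {"sAMAccountName": "APP01$", "userAccountControl": 16781312,  # 0x1001000
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.test:1433"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 4096},    # no delegation
]

if __name__ == "__main__":
    for name, mode, note in audit(SAMPLE):
        print(f"{name:8} {mode:26} {note}")
```
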
