• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1628
  • Last Modified:

Trust Computer for delegation

I am trying to enable "trust computer for delegation option" I enabled to this option in active directory but I still can't see the computers local accounts in the domain. What am I missing?
0
pdiblasi
Asked:
pdiblasi
2 Solutions
 
CharliePete00Commented:
How are you trying to see the computer accounts?
0
 
Joseph NyaemaIT ConsultantCommented:
That option in only used by services running with the "local system" account
The services  use the account to access resources on the domain on behalf of the client.


So you will not see local user accounts on the pc being added to active directory.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
pdiblasiAuthor Commented:
ohhhhhh so only domain controllers will post the accounts in active directory? there is no way to have a member server post its local accounts in active directory?
0
 
Joseph NyaemaIT ConsultantCommented:
All domain controllers in an active directory environment have a copy of the same security database.
any change made to the security database is replicated to the other domain controllers.
So any user account added/deleted is replicated to the other domain controllers.

Domain controllers as the name suggests control domains
In a Domain, there's one security database that is queried by all members of that domain.
It is domain controllers that add/delete user accounts.
Members of a domain share there resources with other members
and deny/allow accesss using user/computer accounts in the domain database held by the domain controllers.

When you log onto a domain from a PC, it is the domain controller verifies that you have an account on the domain and that the password is correct.

Members have a domain also have there own security database
called the local security database which controlled by the local computer.
the local security database is not replicated to any other member of the workgroup/domain.

A member server is not a domain controller.
It has its own security database that is not replicated to any other member of the domain.

So yes, only user accounts added at a domain controller will appear in active directory.
There is no way to replicate local user accounts to active directory.

There is no need to have local user accounts in active directory.
Just add the  accounts you want to use in active directory.
You can then use the domain user account to allow and deny access to resources in the member server.
The server has to be a member of that domain.

Note: Server refers to windows server nt/2000/2003 as they can handle more than 10 connections
nt workstatioin, 2000 professional, xp, 9x can only handle 10 simultaneous user connections.
0
 
engineer_dellCommented:
That setting is part of the userAccountControl attribute (a bit flag in it), so your users would need rights to modify that attribute. If you want to do constrained delegation (which you should use if you can), they'll need access to the msds-allowedToDelegateTo attribute.  They may also need rights to set service principal names (servicePrincipalName attribute), depending on what you are doing.

http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true
http://support.microsoft.com/?id=305144
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1

Hope this helps,

Engineer_Dell
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now