Solved

Trust Computer for delegation

Posted on 2006-06-28
6
1,614 Views
Last Modified: 2008-05-30
I am trying to enable "trust computer for delegation option" I enabled to this option in active directory but I still can't see the computers local accounts in the domain. What am I missing?
0
Comment
Question by:pdiblasi
6 Comments
 
LVL 30

Expert Comment

by:callrs
Comment Utility
0
 
LVL 7

Expert Comment

by:CharliePete00
Comment Utility
How are you trying to see the computer accounts?
0
 
LVL 16

Expert Comment

by:Nyaema
Comment Utility
That option in only used by services running with the "local system" account
The services  use the account to access resources on the domain on behalf of the client.


So you will not see local user accounts on the pc being added to active directory.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:pdiblasi
Comment Utility
ohhhhhh so only domain controllers will post the accounts in active directory? there is no way to have a member server post its local accounts in active directory?
0
 
LVL 16

Accepted Solution

by:
Nyaema earned 250 total points
Comment Utility
All domain controllers in an active directory environment have a copy of the same security database.
any change made to the security database is replicated to the other domain controllers.
So any user account added/deleted is replicated to the other domain controllers.

Domain controllers as the name suggests control domains
In a Domain, there's one security database that is queried by all members of that domain.
It is domain controllers that add/delete user accounts.
Members of a domain share there resources with other members
and deny/allow accesss using user/computer accounts in the domain database held by the domain controllers.

When you log onto a domain from a PC, it is the domain controller verifies that you have an account on the domain and that the password is correct.

Members have a domain also have there own security database
called the local security database which controlled by the local computer.
the local security database is not replicated to any other member of the workgroup/domain.

A member server is not a domain controller.
It has its own security database that is not replicated to any other member of the domain.

So yes, only user accounts added at a domain controller will appear in active directory.
There is no way to replicate local user accounts to active directory.

There is no need to have local user accounts in active directory.
Just add the  accounts you want to use in active directory.
You can then use the domain user account to allow and deny access to resources in the member server.
The server has to be a member of that domain.

Note: Server refers to windows server nt/2000/2003 as they can handle more than 10 connections
nt workstatioin, 2000 professional, xp, 9x can only handle 10 simultaneous user connections.
0
 
LVL 6

Assisted Solution

by:engineer_dell
engineer_dell earned 250 total points
Comment Utility
That setting is part of the userAccountControl attribute (a bit flag in it), so your users would need rights to modify that attribute. If you want to do constrained delegation (which you should use if you can), they'll need access to the msds-allowedToDelegateTo attribute.  They may also need rights to set service principal names (servicePrincipalName attribute), depending on what you are doing.

http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true
http://support.microsoft.com/?id=305144
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1

Hope this helps,

Engineer_Dell
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now