[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Trust Computer for delegation

Posted on 2006-06-28
6
Medium Priority
?
1,627 Views
Last Modified: 2008-05-30
I am trying to enable "trust computer for delegation option" I enabled to this option in active directory but I still can't see the computers local accounts in the domain. What am I missing?
0
Comment
Question by:pdiblasi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17002241
How are you trying to see the computer accounts?
0
 
LVL 16

Expert Comment

by:Joseph Nyaema
ID: 17002530
That option in only used by services running with the "local system" account
The services  use the account to access resources on the domain on behalf of the client.


So you will not see local user accounts on the pc being added to active directory.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:pdiblasi
ID: 17004380
ohhhhhh so only domain controllers will post the accounts in active directory? there is no way to have a member server post its local accounts in active directory?
0
 
LVL 16

Accepted Solution

by:
Joseph Nyaema earned 1000 total points
ID: 17007248
All domain controllers in an active directory environment have a copy of the same security database.
any change made to the security database is replicated to the other domain controllers.
So any user account added/deleted is replicated to the other domain controllers.

Domain controllers as the name suggests control domains
In a Domain, there's one security database that is queried by all members of that domain.
It is domain controllers that add/delete user accounts.
Members of a domain share there resources with other members
and deny/allow accesss using user/computer accounts in the domain database held by the domain controllers.

When you log onto a domain from a PC, it is the domain controller verifies that you have an account on the domain and that the password is correct.

Members have a domain also have there own security database
called the local security database which controlled by the local computer.
the local security database is not replicated to any other member of the workgroup/domain.

A member server is not a domain controller.
It has its own security database that is not replicated to any other member of the domain.

So yes, only user accounts added at a domain controller will appear in active directory.
There is no way to replicate local user accounts to active directory.

There is no need to have local user accounts in active directory.
Just add the  accounts you want to use in active directory.
You can then use the domain user account to allow and deny access to resources in the member server.
The server has to be a member of that domain.

Note: Server refers to windows server nt/2000/2003 as they can handle more than 10 connections
nt workstatioin, 2000 professional, xp, 9x can only handle 10 simultaneous user connections.
0
 
LVL 6

Assisted Solution

by:engineer_dell
engineer_dell earned 1000 total points
ID: 17007262
That setting is part of the userAccountControl attribute (a bit flag in it), so your users would need rights to modify that attribute. If you want to do constrained delegation (which you should use if you can), they'll need access to the msds-allowedToDelegateTo attribute.  They may also need rights to set service principal names (servicePrincipalName attribute), depending on what you are doing.

http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true
http://support.microsoft.com/?id=305144
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1

Hope this helps,

Engineer_Dell
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question