Solved

Trust Computer for delegation

Posted on 2006-06-28
Last Modified: 2008-05-30
I am trying to enable the "Trust computer for delegation" option. I enabled this option in Active Directory, but I still can't see the computer's local accounts in the domain. What am I missing?
0
Question by:pdiblasi
6 Comments
 
LVL 30

Expert Comment

by:callrs
ID: 17002225
0
 
LVL 7

Expert Comment

by:CharliePete00
ID: 17002241
How are you trying to see the computer accounts?
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 17002530
That option is only used by services running with the "local system" account.
The services use the account to access resources on the domain on behalf of the client.

So you will not see local user accounts on the PC being added to Active Directory.
0

Author Comment

by:pdiblasi
ID: 17004380
Ohhhhhh, so only domain controllers will post the accounts in Active Directory? There is no way to have a member server post its local accounts in Active Directory?
0
 
LVL 16

Accepted Solution

by:
Nyaema earned 250 total points
ID: 17007248
All domain controllers in an Active Directory environment have a copy of the same security database.
Any change made to the security database is replicated to the other domain controllers.
So any user account added/deleted is replicated to the other domain controllers.

Domain controllers, as the name suggests, control domains.
In a domain, there's one security database that is queried by all members of that domain.
It is domain controllers that add/delete user accounts.
Members of a domain share their resources with other members
and deny/allow access using user/computer accounts in the domain database held by the domain controllers.

When you log onto a domain from a PC, it is the domain controller that verifies that you have an account on the domain and that the password is correct.

Members of a domain also have their own security database,
called the local security database, which is controlled by the local computer.
The local security database is not replicated to any other member of the workgroup/domain.

A member server is not a domain controller.
It has its own security database that is not replicated to any other member of the domain.

So yes, only user accounts added at a domain controller will appear in Active Directory.
There is no way to replicate local user accounts to Active Directory.

There is no need to have local user accounts in Active Directory.
Just add the accounts you want to use in Active Directory.
You can then use the domain user account to allow and deny access to resources in the member server.
The server has to be a member of that domain.

Note: Server refers to Windows Server NT/2000/2003, as they can handle more than 10 connections;
NT Workstation, 2000 Professional, XP, 9x can only handle 10 simultaneous user connections.
0
 
LVL 6

Assisted Solution

by:engineer_dell
engineer_dell earned 250 total points
ID: 17007262
That setting is part of the userAccountControl attribute (a bit flag in it), so your users would need rights to modify that attribute. If you want to do constrained delegation (which you should use if you can), they'll need access to the msds-allowedToDelegateTo attribute.  They may also need rights to set service principal names (servicePrincipalName attribute), depending on what you are doing.

http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true
http://support.microsoft.com/?id=305144
http://www.awprofessional.com/articles/article.asp?p=26918&rl=1

Hope this helps,

Engineer_Dell
0
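The userAccountControl bit flag and the msds-allowedToDelegateTo attribute named in the answer above can be checked from an export of computer accounts. The following is an added example, not part of the original thread: the host names and attribute values are constructed, and the flag values are Microsoft's documented userAccountControl bits.

```python
# Added example: audit delegation settings from exported directory attributes.
# Flag values are Microsoft's documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",          # domain controller
    0x80000: "TRUSTED_FOR_DELEGATION",       # "Trust this computer for delegation"
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}
BITWISE_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def ldap_bit_filter(bit):
    """LDAP filter matching objects that have the given bit set."""
    return f"(userAccountControl:{BITWISE_AND_RULE}:={bit})"

def classify(entry):
    """Classify one account's delegation from its exported attributes."""
    uac = int(entry["userAccountControl"])
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & 0x80000:
        # Domain controllers carry this bit by default; anything else is a finding.
        return "unconstrained (DC)" if uac & 0x2000 else "unconstrained"
    if targets:
        return "constrained + protocol transition" if uac & 0x1000000 else "constrained"
    return "none"

def needs_review(entries):
    """Non-DC accounts trusted for unconstrained delegation, sorted by name."""
    return sorted(e["sAMAccountName"] for e in entries
                  if classify(e) == "unconstrained")

# Constructed sample export (hypothetical hosts, not from the thread).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": "532480"},
    {"sAMAccountName": "WEB01$", "userAccountControl": "528384"},
    {"sAMAccountName": "APP01$", "userAccountControl": "4096",
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.example.test"]},
    {"sAMAccountName": "SQL01$", "userAccountControl": "16781312",
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db.example.test:1433"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": "4096"},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["sAMAccountName"], classify(e), decode_uac(int(e["userAccountControl"])))
    print("review:", needs_review(SAMPLE), "filter:", ldap_bit_filter(0x80000))
```
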
