Can I grant a LOCAL computer account active directory permissions on a domain?

Posted on 2009-04-07
577 Views
Last Modified: 2013-11-25
We have a network with four Server 2003 servers. One of these is a domain controller, the other two are running different database applications with SQL 2003/2005, and the fourth is running a Xerox workflow program. The fourth server was joined to the domain; however, the Xerox software is trying to process a job that contains data that it needs to pull from the domain controller, buried inside a folder that does not have a direct share to it. For some reason, when Xerox set this up, they have a local administrator account on that machine that is responsible for retrieving the data, and they say that there is nothing they can do to change it. They want us to just share the folders directly, with 'Everyone' set to 'Full Control'. If this was just ONE folder, I wouldn't mind; however, this pertains to about 6,000-plus job folders, and I am not all that comfortable with sharing them all out, nor do I want 6,000 shared folders on my server.

WHAT I would like to do is somehow make the LOCAL ACCOUNT on the fourth server available in Active Directory so that I can add it to a group that has permissions on that server. If I log on as that account (let's call it XEROX_admin) I can browse to the folder I need, and it prompts me for a username and password. If I manually enter a domain username and password that has already been granted access to this folder, it works fine. HOWEVER, Xerox tells us that there is no way that they can set their software up to pass domain user credentials through.

Anyone have any ideas?
Question by:joelen
8 Comments
 

Expert Comment

by:Americom
What you should do is call your Xerox account rep to send you someone who knows what Active Directory is, and not someone who only knows how to use a local account. This is the year 2009; if the person has some experience and is being cooperative with you, then it should be configured with a regular domain user account (usually categorized as a service account), which needs no admin rights on the domain but can be added to the local Administrators group of your 4th server if needed. That should be the proper way to set it up. Telling you to open Full Control to Everyone is a bit more like "it's not my domain, just open it up and my job is done".

You can add a domain account to local groups, but not the other way around. So, I suggest you have them fix the problem. I'm sure someone from Xerox will know how to.
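A concrete version of the setup recommended above, added here as an example and not taken from the thread or from Xerox: the Xerox software runs under a domain service account, that account is put in the local Administrators group of the Xerox server only if the software really needs it, and it is given NTFS rights on the job tree through inheritance instead of 6,000 separate shares. Every name (domain CORP, account CORP\svc_xerox, server XEROXSRV, domain controller DC1, job root D:\Jobs shared once as \\DC1\Jobs, folder Job00001) is a placeholder, and the example assumes icacls is present (it ships with Server 2003 SP2 and later).

```powershell
# Added example, not from the thread. All names are placeholders:
#   domain CORP, service account CORP\svc_xerox, Xerox server XEROXSRV,
#   domain controller DC1 with the job tree at D:\Jobs, shared once as \\DC1\Jobs.

# --- On XEROXSRV ---
# A domain account can be a member of a local group (the reverse is not possible).
# Only do this if the Xerox software really needs local admin; a plain domain
# user is enough to reach a file share.
net localgroup Administrators "CORP\svc_xerox" /add

# --- On DC1 ---
# NTFS: Modify on the job root, inherited by every existing and future job folder.
# (OI)(CI) = object and container inherit, M = Modify, /T = apply to the existing
# tree, /C = keep going if one folder errors. One grant replaces 6,000 shares.
icacls D:\Jobs /grant "CORP\svc_xerox:(OI)(CI)M" /T /C

# Never grant Everyone Full Control. If that was already done, take it back
# (this strips every explicit Everyone entry under D:\Jobs, so check first that
# nothing else relies on it).
icacls D:\Jobs /remove:g Everyone /T /C

# Spot-check the resulting ACL on one job folder.
icacls D:\Jobs\Job00001

# --- Back on XEROXSRV ---
# Prove that the service account itself (not your own admin login) can read the
# data through the single parent share.
runas /user:CORP\svc_xerox "cmd /c dir \\DC1\Jobs\Job00001"
```

The runas check is the important one: it exercises the same account and the same network path the service will use, so a failure here points at the account or the ACL rather than at the Xerox software.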

Expert Comment

by:Cobra705
Add Local Account on server and add the same in the AD...Passwords must match both!

Assisted Solution

by:Americom
Americom earned 50 total points
It wouldn't work: to authenticate to the domain, even with the same user account and password, it's a different SID to the domain.

Why patch instead of fixing it? After all, having data on a domain controller is bad enough, and opening it to everyone is crazy. If it is not properly fixed now, it will cause you more problems down the road.

Expert Comment

by:tigermatt
Americom,

Your point is incorrect. The method of creating matching accounts with the same username and password between two systems (local -> domain or even domain -> domain) is a known, valid workaround which does work.

-Matt

Expert Comment

by:Americom
I know it works from local to local, but are you sure it also works from local to domain? I have not tested local to domain, as I'm assuming that you need to provide domainname\accountname; without that, are you sure just computername\accountname can authenticate to the domain? I have not tested this as it doesn't seem appropriate. After all, even if it works, it would not be an appropriate solution in the long run, at least in my opinion.

Expert Comment

by:GMDtech
Like two people said above: add the "Xerox_admin" account into AD on the DC. Then use that account on the Xerox server. If the passwords match, you will be fine.

Also, if the Xerox server is in the domain, why can't you just log into it on the domain and then set all of the xerox stuff to run in that account?

Expert Comment

by:Americom
It's definitely good to know, and thanks for the confirmation that the matching account and password actually works from local --> domain. I have to admit that I have never paid much attention to it or tried to verify that it could work. Since you all said it would, I have no doubt it will work. As for it also working from domain to domain, that one I kind of experienced accidentally many years ago when setting up multiple domains with the same Administrator account and password.

I guess the workaround with matching account and password can be a solution. It's just that it would require maintaining an extra account and making sure the passwords stay in sync all the time. If I had to fix this, I would definitely make Xerox reconfigure the application to use a domain account instead of a local account. I know fixing it this way can very likely be done and would be the way to go in the long run.


Accepted Solution

by:joelen
Thank you all for your help. As it turns out, the Xerox guy we were dealing with was incorrect, and the problem was that HE had changed a domain account's password and 'forgot'. It was NOT the local user account that needed access, but a Xerox service, and the Xerox service was using AD credentials with the WRONG password.

Incidentally, the local account / domain account same-password thing does not work in our environment, not from Server 2003 to a Server 2003 domain controller. I tested it from an XP box to the domain controller and that DID work, for what it is worth... so that would not have helped, but thanks for the suggestion...
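The root cause turned out to be a Windows service on the Xerox server logging on with a domain account whose stored password no longer matched the domain. As an added example (not from the thread, and not Xerox's tooling), the PowerShell below lists the services on a server that log on with a domain account, verifies a credential against the domain before anything is changed, and then re-stores the verified password on the service. The server name XEROXSRV, domain controller dc1.corp.local, account CORP\svc_xerox and service name XeroxWorkflow are placeholders; the script uses Get-WmiObject because that fits the Server 2003 era, and the same calls still work on later Windows PowerShell versions.

```powershell
# Added example, not from the thread. Placeholders: Xerox server XEROXSRV,
# domain controller dc1.corp.local, service account CORP\svc_xerox,
# Windows service name XeroxWorkflow.
$computer = 'XEROXSRV'
$domainDc = 'dc1.corp.local'
$svcName  = 'XeroxWorkflow'

# 1. Which services on the server log on with a domain account?
#    Built-in identities and local accounts (.\user, XEROXSRV\user) are filtered out,
#    so what is left is exactly the set that breaks when a domain password changes.
function Get-DomainLogonService {
    param([string]$ComputerName)
    Get-WmiObject Win32_Service -ComputerName $ComputerName | Where-Object {
        $n = $_.StartName
        $n -and $n -ne 'LocalSystem' -and
        $n -notlike 'NT AUTHORITY\*' -and $n -notlike 'NT SERVICE\*' -and
        $n -notlike '.\*' -and $n -notlike "$ComputerName\*"
    }
}
Get-DomainLogonService $computer | Select-Object Name, StartName, State | Format-Table -AutoSize

# 2. Does this username/password still bind to the domain? A stale password fails
#    here. Each failed bind counts as a bad logon against the lockout threshold,
#    so test once, not in a loop. DirectoryEntry defaults to Secure authentication,
#    so the password is not sent as a clear-text simple bind.
function Test-DomainCredential {
    param([string]$User, [string]$Password, [string]$Dc)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc", $User, $Password)
    try     { [void]$entry.NativeObject; $true }   # touching NativeObject forces the bind
    catch   { $false }
    finally { $entry.Dispose() }
}

$cred  = Get-Credential -Credential 'CORP\svc_xerox'    # prompts for the password
$plain = $cred.GetNetworkCredential().Password
if (-not (Test-DomainCredential -User $cred.UserName -Password $plain -Dc $domainDc)) {
    throw "The password entered for $($cred.UserName) does not match the domain. Fix that first."
}

# 3. Store the verified credential on the service and restart it.
#    Win32_Service.Change takes positional arguments and $null leaves a property
#    unchanged; argument 7 is StartName and argument 8 is StartPassword.
$svc = Get-WmiObject Win32_Service -ComputerName $computer -Filter "Name='$svcName'"
$rc  = ($svc.Change($null,$null,$null,$null,$null,$null,$cred.UserName,$plain)).ReturnValue
if ($rc -ne 0) { throw "Win32_Service.Change failed with return code $rc" }
[void]$svc.StopService()
Start-Sleep -Seconds 3
[void]$svc.StartService()
```

Step 2 is what separates "the service account lost access" from "the service holds an old password": if the bind succeeds with the password you believe is current, the ACL side (step 1 of the earlier example) is the place to look; if it fails, no amount of permission work on the DC will help until the stored credential is corrected.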
