Can I grant a LOCAL computer account active directory permissions on a domain?

Posted on 2009-04-07
Last Modified: 2013-11-25
We have a network with 4 server 2003 servers. One of these is a domain controller, the other 2 are running different database applications with SQL 2003/2005, the 4th is running a xerox workflow program.  the 4th server was joined to the domain, however, the Xerox software is trying to process a job that contains data that it needs to pull from the domain contoller, buried inside a folder that does not have a direct share to it.  For some reason, when xerox set this up, they have a local administrator account on that machine that is responsible for retrieving the data, and they say that there is nothign they can do to change it-- they want us to just share the folders directly, with 'everyone' set to 'full control'.  If this was just ONE folder, i wouldnt mind, however, this pertains to about 6,000 plus job folders, and i am not all that comfortable with sharing them all out, nor do i want 6,000 shared folders on my server.

WHAT I would like to do, is somehow make the LOCAL ACCOUNT on the 4th server available in active directory so that i can add it to a group that has permissions on that server.  If i log on as that account (lets call it XEROX_admin) i can browse to the folder i need, and it prompts me for a username and password. If i manually enter a domain username and password that has allready been granted access to this folder, it works fine.  HOWEVER, xerox tells us that there is no way that they can set their software up to pass domain user credentials through.

Anyone have any ideas?
Question by:joelen
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 18

Expert Comment

ID: 24093999
What you should do is call your Xerox account rep to send you someone who knows what Active Directory is and not someone only knows to use local account. This is year 2009, if the person has some experience and being cooporative with you, then it should be configured with a regular Domain user account(usually catagorized as a service account) need no admin right on the domain but can be added to the local Administrators group of your 4th server if needed. That should be the proper way to set it up. Telling you to open FULL control to everyone is a bit more like---"it's not my domain, just open it up and my job is done".

You can grant access to a domain account to Local groups, but not the other way around. So, I suggest you have them fix the problem. I'm sure someone from Xerox will know how to.

Expert Comment

ID: 24094015
Add Local Account on server and add the same in the AD...Passwords must match both!
LVL 18

Assisted Solution

Americom earned 50 total points
ID: 24094052
It wouldn't work, to authenticate to the domain, even with the same user account and password, it's a different SID to the domain.

Why patch instead of fix it. Afterall, having data on a domain controller is bad enough and open to everyone is crazy. If it is not properly fix it now, it will cause you more problem down the road.
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

LVL 58

Expert Comment

ID: 24095101

Your point is incorrect. The method of creating matching accounts with the same username and password between two systems (local -> domain or even domain -> domain) is a known, valid workaround which does work.

LVL 18

Expert Comment

ID: 24099183
I know it worked on local to local, you sure it also work between local to domain? I have not tested from local and domain as i'm assuming that you need to provide domainname\accountname, without that, you sure just computername\accountname can authenticate to the domain? I have not tested this as it doesn't seem appropriate...afterall, even it work, it would not an appropriate solution in the long run, at least in my opinion.

Expert Comment

ID: 24099978
Like 2 people said above.    Add the "Xerox_admin" account into AD on the DC.  Then use that account on the Xerox server.  If the passwords match, you will be fine.

Also, if the Xerox server is in the domain, why can't you just log into it on the domain and then set all of the xerox stuff to run in that account?
LVL 18

Expert Comment

ID: 24103686
It's definitely good to know and thanks for the confirmation that the matching account & password actually work from local-->domain. I have to admitted that I have never pay much attention or trying to verify that it could work. Since you all said it would then I have no doubt it will work. As far as it also work from domain to domain, that one I kind of experienced that accidentally many years ago when setting multiple domains with the same Administrator account and password.

I guess the workaround with matching account and password can be a solution. It just that it would require to maintain extra account and making sure the passwords get sync all the time. If I have to fix this, I would definitely make the Xerox reconfigure the application to use a domain account instead of a local account. I know fixing it this is very likely can be done and would be the way to go in the long run.


Accepted Solution

joelen earned 0 total points
ID: 24103806
Thank you all for your help, as it turns out, the xerox guy we were dealing with was incorrect, and the problem was that HE had changed a domain accounts password and 'forgot' - it was NOT the local user account that needed access, but a xerox service, and the xerox service was using AD credentials with the WRONG password.  

Incidentally- the local account / domain account same password thing does not work in our environment- not from server2003 to server2003 domain controller-- i tested it from an XP box to the domain controller and that DID work for what it is worth....  so that would not have helped... but thakns for the suggestion...

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Pop-up allow list 6 41
Changing email address in Exchange 2010 2 51
AD replication issues with RODC on perimeter network 17 34
I'm being stupid with my powershell 2 28
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question