Can I grant a LOCAL computer account active directory permissions on a domain?

Posted on 2009-04-07
Last Modified: 2013-11-25
We have a network with 4 Server 2003 servers. One of these is a domain controller, the other 2 are running different database applications with SQL 2003/2005, and the 4th is running a Xerox workflow program. The 4th server was joined to the domain; however, the Xerox software is trying to process a job that contains data that it needs to pull from the domain controller, buried inside a folder that does not have a direct share to it. For some reason, when Xerox set this up, they have a local administrator account on that machine that is responsible for retrieving the data, and they say that there is nothing they can do to change it: they want us to just share the folders directly, with 'Everyone' set to 'Full Control'. If this was just ONE folder, I wouldn't mind; however, this pertains to about 6,000 plus job folders, and I am not all that comfortable with sharing them all out, nor do I want 6,000 shared folders on my server.

WHAT I would like to do is somehow make the LOCAL ACCOUNT on the 4th server available in Active Directory so that I can add it to a group that has permissions on that server. If I log on as that account (let's call it XEROX_admin), I can browse to the folder I need, and it prompts me for a username and password. If I manually enter a domain username and password that has already been granted access to this folder, it works fine. HOWEVER, Xerox tells us that there is no way that they can set their software up to pass domain user credentials through.

Anyone have any ideas?
Question by: joelen
LVL 18

Expert Comment

ID: 24093999
What you should do is call your Xerox account rep to send you someone who knows what Active Directory is and not someone who only knows how to use a local account. This is the year 2009; if the person has some experience and is being cooperative with you, then it should be configured with a regular domain user account (usually categorized as a service account) that needs no admin rights on the domain but can be added to the local Administrators group of your 4th server if needed. That should be the proper way to set it up. Telling you to open FULL control to Everyone is a bit more like "it's not my domain, just open it up and my job is done".

You can grant a domain account access to local groups, but not the other way around. So, I suggest you have them fix the problem. I'm sure someone from Xerox will know how to.

Expert Comment

ID: 24094015
Add the local account on the server and add the same in AD... Passwords must match on both!
LVL 18

Assisted Solution

Americom earned 200 total points
ID: 24094052
It wouldn't work to authenticate to the domain: even with the same user account and password, it's a different SID to the domain.

Why patch instead of fixing it? After all, having data on a domain controller is bad enough, and open to Everyone is crazy. If it is not properly fixed now, it will cause you more problems down the road.
LVL 58

Expert Comment

ID: 24095101

Your point is incorrect. The method of creating matching accounts with the same username and password between two systems (local -> domain or even domain -> domain) is a known, valid workaround which does work.

LVL 18

Expert Comment

ID: 24099183
I know it worked from local to local, but are you sure it also works from local to domain? I have not tested from local to domain, as I'm assuming that you need to provide domainname\accountname; without that, are you sure just computername\accountname can authenticate to the domain? I have not tested this as it doesn't seem appropriate... After all, even if it works, it would not be an appropriate solution in the long run, at least in my opinion.

Expert Comment

ID: 24099978
Like 2 people said above: add the "Xerox_admin" account into AD on the DC. Then use that account on the Xerox server. If the passwords match, you will be fine.

Also, if the Xerox server is in the domain, why can't you just log into it on the domain and then set all of the Xerox stuff to run in that account?
LVL 18

Expert Comment

ID: 24103686
It's definitely good to know, and thanks for the confirmation that the matching account & password actually works from local-->domain. I have to admit that I have never paid much attention or tried to verify that it could work. Since you all said it would, then I have no doubt it will work. As far as it also working from domain to domain, that one I kind of experienced accidentally many years ago when setting up multiple domains with the same Administrator account and password.

I guess the workaround with a matching account and password can be a solution. It's just that it would require maintaining an extra account and making sure the passwords stay in sync all the time. If I had to fix this, I would definitely make Xerox reconfigure the application to use a domain account instead of a local account. I know fixing it this way very likely can be done and would be the way to go in the long run.


Accepted Solution

joelen earned 0 total points
ID: 24103806
Thank you all for your help. As it turns out, the Xerox guy we were dealing with was incorrect, and the problem was that HE had changed a domain account's password and 'forgot'. It was NOT the local user account that needed access, but a Xerox service, and the Xerox service was using AD credentials with the WRONG password.

Incidentally, the local account / domain account same-password thing does not work in our environment, not from Server 2003 to a Server 2003 domain controller. I tested it from an XP box to the domain controller and that DID work, for what it is worth.... So that would not have helped... but thanks for the suggestion...
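As an added example (not from this thread or from Xerox), a PowerShell audit that lists which account each Windows service logs on as, classifies it as local or domain, and flags services whose last start failed with a logon error, which is exactly the stale-password situation the accepted answer describes. The `-ComputerName` parameter and the PowerShell 2.0+ requirement are assumptions; `Get-WmiObject` is used so it also runs against older Server 2003-era hosts.

```powershell
# Added example (not from this thread): audit service logon accounts so a service
# running under a local account, or under a domain account with a stale password,
# is found before anyone resorts to 'Everyone: Full Control' shares.
# Assumes PowerShell 2.0+ on the admin workstation; $ComputerName is a reachable server.
param([string]$ComputerName = '.')

$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$domain  = $env:USERDOMAIN   # assumption: run from a domain-joined admin workstation

Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    ForEach-Object {
        $logon = $_.StartName
        # Classify the logon account: ".\name" or "HOST\name" are local SAM accounts,
        # "DOMAIN\name" or UPN form (user@domain) are domain accounts.
        $kind = if ($logon -match '^\.\\' -or $logon -match "^$($_.SystemName)\\") { 'LOCAL' }
                elseif ($logon -match '@' -or $logon -match "^$domain\\") { 'DOMAIN' }
                else { 'OTHER' }
        New-Object PSObject -Property @{
            Host        = $_.SystemName
            Service     = $_.Name
            LogonAs     = $logon
            Kind        = $kind
            State       = $_.State
            # ExitCode 1069 = ERROR_SERVICE_LOGON_FAILED: stored password no longer matches
            LogonFailed = ($_.ExitCode -eq 1069)
        }
    } | Sort-Object Kind, Host, Service | Format-Table Host, Service, LogonAs, Kind, State, LogonFailed -AutoSize
```

Rows marked LOCAL are candidates for moving to a least-privilege domain service account; a row with LogonFailed = True is the "right account, wrong password" case that turned out to be the real fault here.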
