Can I grant a LOCAL computer account active directory permissions on a domain?

Posted on 2009-04-07
Medium Priority
Last Modified: 2013-11-25
We have a network with 4 Server 2003 servers. One of these is a domain controller, the other 2 are running different database applications with SQL 2003/2005, and the 4th is running a Xerox workflow program. The 4th server was joined to the domain; however, the Xerox software is trying to process a job that contains data that it needs to pull from the domain controller, buried inside a folder that does not have a direct share to it. For some reason, when Xerox set this up, they have a local administrator account on that machine that is responsible for retrieving the data, and they say that there is nothing they can do to change it; they want us to just share the folders directly, with 'Everyone' set to 'Full Control'. If this was just ONE folder, I wouldn't mind; however, this pertains to about 6,000-plus job folders, and I am not all that comfortable with sharing them all out, nor do I want 6,000 shared folders on my server.

WHAT I would like to do is somehow make the LOCAL ACCOUNT on the 4th server available in Active Directory so that I can add it to a group that has permissions on that server. If I log on as that account (let's call it XEROX_admin) I can browse to the folder I need, and it prompts me for a username and password. If I manually enter a domain username and password that has already been granted access to this folder, it works fine. HOWEVER, Xerox tells us that there is no way that they can set their software up to pass domain user credentials through.

Anyone have any ideas?
Question by:joelen
LVL 18

Expert Comment

ID: 24093999
What you should do is call your Xerox account rep to send you someone who knows what Active Directory is and not someone who only knows how to use a local account. This is the year 2009; if the person has some experience and is being cooperative with you, then it should be configured with a regular domain user account (usually categorized as a service account) that needs no admin rights on the domain but can be added to the local Administrators group of your 4th server if needed. That should be the proper way to set it up. Telling you to open Full Control to Everyone is a bit more like "it's not my domain, just open it up and my job is done".

You can grant access to a domain account in local groups, but not the other way around. So, I suggest you have them fix the problem. I'm sure someone from Xerox will know how to.
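As an added example (not code from this thread, from Xerox, or from Experts Exchange), this is the setup the comment above recommends, written as Server 2003 era commands: one domain service account with read-only NTFS rights on a single parent share, and no Everyone / Full Control anywhere. The domain CORP, the account XeroxSvc, the group XeroxJobReaders, the folder D:\JobData, the DC name DC01 and the service name XeroxWorkflow are all assumed placeholders, and icacls assumes Server 2003 SP2.

```batch
@echo off
REM Added example, not from the thread or the vendor. All names below are
REM assumed placeholders: domain CORP, account XeroxSvc, group XeroxJobReaders,
REM job folder D:\JobData on the DC (DC01), app server service "XeroxWorkflow".

REM 1. On the DC: create the service account (the * prompts for the password,
REM    so it is not left in the script) and a group that carries the rights.
net user XeroxSvc * /add /domain /passwordchg:no /comment:"Xerox workflow service"
net group XeroxJobReaders /add /domain /comment:"Read access to Xerox job folders"
net group XeroxJobReaders XeroxSvc /add /domain

REM 2. On the DC: one share on the parent folder instead of 6,000 shares.
REM    Read-only NTFS rights go to the group and are inherited (OI)(CI) by
REM    every job folder beneath it; the share itself adds nothing broader.
icacls D:\JobData /grant "CORP\XeroxJobReaders:(OI)(CI)R"
net share JobData=D:\JobData /remark:"Xerox job folders (NTFS-restricted)"

REM 3. On the app server: run the Xerox service as the domain account.
REM    Local Administrators membership is only added if the vendor software
REM    genuinely needs it. Note: sc config does not grant "Log on as a
REM    service"; set the logon account in the Services console (which grants
REM    it automatically) or with ntrights from the resource kit.
net localgroup Administrators CORP\XeroxSvc /add
sc config "XeroxWorkflow" obj= "CORP\XeroxSvc" password= "<service-account-password>"
net stop "XeroxWorkflow" & net start "XeroxWorkflow"

REM 4. Verify: the service account can read the share, and no Everyone
REM    entry remains on the job folder tree.
runas /user:CORP\XeroxSvc "cmd /c dir \\DC01\JobData"
icacls D:\JobData | findstr /i "Everyone"
```

The final findstr line is the check worth keeping: it should print nothing; any Everyone entry on the job tree means a Full Control share from the vendor's suggestion is still in place.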

Expert Comment

ID: 24094015
Add the local account on the server and add the same in AD... the passwords must match on both!
LVL 18

Assisted Solution

Americom earned 200 total points
ID: 24094052
It wouldn't work to authenticate to the domain; even with the same user account and password, it's a different SID from the domain's.

Why patch instead of fix it? After all, having data on a domain controller is bad enough, and open to everyone is crazy. If it is not properly fixed now, it will cause you more problems down the road.
LVL 58

Expert Comment

ID: 24095101

Your point is incorrect. The method of creating matching accounts with the same username and password between two systems (local -> domain or even domain -> domain) is a known, valid workaround which does work.

LVL 18

Expert Comment

ID: 24099183
I know it worked local to local; are you sure it also works between local and domain? I have not tested from local to domain, as I'm assuming that you need to provide domainname\accountname; without that, are you sure just computername\accountname can authenticate to the domain? I have not tested this as it doesn't seem appropriate... after all, even if it works, it would not be an appropriate solution in the long run, at least in my opinion.

Expert Comment

ID: 24099978
Like 2 people said above: add the "Xerox_admin" account into AD on the DC. Then use that account on the Xerox server. If the passwords match, you will be fine.

Also, if the Xerox server is in the domain, why can't you just log into it on the domain and then set all of the Xerox stuff to run in that account?
LVL 18

Expert Comment

ID: 24103686
It's definitely good to know, and thanks for the confirmation that the matching account & password actually works from local-->domain. I have to admit that I have never paid much attention or tried to verify that it could work. Since you all said it would, I have no doubt it will work. As far as it also working from domain to domain, that one I kind of experienced accidentally many years ago when setting up multiple domains with the same Administrator account and password.

I guess the workaround with matching account and password can be a solution. It's just that it would require maintaining an extra account and making sure the passwords stay in sync all the time. If I had to fix this, I would definitely make Xerox reconfigure the application to use a domain account instead of a local account. I know fixing it this way can very likely be done and would be the way to go in the long run.


Accepted Solution

joelen earned 0 total points
ID: 24103806
Thank you all for your help. As it turns out, the Xerox guy we were dealing with was incorrect, and the problem was that HE had changed a domain account's password and 'forgot'. It was NOT the local user account that needed access, but a Xerox service, and the Xerox service was using AD credentials with the WRONG password.

Incidentally, the local account / domain account same-password thing does not work in our environment, not from Server 2003 to a Server 2003 domain controller. I tested it from an XP box to the domain controller and that DID work, for what it is worth... so that would not have helped... but thanks for the suggestion...
