Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Can I grant a LOCAL computer account active directory permissions on a domain?

Posted on 2009-04-07
8
581 Views
Last Modified: 2013-11-25
We have a network with 4 server 2003 servers. One of these is a domain controller, the other 2 are running different database applications with SQL 2003/2005, the 4th is running a xerox workflow program.  the 4th server was joined to the domain, however, the Xerox software is trying to process a job that contains data that it needs to pull from the domain contoller, buried inside a folder that does not have a direct share to it.  For some reason, when xerox set this up, they have a local administrator account on that machine that is responsible for retrieving the data, and they say that there is nothign they can do to change it-- they want us to just share the folders directly, with 'everyone' set to 'full control'.  If this was just ONE folder, i wouldnt mind, however, this pertains to about 6,000 plus job folders, and i am not all that comfortable with sharing them all out, nor do i want 6,000 shared folders on my server.

WHAT I would like to do, is somehow make the LOCAL ACCOUNT on the 4th server available in active directory so that i can add it to a group that has permissions on that server.  If i log on as that account (lets call it XEROX_admin) i can browse to the folder i need, and it prompts me for a username and password. If i manually enter a domain username and password that has allready been granted access to this folder, it works fine.  HOWEVER, xerox tells us that there is no way that they can set their software up to pass domain user credentials through.

Anyone have any ideas?
0
Comment
Question by:joelen
8 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 24093999
What you should do is call your Xerox account rep to send you someone who knows what Active Directory is and not someone only knows to use local account. This is year 2009, if the person has some experience and being cooporative with you, then it should be configured with a regular Domain user account(usually catagorized as a service account) need no admin right on the domain but can be added to the local Administrators group of your 4th server if needed. That should be the proper way to set it up. Telling you to open FULL control to everyone is a bit more like---"it's not my domain, just open it up and my job is done".

You can grant access to a domain account to Local groups, but not the other way around. So, I suggest you have them fix the problem. I'm sure someone from Xerox will know how to.
0
 

Expert Comment

by:Cobra705
ID: 24094015
Add Local Account on server and add the same in the AD...Passwords must match both!
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 24094052
It wouldn't work, to authenticate to the domain, even with the same user account and password, it's a different SID to the domain.

Why patch instead of fix it. Afterall, having data on a domain controller is bad enough and open to everyone is crazy. If it is not properly fix it now, it will cause you more problem down the road.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 58

Expert Comment

by:tigermatt
ID: 24095101
Americom,

Your point is incorrect. The method of creating matching accounts with the same username and password between two systems (local -> domain or even domain -> domain) is a known, valid workaround which does work.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24099183
I know it worked on local to local, you sure it also work between local to domain? I have not tested from local and domain as i'm assuming that you need to provide domainname\accountname, without that, you sure just computername\accountname can authenticate to the domain? I have not tested this as it doesn't seem appropriate...afterall, even it work, it would not an appropriate solution in the long run, at least in my opinion.
0
 

Expert Comment

by:GMDtech
ID: 24099978
Like 2 people said above.    Add the "Xerox_admin" account into AD on the DC.  Then use that account on the Xerox server.  If the passwords match, you will be fine.

Also, if the Xerox server is in the domain, why can't you just log into it on the domain and then set all of the xerox stuff to run in that account?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24103686
It's definitely good to know and thanks for the confirmation that the matching account & password actually work from local-->domain. I have to admitted that I have never pay much attention or trying to verify that it could work. Since you all said it would then I have no doubt it will work. As far as it also work from domain to domain, that one I kind of experienced that accidentally many years ago when setting multiple domains with the same Administrator account and password.

I guess the workaround with matching account and password can be a solution. It just that it would require to maintain extra account and making sure the passwords get sync all the time. If I have to fix this, I would definitely make the Xerox reconfigure the application to use a domain account instead of a local account. I know fixing it this is very likely can be done and would be the way to go in the long run.

0
 

Accepted Solution

by:
joelen earned 0 total points
ID: 24103806
Thank you all for your help, as it turns out, the xerox guy we were dealing with was incorrect, and the problem was that HE had changed a domain accounts password and 'forgot' - it was NOT the local user account that needed access, but a xerox service, and the xerox service was using AD credentials with the WRONG password.  

Incidentally- the local account / domain account same password thing does not work in our environment- not from server2003 to server2003 domain controller-- i tested it from an XP box to the domain controller and that DID work for what it is worth....  so that would not have helped... but thakns for the suggestion...
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article runs through the process of deploying a single EXE application selectively to a group of user.
When you’re making plans to join the modern business race, you should analyze various details that may affect your results. Nowadays, millions of businesses are trying to grow into established and appreciated professional enterprises.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question