Can a single AD user be in use on multiple machines?

Posted on 2010-08-17
Medium Priority
Last Modified: 2012-05-10
I am new to server administration, and I have a small business with 10 PCs connected to a LAN with a 2003 Server on the LAN.

Currently we do not take advantage of AD and simply use the 2003 server as a file server with folders shared for everyone to access.

We do not need a separate login for each user.  In fact, that would be counterproductive as the users float among the PCs in the office - following patients through the office.  Having to log in to every workstation when they used it would slow them down.

I am looking into some software to filter web content and I would like for the owner to have a roaming login so that I can treat her differently than the employees.  Can I have a single AD entry for employee use and have it in use simultaneously on all 10 clients or is there a better way to do this (like assigning an account to each machine and using auto login or giving all logins the same password - since all employees need access to all workstations)?

I need to be able to treat the owner differently to give her separate restrictions when web surfing than the employees have.

Also, do you know of any resources that would explain roaming logins (how they work, how to administer, etc.)?

Question by:cerksees
Expert Comment

ID: 33452305
Yes, you can log in on multiple computers, but this way you lose many features of AD.
Why not use switch user on workstations? It is not so time-consuming...
LVL 24

Expert Comment

by:Mike Thomas
ID: 33452331
As above, yes, you can have multiple logins. By roaming logins I think you mean roaming profiles? All this means is that the profile is stored on a server and loads/saves to the server rather than a local PC. This means the profile can be loaded to any PC from the server, which will mean it is consistent between the PCs that the user is logging onto. However, changes are saved back to the server at log off, so this might not work well with a single user account logged in to 10 workstations at once.


Expert Comment

ID: 33452333
There is no harm in using a single AD account on multiple computers... It will not slow down anything.
The main disadvantage is security... (If something happened, you cannot identify who did what task, because a single user is granted multiple logins.)

Regarding web filtering: you can opt for Websense (AD integrated) or the freeware OpenDNS.

Roaming profile:

Let us know if there is anything more specific you want to know.
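
Added example (not part of the original thread or any poster's code): a sketch of the accountability gap raised in the comment above, showing how far an audited action can be traced when one employee account is logged on to several PCs at once. The session records, the account names `staff` and `owner`, and the workstation names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample logon sessions: (account, workstation, logon, logoff).
SESSIONS = [
    ("staff", "PC01", "08:00", "17:00"),
    ("staff", "PC02", "08:05", "17:00"),
    ("staff", "PC03", "08:10", "12:30"),
    ("owner", "PC04", "09:00", "09:30"),
]
SHARED_ACCOUNTS = {"staff"}  # assumption: one account used by every employee


def _t(hhmm):
    return datetime.strptime(hhmm, "%H:%M").time()


def active_sessions(account, when):
    """Sessions of `account` that were open at time `when` (HH:MM)."""
    w = _t(when)
    return [s for s in SESSIONS
            if s[0] == account and _t(s[2]) <= w < _t(s[3])]


def attribute(account, when, source=None):
    """Say how far an audited action can be traced.

    `source` is the workstation named in the audit record, if it has one.
    Returns (level, workstations): level is 'person', 'workstation',
    'ambiguous' or 'unknown'.
    """
    sessions = active_sessions(account, when)
    if source is not None:
        sessions = [s for s in sessions if s[1] == source]
    stations = sorted({s[1] for s in sessions})
    if not stations:
        return ("unknown", [])
    if len(stations) > 1:
        return ("ambiguous", stations)
    # One matching session: a shared account still names no individual.
    level = "workstation" if account in SHARED_ACCOUNTS else "person"
    return (level, stations)


if __name__ == "__main__":
    for event in [("staff", "10:00", None), ("staff", "14:00", "PC02"),
                  ("owner", "09:15", None)]:
        print(event, "->", attribute(*event))
```

With the shared account, the best possible answer is a workstation, and only when the audit record names one; the separately identified owner account resolves to a person.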

Expert Comment

ID: 33452348
Yes, you can.
LVL 12

Expert Comment

ID: 33452349
Using one account for everybody is OK and will work. Do not consider auto-logon for all workstations, that would be rather irresponsible.
If your patients are going near the PCs in the office, especially unattended, make sure to automatically lock workstations (read about Group Policy), and teach people how to use Windows+L to lock the PC when they step away from the desk. Even with a simple password, this will prevent curious people snooping, and unlocking takes just a moment.

Author Comment

ID: 33452381
I am looking at Race River's Integard (http://www.raceriver.com/Integard_Professional.htm) as a possible solution for web filtering.  It isn't too expensive and looks to be flexible in how it is used.

The reason I was asking about a roaming profile was for the owner.  She may sit at different computers - depending on what she needs to do.  And, she needs to be uniquely identified to allow Integard to give her a different set of web content filters than the employees.

This is a small dental office.  Ideally every computer would have the exact same desktop - as they all use the same software on all workstations.  But, in this dental office, the employees may sign a person in on one PC, do paperwork on another, scan xrays on a third then the doctors grab that info before doing work on a fourth PC.

The employees are all over the office and the pace is very hectic.  They are all about getting people seen quickly.  Having to log into each PC to work would be unacceptable and unenforceable - there would be no way to tell when they walked away from one desktop to another and they would all simply begin to use one another's logins and just stay logged in at one workstation for the day.

The main goal here is to give the owner a way to differentiate her login on the network for web content filtering.  Also, it would be great to have every desktop the same, but I am not sure how to accomplish that short of a roaming profile - which would probably not work logged in to 10 client workstations at the same time.

As for it not being time consuming to log into a workstation....the employees complain about waiting for a database refresh for 3 seconds.  So it would be a nightmare for them.
LVL 15

Expert Comment

ID: 33452444
Judging by your question, it would be best practice to put certain policies in place. I would strongly recommend Roaming User Profiles. This will allow users to log on to any PC and their Profiles will follow. The Profiles reside on the Server, this makes it secure. One thing to look out for when setting up Roaming Profiles is that there is sufficient space on the Server and also the client's desktops, because Roaming Profiles can grow quite large.

Also regarding web filtering, you can look at this 2 ways - software filtering or hardware filtering. I would personally recommend software filtering. I use Webmarshal which is a very good product by M86 Security. It comes with GUI console and reports so you can view all active sessions on the net and then with reports you can see who is doing what on a chart basis. You can block any site you want, and you can configure who can access the internet and this works via a proxy which you can tie down through Group Policy. You can download a trial version for 30 days at no cost.

Author Comment

ID: 33452691
As I said, these people complain about a 3 second refresh of the Dentrix software!

There is NO POSSIBLE WAY that they will be OK with logging into PCs all day long.  Especially when the data that they need to access takes a shorter time to pull up than logging in does.

Roaming profiles for all employees is NOT an option for this environment.

I looked at Webmarshal's site and saw no prices.  That generally means that it will be too expensive for what it offers and for what they need.  I hate companies that are afraid to put their prices online and won't even bother to test their software.

The Integard product is only $185 for 10 users per year.  Very reasonable.  I will test it today.
LVL 24

Accepted Solution

Mike Thomas earned 2000 total points
ID: 33452707
@cerksees It sounds like what you want to do is perfectly reasonable, and Webmarshal is a great product but will be pricey.
LVL 32

Expert Comment

ID: 33453101
The reality is that a true roaming profile requires AD and there is no way around this if you want desktop and data to properly follow a user or group of users.

That being said, I think it's time you present a different solution.  The solution is virtual desktops. The workstations that are currently in the office become thin clients (sort of).  You would then implement XenDesktop (free for up to 10 users and a XenServer also free).  By doing this, each user can leave their desktop profile running and it will always be available to them.


Question has a verified solution.
