

Can a single AD user be in use on multiple machines?

Posted on 2010-08-17
Medium Priority
Last Modified: 2012-05-10
I am new to server administration, and I have a small business with 10 PCs connected to a lan with a 2003 Server on the lan.

Currently we do not take advantage of AD and simply use the 2003 server as a file server with folders shared for everyone to access.

We do not need a separate login for each user.  In fact, that would be counter productive as the users float among the PCs in the office - following patients through the office.  Having to login to every workstation when they used it would slow them down.

I am looking into some software to filter web content and I would like for the owner to have a roaming login so that I can treat her differently than the employees.  Can I have a single AD entry for employee use and have it in use simultaneously on all 10 clients or is there a better way to do this (like assigning an account to each machine and using auto login or giving all logins the same password - since all employees need access to all workstations)?

I need to be able to treat the owner differently to give her separate restrictions when web surfing than the employees have.

Also, do you know of any resources that would explain roaming logins (how they work, how to administer, etc.)?

Question by:cerksees

Expert Comment

ID: 33452305
Yes, you can log in on multiple computers, but this way you lose many features of AD.
Why not use switch user on workstations? It is not so time consuming...
LVL 24

Expert Comment

by:Mike Thomas
ID: 33452331
As above, yes you can have multiple logins. By roaming logins I think you mean roaming profiles? All this means is that the profile is stored on a server and loads/saves to the server rather than a local PC. This means the profile can be loaded to any PC from the server, which will mean it is consistent between the PCs that the user is logging onto. However, changes are saved back to the server at log off, so this might not work well with a single user account logged in to 10 workstations at once.


Expert Comment

ID: 33452333
There is no harm in using a single AD account on multiple computers... It will not slow down anything.
The main disadvantage is security... (If something happened, you cannot identify who did what task, because a single user is granted multiple logins.)

Regarding web filtering – you can opt for Websense (AD integrated) or the freeware OpenDNS.

Roaming profile:

Let us know if there is anything more specific you want to know.


Expert Comment

ID: 33452348
Yes, you can.
LVL 12

Expert Comment

ID: 33452349
Using one account for everybody is OK and will work. Do not consider auto-logon for all workstations, that would be rather irresponsible.
If your patients are going near the PCs in the office, especially unattended, make sure to automatically lock workstations (read about Group Policy), and teach people how to use Windows+L to lock the PC when they step away from the desk. Even with a simple password, this will prevent curious people snooping, and unlocking takes just a moment.
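
The automatic lock recommended in the comment above is usually delivered through the Group Policy screen saver settings, which are stored as registry values under the user's policy key. As an added example (not part of the original thread), this PowerShell script checks whether those values would actually lock an idle workstation; the function names and the 300-second threshold are assumptions.

```powershell
# Added example: checks the per-user screen saver lock policy that Group Policy
# writes to the registry. Function names and the 300 s threshold are assumptions.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-LockPolicy {
    # Read the three policy values for the current user; missing values stay $null.
    $policy = @{}
    $props = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $policy[$name] = if ($props) { $props.$name } else { $null }
    }
    return $policy
}

function Test-LockPolicy {
    param(
        [hashtable] $Policy,            # value name -> string data
        [int] $MaxTimeoutSeconds = 300  # assumed limit for an open office
    )
    $findings = @()
    if ($Policy['ScreenSaveActive'] -ne '1') {
        $findings += 'Screen saver is not enforced by policy'
    }
    if ($Policy['ScreenSaverIsSecure'] -ne '1') {
        $findings += 'Resuming from the screen saver does not require a password'
    }
    $timeout = 0
    $raw = [string]($Policy['ScreenSaveTimeOut'])
    if (-not ([int]::TryParse($raw, [ref]$timeout)) -or $timeout -le 0) {
        $findings += 'No idle timeout is set by policy'
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout of $timeout s exceeds the $MaxTimeoutSeconds s limit"
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample data (not read from a real machine).
$samples = [ordered]@{
    'locked-down'  = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '180' }
    'no-password'  = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '0'; ScreenSaveTimeOut = '180' }
    'unconfigured' = @{}
}
foreach ($name in $samples.Keys) {
    $result = Test-LockPolicy -Policy $samples[$name]
    '{0,-13} compliant={1} {2}' -f $name, $result.Compliant, ($result.Findings -join '; ')
}

# On a domain-joined Windows workstation, check the logged-on user's live policy:
if (Test-Path 'HKCU:\') { Test-LockPolicy -Policy (Get-LockPolicy) | Format-List }
```

Because the policy is per user, a single shared employee account receives the same lock settings on every workstation it is logged on to.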

Author Comment

ID: 33452381
I am looking at Race River's Integard (http://www.raceriver.com/Integard_Professional.htm) as a possible solution for web filtering.  It isn't too expensive and looks to be flexible in how it is used.

The reason I was asking about a roaming profile was for the owner.  She may sit at different computers - depending on what she needs to do.  And, she needs to be uniquely identified to allow Integard to give her a different set of web content filters than the employees.

This is a small dental office.  Ideally every computer would have the exact same desktop - as they all use the same software on all workstations.  But, in this dental office, the employees may sign a person in on one PC, do paperwork on another, scan xrays on a third then the doctors grab that info before doing work on a fourth PC.

The employees are all over the office and the pace is very hectic.  They are all about getting people seen quickly.  Having to log into each PC to work would be unacceptable and unenforceable - there would be no way to tell when they walked away from one desktop to another and they would all simply begin to use one another's logins and just stay logged in at one workstation for the day.

The main goal here is to give the owner a way to differentiate her login on the network for web content filtering.  Also, it would be great to have every desktop the same, but I am not sure how to accomplish that short of a roaming profile - which would probably not work logged in to 10 client workstations at the same time.

As for it not being time consuming to log into a workstation....the employees complain about waiting for a database refresh for 3 seconds.  So it would be a nightmare for them.
LVL 15

Expert Comment

ID: 33452444
Judging by your question, it would be best practice to put certain policies in place. I would strongly recommend Roaming User Profiles. This will allow users to logon to any PC and their Profiles will follow. The Profiles reside on the Server, this makes it secure. Things to look out for when setting up Roaming Profiles is that there is sufficient space on the Server and also the client's desktops, because Roaming Profiles can grow quite large.

Also regarding web filtering, you can look at this two ways - software filtering or hardware filtering. I would personally recommend software filtering. I use Webmarshal which is a very good product by M86 Security. It comes with GUI console and reports so you can view all active sessions on the net and then with reports you can see who is doing what on a chart basis. You can block any site you want, and you can configure who can access the internet and this works via a proxy which you can tie down through Group Policy. You can download a trial version for 30 days at no cost.

Author Comment

ID: 33452691
As I said, these people complain about a 3 second refresh of the Dentrix software!

There is NO POSSIBLE WAY that they will be OK with logging into PCs all day long.  Especially when the data that they need to access takes a shorter time to pull up than logging in does.

Roaming profiles for all employees is NOT an option for this environment.

I looked at Webmarshal's site and saw no prices.  That generally means that it will be too expensive for what it offers and for what they need.  I hate companies that are afraid to put their prices online and won't even bother to test their software.

The Integard product is only $185 for 10 users per year.  Very reasonable.  I will test it today.
LVL 24

Accepted Solution

Mike Thomas earned 2000 total points
ID: 33452707
@cerksees It sounds like what you want to do is perfectly reasonable, and Webmarshal is a great product but will be pricey.
LVL 32

Expert Comment

ID: 33453101
The reality is that a true roaming profile requires AD and there is no way around this if you want desktop and data to properly follow a user or group of users.

That being said, I think it's time you present a different solution.  The solution is virtual desktops. The workstations that are currently in the office become thin clients (sort of).  You would then implement XenDesktop (free for up to 10 users, and a XenServer, also free).  By doing this, each user can leave their desktop profile running and it will always be available to them.



Question has a verified solution.
