  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 353

joined to a domain / removed from domain

A few questions.

1) How (in real basic management terminology) does a machine come to be joined to a corporate Windows network domain? What process has to be taken for it to be added to the domain?

2) Or is it as simple as plugging in the network cable, creating a domain user and then logging in as that user, and subsequently the machine the user logged in on is automatically joined to the domain?

3) At the same time, what process has to be taken for a machine to be removed from the domain? Or can that be automatic? I.e. if it has not logged into the domain for 6 months, is it removed from the domain?

4) Is it possible for a user on a computer not joined to the domain to still access network resources, such as file servers, corporate intranet, internet service, Exchange etc.? If so, how does that work?
0
Asked by pma111
7 Solutions
 
Techn9cian commented:
1.) Under computer properties you can change the computer to be on a domain instead of a workgroup.
2.) The machine would need to be added to the domain first manually before a domain user can log on or the domain will not show up in the list on the log on screen.
3.) You can manually remove the computer from active directory so that the computer is no longer on the domain or run a script to remove any computers that have not contacted the domain in a certain time frame.
4.) You can still access network resources by plugging directly into the network.
0
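Techn9cian's point 3 mentions scripting the removal of computers that have not contacted the domain in a certain time frame. The following is an added example, not code from the thread, showing how that check is usually done with the RSAT ActiveDirectory module: it lists computer accounts whose lastLogonTimestamp is older than a cutoff and, in a second step, disables them for review rather than deleting them outright. Function names and the 90/180-day thresholds are assumptions.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory
# module and an account allowed to read and modify computer objects.
Import-Module ActiveDirectory

function Get-StaleDomainComputer {
    param([int]$InactiveDays = 90)

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # lastLogonTimestamp replicates to every DC but is only refreshed when the
    # stored value is more than ~14 days old, so a hit means "at least this stale".
    Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
                   -Properties LastLogonTimeStamp, OperatingSystem |
        Select-Object Name, OperatingSystem, DistinguishedName,
            @{ Name = 'LastLogon'
               Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
}

function Disable-StaleDomainComputer {
    # SupportsShouldProcess gives the function -WhatIf / -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$InactiveDays = 90)

    foreach ($c in Get-StaleDomainComputer -InactiveDays $InactiveDays) {
        $why = "inactive since $($c.LastLogon)"
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable computer account ($why)")) {
            # Disabling is reversible; deleting the object is not, and a machine
            # that was merely off the network for a while can be re-enabled.
            Disable-ADAccount -Identity $c.DistinguishedName
            Set-ADComputer -Identity $c.DistinguishedName `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $why"
        }
    }
}

# Report first, then do a dry run of the disable step before running it for real.
Get-StaleDomainComputer -InactiveDays 180 | Format-Table Name, LastLogon, OperatingSystem
Disable-StaleDomainComputer -InactiveDays 180 -WhatIf
```

Note that an object missing from this report can still be a real machine that simply never joined the domain, which is the separate situation pma111 describes later in the thread.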
 
Govvy commented:
1. http://technet.microsoft.com/en-us/library/bb456990.aspx

2. No, it requires a process either manual or via script by a domain Administrator

3. You could script this via NETDOM REMOVE command

4. Yes although domain credentials will need to be provided unless the resource is permissioned to allow access to EVERYONE instead of DOMAIN USERS group
0
 
pma111 (Author) commented:
Can you tell me the difference between a domain and a workgroup, and where a domain would be utilised as opposed to a workgroup? I prefer your comments as opposed to links.
0

 
Paul MacDonald (Director, Information Systems) commented:
A domain is a centralized management entity.  A workgroup is a loosely aggregated bunch of computers.  

You would create a domain in order to manage a group of users, computers, and resources.  You would create a workgroup where you simply needed to share a few resources among computers.
0
 
pma111 (Author) commented:
>>2.) The machine would need to be added to the domain first manually before a domain user can log on or the domain will not show up in the list on the log on screen.


What does this process involve?
0
 
pma111 (Author) commented:
@paulmacd - so it essentially comes down to size?

I.e. you wouldn't need a domain for a network of 20 users, but you would for a network of say 2000?
0
 
Techn9cian commented:
What OS?
0
 
jgutz20 commented:
Well, a domain will have a dedicated DNS server, which will translate the local IP addresses of machines to easier-to-remember names like DESKTOP01 or whatever. A domain has more security, centralized management, single sign-on, etc. There's not really a short answer for this.

Workgroups are what a Windows machine will use by default. They will allow you to use the same NetBIOS names instead of IP addresses, but it's each individual machine's responsibility to broadcast its machine name and address, and each machine manages its own file shares, passwords etc. So unless you create the same user accounts on multiple machines, you will be typing in multiple passwords as you want to access shared objects.

Ohh, and you must have Win2000, XP Pro, Vista Pro/Ultimate or Win7 Pro/Ultimate to join the domain; you cannot use a "home" operating system.
0
 
pma111 (Author) commented:
dc's 2003 server
workstations xp
0
 
Paul MacDonald (Director, Information Systems) commented:
"What does this process involve?"
Depends on what you mean. Adding a user to a Windows domain involves using the "Users and Computers" utility on a domain controller to create a domain account.

Adding a Windows computer to a domain involves (as [Techn9cian] noted) going to that computer, bringing up the properties for the machine and specifying that it is to be a machine in the domain. A person with administrative privileges in the domain has to do the joining.
0
 
pma111 (Author) commented:
So a network could contain both workgroups and 1/2 domains?

How can you identify all workgroups on the network?

0
 
Paul MacDonald (Director, Information Systems) commented:
"@paulmacd - so it essentially comes down to size?

I.e. you wouldn't need a domain for a network of 20 users, but you would for a network of say 2000?
"

Occasionally, but not necessarily. It really comes down to how much control you need/want to exert over the network and its resources. In this case, resources include people, machines, shares, etc. A domain is a management entity. It gives you centralized control over the resources it contains.
0
 
Snibborg commented:
A workgroup is a collection of computers that each have their own security policies.  For example, if you require one workstation to give access to a user on a different workstation, you would have to set up accounts with the same name and password on each workstation.  In other words, a lot of duplication of effort.

A domain allows you to control the behavior of a large number of servers and workstations from one central source.  So, to use the above analogy, if you wanted to get one person to share a folder with another user, you just add the user to the group to allow it.  Much more efficient for large numbers of computers where people are sharing and restricting data access.

Domains can do far more than this.  They allow people to log on to different computers without having to set up access in advance.  You can also use the domain to control the access that the users have to resources, for example if you do not wish to allow users to install software, this can be controlled by adjusting their group policy.

I could go on and on, but I'm sure this gives you a brief idea.  The crossover point between using workgroups as opposed to domains depends upon the data control, the number of users and the complexity of the network.

Snibborg
0
 
pma111 (Author) commented:
3) Why would you remove computers from a domain?

Can you provide a few reasons why this would be done?

The reason I ask is our auditors matched our hard copy inventory to all computers in the ADUC console, and there's over 400 on our hard copy not on an "all computers" query in ADUC.

Trying to get my head around why.
0
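The auditors' check described above (a hard-copy inventory matched against every computer in ADUC) can be repeated from PowerShell. This is an added example, not code from the thread: it assumes the inventory has been typed into a CSV with a "Hostname" column (the column name and file path are assumptions) and compares it against every computer object in AD, reporting the devices that appear on the inventory but have no domain account, and the reverse.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory
# module; the CSV layout and path are assumptions.
Import-Module ActiveDirectory

function Compare-InventoryToAD {
    param(
        [Parameter(Mandatory)] [string]$InventoryCsv,
        [string]$NameColumn = 'Hostname'
    )
    # Normalise both sides to upper-case short names so that
    # "desktop01.corp.local" on the inventory matches "DESKTOP01" in AD.
    $inventory = Import-Csv -Path $InventoryCsv |
        ForEach-Object { ($_.$NameColumn -split '\.')[0].Trim().ToUpper() } |
        Where-Object { $_ } | Sort-Object -Unique

    $domain = Get-ADComputer -Filter * |
        ForEach-Object { $_.Name.ToUpper() } | Sort-Object -Unique

    # Compare-Object marks '=>' for names only on the inventory (no AD object)
    # and '<=' for AD objects that the inventory does not know about.
    Compare-Object -ReferenceObject $domain -DifferenceObject $inventory |
        ForEach-Object {
            [pscustomobject]@{
                Host   = $_.InputObject
                Status = if ($_.SideIndicator -eq '=>') { 'InventoryOnly' } else { 'ADOnly' }
            }
        }
}

$result = Compare-InventoryToAD -InventoryCsv 'C:\audit\inventory.csv'
$result | Group-Object Status | Select-Object Name, Count
$result | Where-Object Status -eq 'InventoryOnly' | Sort-Object Host | Format-Table
```

The 'ADOnly' list is the other half of the picture: objects that exist in the directory but not on the floor, which is the stale-account case Paul describes in his reply.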
 
Paul MacDonald (Director, Information Systems) commented:
"So a network could contain both workgroups and 1/2 domains?

How can you identify all workgroups on the network?
"

It could, but that seems redundant and...undesirable.

As to identifying workgroups, you'd need to know about them ahead of time.  As noted, there's no centralized management of workgroups.

0
 
Paul MacDonald (Director, Information Systems) commented:
"The reason I ask is our auditors matched our hard copy inventory to all computers in the ADUC console, and there's over 400 on our hard copy not on an "all computers" query in ADUC.

Trying to get my head around why.
"

It's possible old computers have been removed (physically) from the network, but their Active Directory object still exists. Active Directory wouldn't know to remove them, since Active Directory wouldn't know they weren't coming back. It's a simple enough thing to just right-click and delete the object in ADUC.
0
 
pma111 (Author) commented:
Hey - no, I am saying we have 400 devices on a physical inventory that AREN'T in the domain...
0
 
pma111 (Author) commented:
Does the EVERYONE group = anyone with any machine with a corporate network cable plugged in?
0
 
x3man commented:
  "Does the EVERYONE group = anyone with any machine with a corporate network cable plugged in?"

Depends on the Server version as access in this way (without credentials) relies on the "anonymous" account.

For Windows Server 2008 "everyone" group identity:

http://technet.microsoft.com/en-us/magazine/dd637754.aspx

For Windows Server 2003, refer to:

http://technet.microsoft.com/en-us/library/cc780850(WS.10).aspx

So server 2003 and earlier "everyone" includes anonymous. 2008 does not.
0
 
Paul MacDonald (Director, Information Systems) commented:
Sorry, I didn't suss you had 400 nodes not in AD. That's certainly possible, but probably not ideal. Is it possible they belong to a different network? Or perhaps they have a specialized job that doesn't require (or maybe makes them undesirable for) inclusion in Active Directory?

Everyone = anyone with access to the network. This includes people with AND WITHOUT accounts in Active Directory.

0
 
x3man commented:
Sorry typo, meant to say "So earlier than server 2003 "everyone" includes anonymous. 2003/2008 does not."
0
 
pma111 (Author) commented:
50 are in a high security domain, so we have 350 to go.

Can you provide some examples on:

"Or perhaps they have a specialized job that doesn't require (or maybe makes them undesirable for) inclusion in Active Directory?"

Thanks Paul
0
 
pma111 (Author) commented:
So just to clarify re Everyone.

If you have a share with Everyone on the ACL, does that mean anyone who plugs their own machine into the LAN can get at that share? Or, as that share is on a server IN the domain, is that a compensating control?
0
 
Paul MacDonald (Director, Information Systems) commented:
Maybe they're machines for running CNC equipment? Maybe they're machines that are used for timeclocks? Maybe they're used for CD duplication? Maybe they're used for print servers? Maybe they run the ventilation system? That's the gist of what I'm thinking of.

Are these machines you can lay hands on? Or are they just line items on an inventory somewhere? If the latter, is it possible they've been decommissioned and disposed of? Or given to employees to take home (so they can work from home)?
0
 
Paul MacDonald (Director, Information Systems) commented:
"If you have a share with Everyone on the ACL, does that mean anyone who plugs their own machine into the LAN can get at that share?"
Yes.  If you just want people with domain accounts to access those resources, you need to remove Everyone and share with Domain Users.
0
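Paul's advice is to remove Everyone from the share and grant Domain Users instead. As an added example (not from the thread), the block below finds the SMB shares on a file server that grant Everyone and then swaps that entry for Domain Users on a named share. It assumes the Smb* cmdlets, which exist on Windows 8 / Server 2012 and later (so a newer file server than the 2003 boxes in the thread); the function names and the share name are assumptions.

```powershell
# Added example (not from the thread). Run on the file server itself with
# rights to change share permissions. Share names here are assumptions.

function Get-ShareOpenToEveryone {
    # Share-level permissions only. NTFS permissions on the underlying folder
    # are a second layer; check those with Get-Acl on the share path as well.
    Get-SmbShare |
        Where-Object { -not $_.Special } |          # skip C$, ADMIN$, IPC$ ...
        Get-SmbShareAccess |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object Name, AccountName, AccessRight
}

function Set-ShareAccessDomainUsers {
    # Replaces the Everyone entry on one share with Domain Users.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$ShareName,
        [string]$Group = "$env:USERDOMAIN\Domain Users",
        [ValidateSet('Read', 'Change', 'Full')] [string]$AccessRight = 'Read'
    )
    if ($PSCmdlet.ShouldProcess($ShareName, "Replace Everyone with $Group ($AccessRight)")) {
        # Grant before revoking so domain users never lose access in between.
        Grant-SmbShareAccess -Name $ShareName -AccountName $Group `
            -AccessRight $AccessRight -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }
    # Show the resulting share-level ACL so the change can be verified.
    Get-SmbShareAccess -Name $ShareName | Select-Object Name, AccountName, AccessRight
}

# 1. Report every non-administrative share that grants Everyone.
Get-ShareOpenToEveryone | Format-Table

# 2. Dry run, then the real change, on one share from that report.
Set-ShareAccessDomainUsers -ShareName 'Public' -AccessRight Change -WhatIf
Set-ShareAccessDomainUsers -ShareName 'Public' -AccessRight Change
```

As x3man notes earlier in the thread, whether an Everyone entry also admits anonymous (credential-less) sessions depends on the server version; granting Domain Users instead sidesteps that question, because only accounts in the domain are then allowed through at the share level.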
 
pma111 (Author) commented:
Yikes about the Everyone group.

Thanks for the examples re non domain machines.

Back to point 3 of the OP

Can you give some examples why a machine would be removed from the domain - unless it was being physically disposed of?
0
 
pma111 (Author) commented:
And why wouldn't a print server be added to AD?
What would adding it to AD cause problem wise?
0
 
Paul MacDonald (Director, Information Systems) commented:
I'm not saying a print server wouldn't, just that, as a utility machine and not something someone would normally log into, it might not be added to the domain.
0
 
Paul MacDonald (Director, Information Systems) commented:
"Can you give some examples why a machine would be removed from the domain - unless it was being physically disposed of?"
Not really. My other examples were machines where domain logins weren't necessarily required. If someone came to that realization for these others, they may have been removed for that reason.
0
