Pau Lo

joined to a domain / removed from domain

A few questions.

1) How (in real basic management terminology) does a machine come to be joined to a corporate Windows network domain? What process has to be taken for it to be added to the domain?

2) Or is it as simple as plugging in the network cable, creating a domain user and then logging in as that user – and subsequently the machine the user logged in as is then automatically joined to the domain?

3) At the same time – what process has to be taken for a machine to be removed from the domain? Or can that be automatic? i.e. not logged into the domain for 6 months – it is removed from the domain?

4) Is it possible for a user on a computer not joined to the domain to still access network resources, such as file servers, corporate intranet, internet service, Exchange etc? If so how does that work?
ASKER CERTIFIED SOLUTION
Techn9cian
This solution is only available to members.
Pau Lo

ASKER

Can you tell me the difference between a domain and a workgroup - and where a domain would be utilised as opposed to a workgroup? Prefer your comments as opposed to links
SOLUTION
Paul MacDonald
This solution is only available to members.
Pau Lo

ASKER

>>2.) The machine would need to be added to the domain first manually before a domain user can log on or the domain will not show up in the list on the log on screen.


What does this process involve?
Pau Lo

ASKER

@paulmacd - so it essentially comes down to size?

I.e. you wouldn't need a domain for a network of 20 users - but you would for a network of say 2000?

What OS?
Pau Lo

ASKER

DCs: 2003 Server
Workstations: XP

"What does this process involve?"
Depends on what you mean. Adding a user to a Windows domain involves using the "Users and Computers" utility on a domain controller to create a domain account.

Adding a Windows computer to a domain involves (as [Techn9cian] noted) going to that computer, bringing up the properties for the machine and specifying that it is to be a machine in the domain. A person with administrative privileges in the domain has to do the joining.
Pau Lo

ASKER

So a network could contain both workgroups and 1/2 domains?

How can you identify all workgroups on the network?

"@paulmacd - so it essentially comes down to size?

I.e. you wouldn't need a domain for a network of 20 users - but you would for a network of say 2000?
"

Occasionally, but not necessarily. It really comes down to how much control you need/want to exert over the network and its resources. In this case, resources includes people, machines, shares, etc. A domain is a management entity. It gives you centralized control over the resources it contains.
Pau Lo

ASKER

3) why would you remove computers from a domain?

Can you provide a few reasons why this would be done?

Reason I ask is our auditors matched our hard copy inventory to all comps in ADUC console - and there's over 400 on our hard copy not on an all comps query in ADUC.

Trying to get head around why.

"So a network could contain both workgroups and 1/2 domains?

How can you identify all workgroups on the network?
"

It could, but that seems redundant and...undesirable.

As to identifying workgroups, you'd need to know about them ahead of time.  As noted, there's no centralized management of workgroups.

"Reason I ask is our auditors matched our hard copy inventory to all comps in ADUC console - and there's over 400 on our hard copy not on an all comps query in ADUC.

Trying to get head around why.
"

It's possible old computers have been removed (physically) from the network, but their Active Directory objects still exist. Active Directory wouldn't know to remove them, since Active Directory wouldn't know they weren't coming back. It's a simple enough thing to simply right-click and delete the object in ADUC.
Pau Lo

ASKER

Hey - no I am saying we have 400 devices on a physical inventory that AREN'T in the domain...
Pau Lo

ASKER

does the EVERYONE group = anyone with any machine with a corporate network cable plugged in?
Sorry, I didn't suss you had 400 nodes not in AD. That's certainly possible, but probably not ideal. Is it possible they belong to a different network? Or perhaps they have a specialized job that doesn't require (or maybe makes them undesirable for) inclusion in Active Directory?

Everyone = anyone with access to the network. This includes people with AND WITHOUT accounts in Active Directory.
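
The inventory-versus-ADUC comparison discussed above, as an added example that is not part of the thread: it lists machines on the inventory with no AD computer object, AD objects missing from the inventory, and AD objects with no recent logon (AD does not remove these on its own). The CSV file name, its `Hostname` column and the 180-day threshold are assumptions; `lastLogonTimestamp` requires the Windows Server 2003 domain functional level, and the script must run on a domain-joined host.

```powershell
# Added example: reconcile a paper inventory against AD computer objects.
# Assumed input: CSV with a 'Hostname' column (hypothetical file and column name).
param(
    [string]$InventoryCsv = '.\inventory.csv',
    [int]$StaleDays = 180
)

# Map 'pc-0042', 'PC-0042$' and 'PC-0042.corp.example.com' to one key.
function Get-HostKey([string]$Name) {
    ($Name.Trim().TrimEnd('$') -split '\.')[0].ToUpperInvariant()
}

function New-Finding($Computer, $Finding, $LastLogonUtc) {
    New-Object PSObject -Property @{
        Computer = $Computer; Finding = $Finding; LastLogonUtc = $LastLogonUtc
    }
}

# Every computer object in the current domain only (other domains need their
# own search root). PageSize turns on paging; without it results stop at the
# server-side limit, 1000 objects by default.
$searcher = [adsisearcher]'(objectCategory=computer)'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange(@('name', 'lastlogontimestamp'))

$adHosts = @{}
foreach ($entry in $searcher.FindAll()) {
    # lastLogonTimestamp is replicated but can lag by about two weeks.
    $stamp = $entry.Properties['lastlogontimestamp']
    $last = if ($stamp.Count) { [datetime]::FromFileTimeUtc([long]$stamp[0]) } else { $null }
    $adHosts[(Get-HostKey $entry.Properties['name'][0])] = $last
}

$inventory = @{}
Import-Csv $InventoryCsv | ForEach-Object { $inventory[(Get-HostKey $_.Hostname)] = $true }

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
& {
    foreach ($key in $inventory.Keys) {
        if (-not $adHosts.ContainsKey($key)) { New-Finding $key 'On inventory, no AD object' $null }
    }
    foreach ($key in $adHosts.Keys) {
        $last = $adHosts[$key]
        if (-not $inventory.ContainsKey($key)) { New-Finding $key 'AD object, not on inventory' $last }
        elseif ((-not $last) -or ($last -lt $cutoff)) { New-Finding $key 'AD object stale' $last }
    }
} | Sort-Object Finding, Computer | Format-Table Computer, Finding, LastLogonUtc -AutoSize
```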

Sorry typo, meant to say "So earlier than server 2003 "everyone" includes anonymous. 2003/2008 does not."
Pau Lo

ASKER

50 are in a high security domain - so we have 350 to go.

Can you provide some examples on:

Or perhaps they have a specialized job that doesn't require (or maybe makes them undesirable for) inclusion in Active Directory?

Thanks Paul
Pau Lo

ASKER

so just to clarify re everyone.

if you have a share with everyone on the ACL. Does that mean anyone who plugs their own machine into the LAN can get at that share? Or as that share is on a server IN the domain - is that a compensating control?

Maybe they're machines for running CNC equipment? Maybe they're machines that are used for timeclocks? Maybe they're used for CD duplication? Maybe they're used for print servers? Maybe they run the ventilation system? That's the gist of what I'm thinking of.

Are these machines you can lay hands on? Or are they just line items on an inventory somewhere? If the latter, is it possible they've been decommissioned and disposed of? Or given to employees to take home (so they can work from home)?

"if you have a share with everyone on the ACL. Does that mean anyone who plugs their own machine into the LAN can get at that share?"
Yes.  If you just want people with domain accounts to access those resources, you need to remove Everyone and share with Domain Users.
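
An added example (not part of the thread) for finding shares whose share-level ACL still names Everyone, so those entries can be replaced with Domain Users as suggested above. It assumes Windows PowerShell with WMI access and administrative rights on the target hosts; the `-ComputerName` parameter is this example's own.

```powershell
# Added example: report share-level ACEs that name Everyone (SID S-1-1-0).
# Share permissions only: the NTFS ACL on the shared folder is evaluated as
# well and has to be reviewed separately.
param([string[]]$ComputerName = @($env:COMPUTERNAME))   # illustrative parameter name

$everyoneSid = 'S-1-1-0'   # well-known SID; matching on it avoids localized group names

foreach ($computer in $ComputerName) {
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computer
    foreach ($setting in $settings) {
        $sd = $setting.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) {
            Write-Warning "$computer\$($setting.Name): cannot read descriptor ($($sd.ReturnValue))"
            continue
        }
        foreach ($ace in $sd.Descriptor.DACL) {
            if ($null -eq $ace -or $ace.Trustee.SIDString -ne $everyoneSid) { continue }

            # Standard share permission masks; anything else is shown in hex.
            $access = switch ($ace.AccessMask) {
                2032127 { 'Full Control' }
                1245631 { 'Change' }
                1179817 { 'Read' }
                default { '0x{0:X}' -f $_ }
            }
            # AceType 0 = access allowed, 1 = access denied.
            $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }

            New-Object PSObject -Property @{
                Computer = $computer
                Share    = $setting.Name
                Type     = $type
                Access   = $access
            } | Select-Object Computer, Share, Type, Access
        }
    }
}
```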
Pau Lo

ASKER

Yikes about the Everyone group.

Thanks for the examples re non domain machines.

Back to point 3 of the OP

Can you give some examples why a machine would be removed from the domain - unless it was being physically disposed of?
Pau Lo

ASKER

And why wouldn't a print server be added to AD?
What would adding it to AD cause problem wise?

I'm not saying a printer server wouldn't, just that - as a utility machine and not something someone would normally log into - it might not be added to the domain.