Downgrade From Domain to WorkGroup

genusys used Ask the Experts™
I have a customer that has dropped to 3 users from 10 users. They have fairly new Windows 7 PCs. They want to decommission their 2003 server and go to a simple workgroup. The customer only does QuickBooks locally.

What is the best approach to this? Unjoin them from the domain and join a workgroup? Could I lose data this way? Their My Docs is not redirected.
Information Systems Security Engineer
Hello, genusys!

Have the users back up all documents and files from the server.

Then it really is just as simple as unjoining from the domain, and joining a workgroup.

However, you will need to manually apply any sort of local group policy settings that you want, as they will no longer have a domain to pull them from.
Sean Plemons Kelly, CISSP, Information Systems Security Engineer

Forgot one caveat!

Make sure the users have a local logon for their system (right-click Computer > Manage > Local Users and Groups > Users)!
Joseph Hornsey, President and Janitor

It's actually going to be a little more complicated than that.

One of the biggest advantages of using Active Directory is a single account is used to access all resources on the network.  In a workgroup environment, that's not the case.

Each computer has a SAM (Security Accounts Manager) database which stores the accounts for that computer.  If not joined to a domain, the computer only uses its own SAM database for authentication - it doesn't have access to any other computer's database.

If a user on one computer tries to connect to a resource on a different computer, the source computer passes the user's credentials to the destination computer.  Since the destination computer can only see its own SAM database, it checks that to see if that user exists in its database and if it does, whether or not that user has access to the particular resource.

The end result is that for a user to access the resources on a different computer, that user must have an account on that other computer and the user name and password must match exactly.  If the password for that user expires on any of the computers, the user will no longer be able to access those resources because the logon will fail.

So, you've got three users... you'll need to set up user accounts for each user on each computer.  This means you're managing nine logons, not three.  And if you set a password expiration policy (which you should), each user will have to reset their password on all three computers at the same time when their password expires.

One workaround people use is to just have blank passwords for each user.  Not only is this a horrible idea for security reasons, but in later versions of Windows, you're no longer allowed to do this.

If you're accessing shared printers from the server, you'll need to either configure local ports on each computer or set up one of those computers in the workgroup to act as the print server.

Since you're using QuickBooks, you'll need to designate one of the workgroup computers as the QB server for multi-user hosting and make sure the database manager is installed there and the company files are shared.

Honestly, if the server is running fine, then leave it in place.  If this were a new customer of yours who had three users, recommending a server would be overkill.  But, if the server's already there, there's no need to remove it (unless the hardware's failing, or whatever).
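
The per-computer SAM requirement described in the answer above can be checked with a short script. This is an added example, not part of the original thread: it is written for PowerShell 2.0 as shipped with Windows 7, is meant to be run locally on each workgroup PC, and uses placeholder user names. It confirms that each expected user has an enabled, password-protected local account; it cannot compare passwords, which still have to be kept identical by hand.

```powershell
# Added example; the user names are placeholders (assumption), not from the thread.
$expectedUsers = @('user1', 'user2', 'user3')

# LocalAccount=True restricts the query to this computer's own SAM database,
# which is the only account store a workgroup machine consults.
$localAccounts = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")

$report = foreach ($name in $expectedUsers) {
    $acct = $localAccounts | Where-Object { $_.Name -eq $name }

    # Only report expiry when the account actually exists on this machine.
    $expires = $null
    if ($acct) { $expires = $acct.PasswordExpires }

    if (-not $acct) {
        $status = 'MISSING: no local account, access from other PCs will fail'
    } elseif ($acct.Disabled) {
        $status = 'DISABLED: logons for this user will fail here'
    } elseif (-not $acct.PasswordRequired) {
        $status = 'WEAK: account is allowed to have a blank password'
    } else {
        $status = 'OK'
    }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        User            = $name
        Status          = $status
        PasswordExpires = $expires
    }
}

# Select-Object fixes the column order (hashtable order is not preserved in PowerShell 2.0).
$report | Select-Object Computer, User, Status, PasswordExpires | Format-Table -AutoSize
```

Running it on all three PCs and comparing the tables shows which of the nine logons are missing or out of line before the domain is removed.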
