Re: xp pro / xp home / profiles
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/06/05
Date: Sun, 6 Mar 2005 08:43:37 -0700
No, I do not feel you have been scattered in the posting.
Actually you cut to the heart of something people often
dance around but do not focus upon.
You are correct that one does not need to join a domain
in order to do most things involving interoperation with
the resources in the domain. What one needs is a domain
account, and only rarely must one also have a domain
joined machine. Now, use of a domain joined machine
can make things a little more transparent, if one logs in
with a domain account, but with XP that difference can
be lessened by use of the stored credentials capability
of the machine local account (in the properties of the
logged on account within the User Accounts control panel
applet).
As far as profiles go, it can be frustrating to have one
account configured just as desired and then find that one
must seemingly start over to get another account, required
because of a new security domain, all set up. You have
apparently discovered that the old account did not go
away when the machine was domain joined, although
the rules of the domain may have made it so that one
could not log in with it. Also, the old profile/account
should be there intact after disjoining from the domain.
There are tools and ways to more quickly transfer a
large part of one profile into a new account. A post
to the customize and/or general, or even the security_admin
newsgroups (the * part) at microsoft.public.windowsxp.*
would likely get you some pointers on doing as such.
Now, what people in my opinion dance around too often,
but do not examine, comes down to this. IMO if a machine
is going to be joined to a company's domain then that machine
should be provided by the company. When you join your own
laptop to a domain it is in effect no longer yours - it is possible
for it to become useless for your "personal" and/or "home" uses.
If they want you using mobile devices they should provide them.
Your private machine should not become an effective part of
their corporate assets - and this is not just a financial observation,
but one of information protection, yours and theirs, as well as one
of preservation of your private property in a form usable for
private purposes.
As you have mentioned, joining a domain is not really needed
for a large part of interoperation with a domain. But that is not
the real issue. A law firm, a health provider, a brokerage, a
bank, etc. all have legal requirements now that dictate the
securing of stored information. Letting machines that are not
within the control of the information protection strategy of the
firm become domain, or even just network, participants is not
in the better interest of meeting these legal requirements. And,
even where such laws do not apply, there are key corporate
information assets that can be all too easily placed at risk by
allowing such informal transit of uncontrolled machines.
One last comment. The versions are named for their intended
uses: Home edition and Professional edition. The differences
may not be apparent at first, but they are there. If one is going
to be using a laptop for business purposes it should IMO not
be running Home edition. So, in at least my view, you have not
wasted the money to get this upgraded. For an example, consider
the built-in EFS encryption that you can now exercise to control
access to the files stored on the machine - particularly important
on a business laptop relative to potential loss/theft. This feature
is not available in Home edition. (If you do use EFS, please be
certain to first review information on the MS website about
exporting the EFS certificate/key and about making a password
recovery disk for the accounts you use with EFS.)
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"instauratio" <instauratio@discussions.microsoft.com> wrote in message
news:E5987EE8-BC08-488A-85D9-3AF88BA7AE10@microsoft.com...
> I have just bought a laptop w/ homeXP. I created an account on the local
> machine. A week later I upgraded to XPpro. I then made my laptop join a
> domain. When I did this, it created an entirely new profile.
>
> I don't want a new profile, I spent the entire week setting up the profile I
> have for the local machine.
>
> Also, it might have been a waste of money to upgrade to pro, as I can log in
> and use the resources in the domain with no problems.
>
> If a user wants to use their own laptop for work at the office (this user is
> a partner at a brokerage). Do they need to have pro? Since I was able to use
> the network freely with a local machine login, what is the point of a domain
> from security perspective?
>
> I hope I haven't been too scattered with my question, I'm having trouble
> defining what I don't know. (which seems quite a bit). Thanks in advance.
>