Re: Computer in a Workgroup Access in a Domain Setting

From: Shenan Stanley (newshelper_at_gmail.com)
Date: 06/21/05 

Date: Tue, 21 Jun 2005 12:23:24 -0500

plane123 wrote:
> I noticed that when a new computer is being built [Windows 2000,
> Windows XP or even a Windows 2003], and before it is added to the
> domain, it can access resources on a file server [a Windows 2000
> server].
> The domain is Windows 2003 functional.
> How can that be tightened down?

Phillip Windell wrote:
> You will have to specifiy what "access resources" means. Just being
> able to see the shares listed in Network Places or in Explorer is
> not the same as accessing them. Any Workgroup machine can access
> shares if the right domain credentials are manually given. Giving
> "Everyone" permission would not do it because in the context of the
> domain "Everyone" means "Everyone on the Domain" not "everyone in
> the world" so the "Everyone" on the Workgroup machine would not fit
> into that.

plane123 wrote:
> When I access resources, I mean I actually map a drive.
> For instance I can map a drive to \\computer\c$ and it let's me in.
> The user I'm logged into on the machine at the time is usually the
> local admin on the box.

Look at the permissions on the file shares of your domain server. Are you
allowing only authenticated users to access them? If so - then only
somoneone passing proper domain credentials would be able to get to said
shares. This does NOT mean the machine(s) in questions have to be a member
of your domain to access the shares, just the users have to give their
domain credentials to do so.. (domain\username and password.)

That is assuming you mean \\computer\c$ is your domain servers and there
isn't a local user on the domain server (meaning it is not a DC) that has
the same username/password as the local user you are logged in as on the
computer in question. 

-- 
Shenan Stanley
     MS-MVP
--

Relevant Pages