Re: What is the difference between logging into an AD Domain versus connecting to network resource?



That is a fairly broad question.

One way to look at things that might help runs . . .

To use resources you are always authenticated first,
which is the process of verifying who you are, that
you are "allowed" to use the account you are trying
to use. Following this, there is then an authorization
check to see if this "you" (the authenticated account)
is allowed to do what it is trying to do.

When one has logged into a domain member with a
domain account, the authentication took place at a
domain controller. In this case the "you" is an account
that all domain members recognize and all will trust (as
they trust the decisions of the domain controllers).
When one has logged into a domain member with a local
account, or to a non-domain member (whether with a
local account or a domain account if in a non-trusted
domain) the "you" is something about which machines
in the domain know nothing and the authorization was
by an authority in which they place no trust. In other
words, that "you" is nobody to them.

So, when the current login is with recognized credentials
the accessed machine only needs to do the authorization
for the attempted access. However, if the "you" is nobody
to the accessed machine then it needs to start at square
one and first find out who is attempting access (and so it
issues an authentication prompting).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"JLeste" <anyone@xxxxxxxxxxxx> wrote in message
news:uQL24$rIGHA.3000@xxxxxxxxxxxxxxxxxxxxxxx
> Can someone explain the difference between logging on to a computer that
> is part of an Active Directory domain using an Active Directory user
> account, versus logging on to a local computer and then connecting to a
> network resource (where the user is then prompted for network
> credentials). i.e. a user logs into his/her home computer and then VPNs
> into the work network).
>
> Or a slightly different scenario, where a user logs into his/her laptop
> (that is part of the domain) offline, but then VPNs into the network after
> they have logged in using locally cached credentials. I know for instance
> that group policies (user) aren't processed in either scenario, but
> realized I didn't entirely understand why. Or why when I logon to the
> domain from a domain member computer I can access resources from various
> servers with no prompting for credentials, whereas from a non-domain
> computer I am prompted each time I try to access a different resource.
>
> Thanks
>

