Re: What is the difference between logging into an AD Domain versus connecting to network resource?
- From: "Ondrej Sevecek" <ondra at my_surname dot com>
- Date: Fri, 27 Jan 2006 12:20:32 +0100
simply:
The term "domain" means nothing than the "central database of user
names/passwords". The fact that a computer is "a member of a domain" means
exactly only the fact "my computer allowes access to anybody, who provides
login/pwd that is not stored in my local database, but in the central
database".
When you log on, you can provide either login/pwd that is stored locally -
local logon - then your computer consults its local registry, searching
whether there is the login and the correct password. It it is really there,
the user can access the computer.
When you log on by using a login/pwd that is stored in the central database
(the database is called "domain"), your computer finds appropriate server
that holds the database (domain controler) and sends there the provided
login/pwd. The domain controller tries to find the credentials in its own
database and if it is sucessfull, returns back "ok, the user is ok". Bacause
your computer "trusts" the central database server, it allowes you access
the same way as with your local account.
When you try to access a remote resource, you will always have to provide
your login/pwd that can be checked on the remote computer. So imagine, you
access shared file on another computer.
Your system sends there your login/pwd you previously provided when logging
on (it stores it for the whole time you are logged on).
The remote computer checks the credentials the same way as it would do when
you log on it locally - checks either its own registry or its configured
central database.
If the information is not correct - the user either does not exist, has been
denied access or so, you are provided with the login/pwd dialog box to write
a different set of credentials.
thats all.
O.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OMLbjGwIGHA.1180@xxxxxxxxxxxxxxxxxxxxxxx
> That is a fairly broad question.
>
> One way to look at things that might help runs . . .
>
> To use resources you are alway authenticated first,
> which is the process of verifying who you are, that
> you are "allowed" to use the account you are trying
> to use. Following this, there is then an authorization
> check to see if this "you" (the authenticated account)
> is allowed to do what it is trying to do.
>
> When one has logged into a domain member with a
> domain account, the authentication took place at a
> domain controller. In this case the "you" is an account
> that all domain members recognize and all will trust (as
> they trust the decisions of the domain controllers).
> When one has logged into a domain member with a local
> account, or to an non-domain member (whether with a
> local account or a domain account if in a non-trusted
> domain) the "you" is something about which machines
> in the domain know nothing and the authorization was
> by an authority in which they place no trust. In other
> words, that "you" is nobody to them.
>
> So, when the current login is with recognized credentials
> the accessed machine only needs to do the authorization
> for the attempted access. However, if the "you" is nobody
> to the accessed machine then it needs to start at square
> one and first find out who is attempting access (and so it
> issues an authentication prompting).
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> "JLeste" <anyone@xxxxxxxxxxxx> wrote in message
> news:uQL24$rIGHA.3000@xxxxxxxxxxxxxxxxxxxxxxx
>> Can someone explain the difference between logging on to a computer that
>> is part of an Active Directory domain using an Active Directory user
>> account, versus logging on to a local computer and then connecting to a
>> network resource (where the user is then prompted for network
>> credentials). i.e. a user logs into his/her home computer and then VPNs
>> into the work network).
>>
>> Or a slightly different scenario, where a user logs into his/her laptop
>> (that is part of the domain) offline, but then VPNs into the network afer
>> they have logged in using locally cached credentials. I know for instance
>> that group polices (user) aren't processed in either scenario, but
>> realized I didn't entirely understand why. Or why when I logon to the
>> domain from a domain member computer I can access resources from various
>> servers with no prompting for credentials, where as from a non-domain
>> computer I am prompted each time I try to access a different resource.
>>
>> Thanks
>>
>
>
.
- References:
- Prev by Date: Re: building a web site
- Next by Date: Re: building a web site
- Previous by thread: Re: What is the difference between logging into an AD Domain versus connecting to network resource?
- Next by thread: Re: What is the difference between logging into an AD Domain versus connecting to network resource?
- Index(es):
Relevant Pages
|
