Authenticating with a Domain when not joined to the Domain

By Phill-d
Ok, the weirdest thing is happening with our desktop PCs at work. Up until a week ago, we were running a Server 2003 domain with 10 servers and approx 75 XP desktops. The servers were joined to a domain but the desktops were not. As long as a user could log on to a desktop with the same account name and password as the one set up in Active Directory, the user could authenticate, connect to and list file shares and printers on any server.

Unfortunately, we began having problems with the hardware on our 2003 PDC and we had to migrate to a new 2008 PDC. After the upgrade, the desktops were no longer able to connect to shares on the servers.

We searched the web and found several answers that we did not find favorable: basically, because we had upgraded to a 2008 domain, the XP desktops could no longer connect to the servers using NTLM authentication. We looked at adding anonymous users to folder and printer shares on the server but I didn't like that idea for security reasons.

After hours of searching, we decided to bite the bullet and just join everyone to the domain after all; I had been wanting to do that for a long time. The only thing that was stopping us was upper management didn't like the idea of I.T. being able to connect to their computers over the network (oh the ignorance!).

So we began the work 2 days ago and have been running through the trials and tribulations of having users who previously had full access to their machines now only having limited access. Then we came to our first XP Home machine! Oh crap, XP Home cannot join a domain, so we decided to try the file and printer shares again. We couldn't believe what we found.

When we went to add a printer and used \\servername\, the list of printers would show up. This is not working on the XP Pro desktops. Additionally, if we use the Run option and enter \\ServerName\, the list of file shares will show up. Again, this does not work on the XP Pro desktops. We went to a couple of other XP Home machines and found the situation got even weirder. All of them can list printer shares, but only some of them can list file shares. As far as their Active Directory user accounts go, all are members of the same security groups and all are members of the same OUs with the same group policy permissions (not that GP would be applicable if they aren't actually joined to the domain).

Can anybody tell me what might be happening here? I am happy we're finally getting on a domain but I am in deep poop if it is discovered that XP Home could continue to work as normal when I am telling management that they need to spend money to upgrade some PCs to Pro.

Thanks


All Answers

how to 'convert' Home into Pro

by robo_dev In reply to Authenticating with a Dom ...

While 'officially' XP Home cannot be used to log on to an Active Directory domain, there's a way to effectively 'convert' Home into Pro, and it's not a EULA violation, AFAIK:

http://www.petri.co.il/forums/showthread.php?t=6868

If you have to fiddle with local security policy, check out this utility:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm

The XP Home weirdness is either:

1) Local Policy Settings
2) Patch levels
3) Cached Credentials or wrong SID Cached
4) DNS issues if new DC is same name

In general, the tricky part is that the default security policy, and even the default roles and users, are totally different in Home vs Pro.

http://www.windowsnetworking.com/articles_tutorials/wxpdifs.html

Solutions

by p.j.hutchison In reply to Authenticating with a Dom ...

1. NTLM is now replaced with NTLMv2, which is compatible with Vista and Windows 7. To allow NTLM, you need to change the Local Security Policy to allow you to use it if NTLMv2 does not work.
2. Also, if you are using multiple subnets, then to use NetBIOS names I suggest installing a WINS service to allow NetBIOS short names to be reconciled.
3. Yes, all XP Home must be upgraded to XP Pro to be used in a domain. XP Home is no good for use in commercial companies. We come across them at work and have to upgrade them to be useful in our work environment.
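
Added example, not part of either reply: a PowerShell check for the Local Security Policy setting that item 1 refers to ("Network security: LAN Manager authentication level", stored in the registry as `LmCompatibilityLevel`). It reports which NTLM variants the local machine sends and whether a domain controller at an assumed level accepts any of them; `$DcLevel` and the two helper functions are names introduced here, and the DC's level has to be read on the DC with the same registry query.

```powershell
# Added example: compare this machine's LAN Manager authentication level
# with a domain controller's. $DcLevel is an assumed input, not read remotely.
param([ValidateRange(0,5)][int]$DcLevel = 5)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Responses a client sends at each level (0-1: LM and NTLM, 2: NTLM, 3-5: NTLMv2).
function Get-ClientSends([int]$Level) {
    if ($Level -le 1) { return @('LM', 'NTLM') }
    if ($Level -eq 2) { return @('NTLM') }
    return @('NTLMv2')
}

# Responses a DC accepts at each level (4 refuses LM, 5 refuses LM and NTLM).
function Get-DcAccepts([int]$Level) {
    if ($Level -eq 5) { return @('NTLMv2') }
    if ($Level -eq 4) { return @('NTLM', 'NTLMv2') }
    return @('LM', 'NTLM', 'NTLMv2')
}

# The value is absent when the policy was never configured on this machine.
$prop = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'LmCompatibilityLevel is not set; the OS default level applies.'
    return
}

$clientLevel = [int]$prop.LmCompatibilityLevel
$sends   = @(Get-ClientSends $clientLevel)
$accepts = @(Get-DcAccepts $DcLevel)
# Variants the client offers that the DC will still accept.
$usable  = @($sends | Where-Object { $accepts -contains $_ })

New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    ClientLevel = $clientLevel
    ClientSends = ($sends -join ', ')
    DcLevel     = $DcLevel
    DcAccepts   = ($accepts -join ', ')
    Compatible  = ($usable.Count -gt 0)
}
```

Running it on one XP Home and one XP Pro desktop and comparing `ClientLevel` shows whether the two machines are actually configured differently for NTLM.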

Not quite the answer I was looking for,

by Phill-d In reply to Authenticating with a Dom ...

I was really looking for an answer as to why XP Home will authenticate with the domain when it's not joined to the domain and XP Pro will not.
