Domains and Workgroups

By Russ1973

Here is the scenario I have.
I have a domain set up with around 100 users.
All of the PCs (Win XP Pro) are in a workgroup of the same name as the Domain. The way they access resources from the server (2003 R2) is that their user accounts in AD match their logins and passwords on the local machines. I now want to join them to the domain to be able to manage them more efficiently, GPs etc. The infrastructure was already in place when I joined the company, so I know it will be a huge job moving all users across.
I have set up a test lab in my office with a server and a laptop with the same conditions but a different Domain and Workgroup name.
If I join the user to the Domain, could I rejoin it to the Workgroup as stated in the above instance?

Any help appreciated, as I am fairly new to this IT infrastructure.

Thanks in advance. Steve

All Answers

Workgroups & Domains each is a security boundary

by CG IT In reply to Domains and Workgroups

The workstation can only belong to one at one time.

Users who are logging in on the domain using a computer that is not a member of the domain doesn't sound right. Typically, the physical computer needs to have an account on the domain. The exception is remote access users. Even then a good security IT guy would have restrictions on just any ole computer connecting even if the user has the proper credentials.

RE:domain and workgroup

by Nimmo In reply to Domains and Workgroups

Like above, a computer can only be a member of one or the other; you need to drop it out of a workgroup and into a domain and vice versa.

The setup is really strange, being that all PCs that are being used on a domain should be members, even remote machines that use VPN access.

The only reason I would allow a computer access to the domain which it wasn't part of would be for Terminal Services via remote web workplace.

The only reason that I personally would put a computer in a workgroup with the same name as the domain and have a user account to match the AD account is if you get a computer like XP Home or Vista Home; neither of them has the ability to join domains, and this is the way around it.

Best to check what OS versions these computers are running before you start removing them from the workgroup, although it's pretty rare to find a home computer joined to a domain.

Local profiles

by Churdoo In reply to Domains and Workgroups

Agree with prior posts, and no need to continue to beat that carcass.

Moving forward, one of the first things you'll notice is that as soon as you join one of the workstations to the domain, and then log in as the user that's been using said workstation, he/she will get a brand new profile, absent of all of their settings, desktop, my documents, wallpaper, customizations, etc. The reason is, logging into the Domain user account has a different SID than the local user account even if the username is the same, and different SID means different account, and therefore different profile.

Once this profile is created, you can COPY the local (what you're calling workgroup) profile over the new Domain user profile and all of the users' settings will now be part of their Domain user profile. This is a step that you'll have to plan for and it can be time consuming depending on the size of a given user's local profile.

You did ask a question and the wording is a little strange so I'll try to clarify.
"If i join the user to the Domain could i rejoin it to the Workgroup as stated in the above instance"

Once the workstation is joined to the Domain, it is a member of the domain. However when a user logs in, there is the option in the LOGON dialogue to select the local computer (this computer) to log into the local machine versus the Domain account. This is actually the same as what you're calling the "workgroup."

Although I personally and I'm sure the other posters would agree, as soon as a workstation is joined to the Domain and you've copied the local user profile over the domain profile, I would DISABLE the local user account because I would NOT want the users logging into the local accounts any more.

Hope this is helpful.
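
The point above about SIDs, as an added example that is not part of the original post: a PowerShell sketch that lists the profiles on a domain-joined workstation and shows users who have both a local and a domain profile under the same username. It assumes Windows PowerShell 2.0 or later is installed on the workstation and that it is run as a local administrator; the variable names are illustrative.

```powershell
# Added example (not from the thread): find usernames that have BOTH a local
# and a domain profile on this workstation, i.e. the accounts whose profile
# needs copying and whose local login is a candidate for disabling.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Every local account SID is <machine SID>-<RID>, so any local account
# reveals the machine SID. Domain account SIDs start with the domain SID instead.
$anyLocal   = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
              Select-Object -First 1
$machineSid = (New-Object System.Security.Principal.SecurityIdentifier(
                   $anyLocal.SID)).AccountDomainSid.Value

$profiles = Get-ChildItem $profileList | ForEach-Object {
    # Key names are SIDs; skip anything that does not parse as one.
    try   { $sid = New-Object System.Security.Principal.SecurityIdentifier($_.PSChildName) }
    catch { return }
    # Built-in identities (S-1-5-18 and similar) have no account domain part.
    if ($sid.AccountDomainSid -eq $null) { return }

    # Resolve SID to "AUTHORITY\user"; fails for deleted accounts or when no DC is reachable.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }

    $scope = 'Domain'
    if ($sid.AccountDomainSid.Value -eq $machineSid) { $scope = 'Local' }

    New-Object PSObject -Property @{
        User  = $name.Split('\')[-1]     # bare username, without the authority
        Scope = $scope
        Sid   = $sid.Value
        Path  = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    }
}

# Same username under two different SIDs means two separate profile folders.
$profiles | Group-Object User | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Scope -Unique).Count -eq 2
} | ForEach-Object { $_.Group } |
    Sort-Object User, Scope |
    Format-Table User, Scope, Sid, Path -AutoSize
```

Each pair of rows in the output is one user with two distinct SIDs and two profile paths, which is why the settings appear to be missing after the first domain logon.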

Yep agree with Churdoo deny local login

by CG IT In reply to Local profiles

If you allow users to log in locally, and they have rights and permissions other than a standard user, all sorts of problems can crop up.

Totally agree

by Nimmo In reply to Yep agree with Churdoo d ...

Local login should only be available to the administrator. I can see now users logging into the domain then accidentally logging in locally; next thing you hear is users missing data because it is spread across local and domain profiles.

Folder redirection

by Russ1973 In reply to Local profiles

Thanks for the advice. I have another query with regards to the folders in the local profile. Users at present store files in the My Documents and some profiles are over 1GB in size. My aim is to create roaming profiles for certain users within a group. This would cause traffic across the network, which is what I would like to avoid.
Can I redirect their My Docs and Desktop into a folder on the Server, then create a separate folder for their Profiles and include all other folders within the profile?

yes you can for both issues however

by CG IT In reply to Folder redirection

If the profile and my documents folder and all subfolders and files are stored on the server, then the profile is loaded up over the network and the user will always generate traffic on the network whenever they access, create or modify a document/file/etc stored in the My Documents folder.

Folder redirection

by Russ1973 In reply to yes you can for both issu ...

Thanks for the reply. I understand that there will be traffic when they load their profile. I am more concerned about when they log in to their account: if I remove their My docs from the profile, will it load up faster, as this is the bulk of the size of their profile?
If I redirect this folder it will only create network traffic when they access it or make changes.
Also, can I make the files available offline for laptops, so when they are not logged onto the Domain they can still access local cached files, then sync up when connected back into the domain?
