I noticed that when a new computer is being built [Windows 2000, Windows XP
or even a Windows 2003], and before it is added to the domain, it can access
resources on a file server [a Windows 2000 server].
The domain is Windows 2003 functional.
How can that be tightened down?

Re: Computer in a Workgroup Access in a Domain Setting by Phillip

Phillip
Tue Jun 21 11:18:21 CDT 2005

You will have to specify what "access resources" means. Just being able to
see the shares listed in Network Places or in Explorer is not the same as
accessing them. Any Workgroup machine can access shares if the right domain
credentials are manually given. Giving "Everyone" permission would not do
it because in the context of the domain "Everyone" means "Everyone on the
Domain" not "everyone in the world" so the "Everyone" on the Workgroup
machine would not fit into that.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"plane123" <plane123@discussions.microsoft.com> wrote in message
news:66F724E3-0057-4680-BAA1-5FBE62C081ED@microsoft.com...
> I noticed that when a new computer is being built [Windows 2000, Windows XP
> or even a Windows 2003], and before it is added to the domain, it can access
> resources on a file server [a Windows 2000 server].
> The domain is Windows 2003 functional.
> How can that be tightened down?



Re: Computer in a Workgroup Access in a Domain Setting by plane123

plane123
Tue Jun 21 11:55:16 CDT 2005

Phillip,
Thank you for replying.
When I access resources, I mean I actually map a drive.
For instance I can map a drive to \\computer\c$ and it lets me in.
The user I'm logged into on the machine at the time is usually the local
admin on the box.

"Phillip Windell" wrote:

> You will have to specify what "access resources" means. Just being able to
> see the shares listed in Network Places or in Explorer is not the same as
> accessing them. Any Workgroup machine can access shares if the right domain
> credentials are manually given. Giving "Everyone" permission would not do
> it because in the context of the domain "Everyone" means "Everyone on the
> Domain" not "everyone in the world" so the "Everyone" on the Workgroup
> machine would not fit into that.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> "plane123" <plane123@discussions.microsoft.com> wrote in message
> news:66F724E3-0057-4680-BAA1-5FBE62C081ED@microsoft.com...
> > I noticed that when a new computer is being built [Windows 2000, Windows XP
> > or even a Windows 2003], and before it is added to the domain, it can access
> > resources on a file server [a Windows 2000 server].
> > The domain is Windows 2003 functional.
> > How can that be tightened down?

Re: Computer in a Workgroup Access in a Domain Setting by Shenan

Shenan
Tue Jun 21 12:23:24 CDT 2005

plane123 wrote:
> I noticed that when a new computer is being built [Windows 2000,
> Windows XP or even a Windows 2003], and before it is added to the
> domain, it can access resources on a file server [a Windows 2000
> server].
> The domain is Windows 2003 functional.
> How can that be tightened down?

Phillip Windell wrote:
> You will have to specify what "access resources" means. Just being
> able to see the shares listed in Network Places or in Explorer is
> not the same as accessing them. Any Workgroup machine can access
> shares if the right domain credentials are manually given. Giving
> "Everyone" permission would not do it because in the context of the
> domain "Everyone" means "Everyone on the Domain" not "everyone in
> the world" so the "Everyone" on the Workgroup machine would not fit
> into that.

plane123 wrote:
> When I access resources, I mean I actually map a drive.
> For instance I can map a drive to \\computer\c$ and it lets me in.
> The user I'm logged into on the machine at the time is usually the
> local admin on the box.

Look at the permissions on the file shares of your domain server. Are you
allowing only authenticated users to access them? If so - then only
someone passing proper domain credentials would be able to get to said
shares. This does NOT mean the machine(s) in question have to be a member
of your domain to access the shares, just the users have to give their
domain credentials to do so (domain\username and password).

That is assuming you mean \\computer\c$ is your domain servers and there
isn't a local user on the domain server (meaning it is not a DC) that has
the same username/password as the local user you are logged in as on the
computer in question.

--
Shenan Stanley
MS-MVP
--
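
The two cases Shenan describes (domain credentials typed in from a non-member machine, and a local account on the server whose username/password match the client's) can be told apart in the server's network-logon records. The sketch below is an added example, not part of the original thread; the server name, domain name, member list and log records are all constructed, and the pipe-delimited record layout is an assumption standing in for whatever export of the Security log is available.

```python
# Added example: constructed data, hypothetical names throughout.
SERVER = "FILESRV1"                      # hypothetical member file server (not a DC)
DOMAIN = "CORP"                          # hypothetical NetBIOS domain name
DOMAIN_MEMBERS = {"WKS-014", "WKS-022"}  # constructed list of joined computers

# Constructed records: source workstation | account domain | account | logon type
SAMPLE = """\
WKS-014|CORP|jsmith|3
NEWBUILD-07|CORP|jsmith|3
NEWBUILD-07|FILESRV1|Administrator|3
WKS-022|CORP|akhan|2
NEWBUILD-09|filesrv1|Administrator|3
"""

def classify(line, server=SERVER, domain=DOMAIN, members=DOMAIN_MEMBERS):
    """Explain why one network logon to the file server succeeded."""
    workstation, acct_domain, account, logon_type = line.strip().split("|")
    if logon_type != "3":                # 3 = network logon (share access)
        return None
    joined = workstation.upper() in members
    if acct_domain.upper() == server.upper():
        # Authenticated against the server's own SAM: a local account on the
        # server whose name and password match what the client sent.
        return "local-account" if joined else "local-account-match"
    if acct_domain.upper() == domain.upper():
        # Domain credentials were supplied; machine membership is irrelevant.
        return "domain-user" if joined else "domain-creds-from-nonmember"
    return "other"

def review(log_text):
    """Return (workstation, account, reason) for logons from non-members."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = classify(line)
        if reason in ("local-account-match", "domain-creds-from-nonmember"):
            ws, dom, acct, _ = line.split("|")
            findings.append((ws, f"{dom}\\{acct}", reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="  ")
```

A `local-account-match` finding for an administrator account points at a shared local admin password between the build image and the server, which is the condition to remove.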