Hello,
I have been asked to set up the security for our application suite and
one setup in our lab causes me a great deal of headache!

In this setup there are 3 machines: machine A is the PDC, machine B and
machine C are normal workstations in the domain. All machines are running
Windows 2000. As far as I can tell everything is configured OK on the
machines, no warnings in the event viewers.... BUT

On the PDC (machine A) the domain administrator password is 'toto', on
machine B the local administrator also has its password set to 'toto'. So I
log on to machine B as local administrator and then I run 'net group AGroup /ADD
/DOMAIN' and to my surprise that works. A new group is created in the
domain. If I go on the PDC, the group has really been created. I don't
get it at all.

But if the administrator's password on machine B is different than the
domain administrator's password, the group is not created.

Can anyone help me to understand this one?

Thank you!

MP

Real weird situation. by Russell

Russell
Wed Oct 22 11:30:53 CDT 2003


>-----Original Message-----

> But if the administrator's password on machine B is
> different than the
> domain administrator's password, the group is not created.
>
> Can anyone help me to understand this one?
>


In order to do 'domain administration' you need an account
that has domain access. The local administrator will not
generally allow domain updates. What I think is happening is
when you do a domain update, machine B tries to log on
as the domain admin using your local admin password. If
the passwords for the domain admin and local login are
different, the domain sign-in fails. If you are logging
sign-in failures, it should show up in the log.
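
A simplified model of the behaviour described in the reply above, added here as an example and not part of the original thread. SHA-256 and HMAC-SHA-256 stand in for the real NTLM algorithms; the domain name LAB, the lookup by user name alone, and all accounts and passwords other than 'toto' are assumptions made for the model.

```python
import hashlib, hmac, os

# Simplified model: SHA-256 and HMAC-SHA-256 stand in for the real NTLM
# algorithms. All names, passwords and account tables below are constructed.
def pw_hash(password):
    # Unsalted, so the same password gives the same hash on every machine.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password, challenge):
    # The client proves knowledge of the password without sending it.
    return hmac.new(pw_hash(password), challenge, hashlib.sha256).digest()

class Server:
    """Models the PDC (machine A): its account database is the domain's."""
    def __init__(self, domain, accounts):
        self.domain = domain
        self.db = {u.lower(): pw_hash(p) for u, p in accounts.items()}
        self.audit = []  # (result, claimed_domain, user)

    def logon(self, claimed_domain, user, respond):
        challenge = os.urandom(8)
        response = respond(challenge)
        # Assumption modelled here: a claimed domain the server does not
        # recognise (a workstation name) falls back to a lookup by user
        # name alone in the server's own database.
        stored = self.db.get(user.lower())
        ok = stored is not None and hmac.compare_digest(
            hmac.new(stored, challenge, hashlib.sha256).digest(), response)
        self.audit.append(("success" if ok else "failure", claimed_domain, user))
        return f"{self.domain}\\{user}" if ok else None

def local_session(machine, user, password):
    # Credentials of a local logon, presented implicitly on network access.
    return machine, user, lambda ch: client_response(password, ch)

def try_domain_update(server, session):
    machine, user, respond = session
    return server.logon(machine, user, respond)

def demo():
    pdc = Server("LAB", {"Administrator": "toto"})
    same = try_domain_update(pdc, local_session("B", "Administrator", "toto"))
    diff = try_domain_update(pdc, local_session("B", "Administrator", "other"))
    return same, diff, pdc.audit

if __name__ == "__main__":
    print(demo())
```

The failure entry in the audit list corresponds to the sign-in failure the reply expects to see in the log. The success entry shows why a local account and a domain account should not share both a name and a password.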

Re: Real weird situation. by MP

MP
Wed Oct 22 15:38:56 CDT 2003

I guess this is what is happening.... But isn't that wrong?
What if I have a local user named 'UserA' and a domain user named 'UserA'...
then there are chances that the local 'UserA' can get into the domain as if
he was the domain 'UserA'.... given they have the same password...


I just think that this does not make sense....
Thank you for your reply.


"Russell" <newsgroup@paperdragon.ca> wrote in message
news:005b01c398b9$dc67d5b0$a401280a@phx.gbl...
>
> >-----Original Message-----
>
> > But if the administrator's password on machine B is
> > different than the
> > domain administrator's password, the group is not created.
> >
> > Can anyone help me to understand this one?
> >
>
>
> In order to do 'domain administration' you need an account
> that has domain access. The local administrator will not
> generally allow domain updates. What I think is happening is
> when you do a domain update, machine B tries to log on
> as the domain admin using your local admin password. If
> the passwords for the domain admin and local login are
> different, the domain sign-in fails. If you are logging
> sign-in failures, it should show up in the log.