[nflug] I am windows inept

Jason Lasker lasker at eng.buffalo.edu
Thu Jul 3 10:09:48 EDT 2008


Think along the lines of scalability.  If I have to manage 20 users on 30
machines I can do it either locally or with a domain.  

Now a new user joins the group.  I can add this account to each machine
locally (touch 30 machines... ugly) or just add them to the domain once and
add them to groups so they get their proper permissions, policies etc.....

Or you have to change a compromised password..... on 30 machines.....
quickly becomes a nightmare...

Now scale this up to 25,000 users on 10,000 machines in multiple locations,
and it quickly becomes the only reasonable way to control and provision users.

This is the same reason you would use NIS/LDAP/Kerberos or any other
centralized user authentication and authorization management system.

Does this help???

Jason Lasker
Senior Project Manager/Systems Administrator
Science and Engineering Node Services
University at Buffalo 
113 Bell Hall
Buffalo, NY 14260-2050
voice:  (716) 645-3797 x2172
fax:      (716) 645-3704
email:  lasker at eng.buffalo.edu


-----Original Message-----
From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
Cyber Source
Sent: Thursday, July 03, 2008 9:57 AM
To: nflug at nflug.org
Subject: Re: [nflug] I am windows inept

There always has to be at least one "local" account in both Windows and 
Linux; this local account is either the administrator (Windows, even 
though it may just show the user name, that user will have full admin 
rights if it's the only user on the box) or a user with sudo or root (Linux).
Now, this same PC can then join a domain. This domain can be on the 
local network, a remote network, a VPN, etc.
Domains are a way to have more control for network administrators. When 
the PC joins a domain, the current user may have scripts run via the 
domain, network access only available when on the domain, user desktop 
settings, etc.

The reasoning for setting up a domain would be to have more control over 
a network. If anyone would like to add to this explanation, please do.

Eric Benoit wrote:
> ok.  So, what would be the point of joining a machine to a domain but 
> only having local accounts, or would you have both in case the Domain 
> server goes down?  Sorry, I'm just trying to find the reasoning, so I 
> can set up my systems here appropriately.
>
> Cyber Source wrote:
>> Yes, a "machine" with local accounts can also join a domain.
>>
>> Eric Benoit wrote:
>>> Cyber Source wrote:
>>>> 1. Domain Account;
>>>> When a pc is part of a domain, it's "machine" (pc name) name is 
>>>> used in part of the authentication process for joining the domain, 
>>>> along with user and password which obtain user and group permissions.
>>>> 2. User Account;
>>>> On the very same pc, you may also have a user account for using the 
>>>> pc without joining the domain, and based on permissions again, have 
>>>> access to whatever was granted by the admin of the pc.
>>> So what you're saying in the above statement is a machine can be 
>>> "logged in" to the domain, but still have local users?
>>>
>>>
>>>>
>>>> In this thinking, everyone is a "roaming" user, whether logging 
>>>> onto the pc or the domain.
>>>>
>>>> eric wrote:
>>>>> ok yes.
>>>>>
>>>>> Let's say I log into my domain called "ubuntu" with user "eric"; 
>>>>> I'm not necessarily a roaming user, however the machine is logged 
>>>>> into the domain with its said machine name, "winxp" for example.
>>>>> Gathering what you said I should always create roaming users... 
>>>>> but what about adding a machine to the domain when would that be 
>>>>> necessary... or is it impossible to have roaming users on a 
>>>>> machine that was not added to a domain?
>>>>>
>>>>> thank you please keep going  :)
>>>>>
>>>>> Darin Perusich wrote:
>>>>>> When you say "machines with users" I'm going to assume that you 
>>>>>> mean local accounts on said workstation/laptop, and by "roaming 
>>>>>> users" network/domain users.
>>>>>>
>>>>>> IMHO in a networked environment where you have a domain 
>>>>>> controller there is almost never any reason for local user 
>>>>>> accounts, with the exception of administrative accounts or local 
>>>>>> accounts which can perform admin tasks in the event the network 
>>>>>> user repository is unavailable. On Windows once you login to the 
>>>>>> system your domain username and password are cached temporarily 
>>>>>> which allows you to logoff, take the machine off-site and login 
>>>>>> with the domain account. You can do the same on Linux if you have 
>>>>>> certain pam modules installed.
>>>>>>
>>>>>> Eric Benoit wrote:
>>>>>>> Hi I configured an LDAP-Samba ADS which works perfectly now, 
>>>>>>> except I don't know that much about Windows and methods of 
>>>>>>> configuring workstations/users...
>>>>>>>
>>>>>>> I have my smb/ldap automatically adding machines when I 
>>>>>>> authenticate as admin and can add roaming users as well, but my 
>>>>>>> issue is I don't know if both can be the same...
>>>>>>>
>>>>>>> Can a roaming user be a part of a machine? This doesn't seem 
>>>>>>> likely to me because they are both users in smb/ldap.
>>>>>>>
>>>>>>> if this is true then my question would be..
>>>>>>>
>>>>>>> when should I use roaming users and when should I use machines 
>>>>>>> with users
>>>>>>>
>>>>>>> I would love to read something about this, but all the 
>>>>>>> documentation I can find is weighted towards setting up samba 
>>>>>>> and LDAP.
>>>>>>>
>>>>>>> Can anyone point me in the right direction?
>>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> nflug mailing list
>>>>> nflug at nflug.org
>>>>> http://www.nflug.org/mailman/listinfo/nflug