[nflug] I am windows inept

Eric Benoit eric at bootz.us
Thu Jul 3 10:31:16 EDT 2008


Yes it does... clearly roaming users are the way to go.

Thanks for the lesson and direction.

Jason Lasker wrote:
> Think along the lines of scalability.  If I have to manage 20 users on 30
> machines I can do it either locally or with a domain.  
>
> Now a new user joins the group.  I can add this account to each machine
> locally (touch 30 machines... ugly) or just add them to the domain once and
> add them to groups so they get their proper permissions, policies etc.....
>
> Or you have to change a compromised password..... on 30 machines.....
> quickly becomes a nightmare...
>
> Now scale this up to 25,000 users on 10,000 machines in multiple locations,
> it quickly becomes the only reasonable way to control and provision users.
>
> This is the same reason you would use NIS/LDAP/Kerberos or any other
> centralized user authentication and authorization management system.
>
> Does this help???
>
> Jason Lasker
> Senior Project Manager/Systems Administrator
> Science and Engineering Node Services
> University at Buffalo 
> 113 Bell Hall
> Buffalo, NY 14260-2050
> voice:  (716) 645-3797 x2172
> fax:      (716) 645-3704
> email:  lasker at eng.buffalo.edu
>
>
> -----Original Message-----
> From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> Cyber Source
> Sent: Thursday, July 03, 2008 9:57 AM
> To: nflug at nflug.org
> Subject: Re: [nflug] I am windows inept
>
> There always has to be at least 1 "local" account in both Windows and 
> Linux; this local account is either the administrator (Windows, even 
> though it may just show the user name, that user will have full admin 
> rights if it's the only user on the box) or a user with sudo or root (Linux).
> Now, this same pc can then join a domain. This domain can be on the 
> local network, remote network, vpn, etc..
> Domains are a way to have more control for network administrators. When 
> the PC joins a domain, the current user may have scripts run via the 
> domain, network access only available when on the domain, user desktop 
> settings, etc.
>
> The reasoning for setting up a domain would be to have more control over 
> a network. If anyone would like to add to this explanation, please do.
>
> Eric Benoit wrote:
>   
>> ok.  So, what would be the point of joining a machine to a domain but 
>> only having local accounts, or would you have both in case the Domain 
>> server goes down?  Sorry, I'm just trying to find the reasoning, so I 
>> can set up my systems here appropriately.
>>
>> Cyber Source wrote:
>>     
>>> Yes, a "machine" with local accounts can also join a domain.
>>>
>>> Eric Benoit wrote:
>>>       
>>>> Cyber Source wrote:
>>>>         
>>>>> 1. Domain Account;
>>>>> When a PC is part of a domain, its "machine" name (PC name) is 
>>>>> used as part of the authentication process for joining the domain, 
>>>>> along with the user and password, which obtain user and group permissions.
>>>>> 2. User Account;
>>>>> On the very same pc, you may also have a user account for using the 
>>>>> pc without joining the domain, and based on permissions again, have 
>>>>> access to whatever was granted by the admin of the pc.
>>>>>           
>>>> so what you're saying in the above statement is a machine can be 
>>>> "logged in" to the Domain, but still have local users?
>>>>
>>>>
>>>>         
>>>>> In this thinking, everyone is a "roaming" user, whether logging 
>>>>> onto the pc or the domain.
>>>>>
>>>>> eric wrote:
>>>>>           
>>>>>> ok yes.
>>>>>>
>>>>>> Let's say I log into my domain called "ubuntu" with user "eric"; 
>>>>>> I'm not necessarily a roaming user, however the machine is logged 
>>>>>> into the domain with its machine name, "winxp" for example.
>>>>>> Gathering what you said I should always create roaming users... 
>>>>>> but what about adding a machine to the domain when would that be 
>>>>>> necessary... or is it impossible to have roaming users on a 
>>>>>> machine that was not added to a domain?
>>>>>>
>>>>>> thank you please keep going  :)
>>>>>>
>>>>>> Darin Perusich wrote:
>>>>>>             
>>>>>>> When you say "machines with users" I'm going to assume that you 
>>>>>>> mean local accounts on said workstation/laptop, and by "roaming 
>>>>>>> users" network/domain users.
>>>>>>>
>>>>>>> IMHO in a networked environment where you have a domain 
>>>>>>> controller there is almost never any reason for local user 
>>>>>>> accounts with the exception of administrative accounts or local 
>>>>>>> accounts which can perform admin tasks in the event the network 
>>>>>>> user repository is unavailable. On Windows once you login to the 
>>>>>>> system your domain username and password are cached temporarily 
>>>>>>> which allows you to logoff, take the machine off-site and login 
>>>>>>> with the domain account. You can do the same on Linux if you have 
>>>>>>> certain pam modules installed.
>>>>>>>
>>>>>>> Eric Benoit wrote:
>>>>>>>               
>>>>>>>> Hi I configured an LDAP-Samba ADS which works perfectly now, 
>>>>>>>> except I don't know that much about Windows and methods of 
>>>>>>>> configuring workstations/users...
>>>>>>>>
>>>>>>>> I have my smb/ldap automatically adding machines when I 
>>>>>>>> authenticate as admin and can add roaming users as well, but my 
>>>>>>>> issue is I don't know if both can be the same...
>>>>>>>>
>>>>>>>> can a roaming user be a part of a machine... this doesn't seem 
>>>>>>>> likely to me because they are both users in smb/ldap
>>>>>>>>
>>>>>>>> if this is true then my question would be..
>>>>>>>>
>>>>>>>> when should I use roaming users and when should I use machines 
>>>>>>>> with users
>>>>>>>>
>>>>>>>> I would love to read something about this, but all the 
>>>>>>>> documentation I can find is weighted towards setting up samba 
>>>>>>>> and LDAP.
>>>>>>>>
>>>>>>>> Can anyone point me in the right direction?
>>>>>>>>
>>>>>>>>                 
>>>>>> _______________________________________________
>>>>>> nflug mailing list
>>>>>> nflug at nflug.org
>>>>>> http://www.nflug.org/mailman/listinfo/nflug
>   
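The thread turns on how a Samba PDC with an LDAP backend tells a machine trust account apart from a user account, and a roaming user apart from one whose profile stays on the PC. The script below is an added example, not code from any of the posts above. It reads a constructed LDIF export (every entry and value in it is made up) and classifies each account by the conventions Samba's LDAP schema uses: a machine trust account carries the W flag in sambaAcctFlags and a uid ending in '$', an ordinary user carries U, a D flag marks a disabled account, and a sambaProfilePath means the profile roams. The function and variable names are my own.

```python
"""Classify Samba-on-LDAP accounts: machine trust accounts vs. user
accounts, roaming vs. local profile. Added example for this thread, not
code from the original posts; the LDIF export below is constructed.
"""
import base64
from typing import Dict, List

# Constructed sample export, roughly what `ldapsearch -LLL` against the
# PDC's tree would return. Names, numbers and paths are made up.
SAMPLE_LDIF = """\
dn: uid=eric,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: eric
uidNumber: 1001
sambaAcctFlags: [U          ]
sambaProfilePath: \\\\server\\profiles\\eric

dn: uid=admin,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: admin
uidNumber: 1000
sambaAcctFlags: [U          ]

dn: uid=olduser,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: olduser
uidNumber: 1002
sambaAcctFlags: [DU         ]
sambaProfilePath: \\\\server\\profiles\\olduser

dn: uid=winxp$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: winxp$
uidNumber: 2001
sambaAcctFlags: [W          ]

dn: uid=printer,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: printer
uidNumber: 1003
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: folded lines, '::' base64 values, '#' comments.
    Attribute names are lower-cased; every attribute maps to a list."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def acct_flags(entry: Dict[str, List[str]]) -> set:
    """Turn '[DU         ]' into the set {'D', 'U'}."""
    return set(entry.get("sambaacctflags", [""])[0].strip("[] "))


def classify(entry: Dict[str, List[str]]) -> str:
    """Role of one entry: machine, user (roaming or local profile), or neither."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    uid = entry.get("uid", [""])[0]
    if "sambasamaccount" not in classes:
        return "posix-only"                 # cannot log on to the domain at all
    flags = acct_flags(entry)
    if "W" in flags or uid.endswith("$"):
        # Both conventions must agree, otherwise the entry is suspect.
        if not ("W" in flags and uid.endswith("$")):
            return "inconsistent-machine"
        return "machine"
    if "D" in flags:
        return "disabled-user"
    return "roaming-user" if entry.get("sambaprofilepath") else "local-profile-user"


def audit(ldif_text: str) -> Dict[str, str]:
    """Map each uid in the export to its classification."""
    return {e["uid"][0]: classify(e) for e in parse_ldif(ldif_text) if "uid" in e}


if __name__ == "__main__":
    for name, role in audit(SAMPLE_LDIF).items():
        print(f"{name:10} {role}")
```

Run against a real export, the "inconsistent-machine" and "posix-only" buckets are the ones worth reading first: a uid ending in '$' without the W flag, or a W flag on a non-'$' name, usually means an `add machine script` that ran half-way, and a posixAccount with no sambaSamAccount class is an account that exists on the Linux side only and will never authenticate a domain logon.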