MCSE - Can you logon to a domain if your PC isn't a member of the domain.

#1

I came across a question on an exam preparation test. The answer indicated that a user could "log on" to the domain and have user-based GPOs, in which their user account has allow-read and allow-apply rights, applied to their account even though their PC wasn't a member of the domain (stand-alone).

My laptop isn't a member of any domain, but I often connect to domain resources at my customer's sites without any problem. Windows pops up a dialog for entering credentials. I simply have to enter a domain\userid and password. But of course, I'm simply authenticating against AD, I'm not logging into AD, and therefore, no login script is ever run and no GPOs are ever applied.

Does anyone know what this exam prep question was trying to say? Or are they just blowing wind?

TIA

Harvey Colwell

#2

"Harvey Colwell" wrote:
> I came across a question on an exam preparation test. The answer indicated that a user could "log on" to the domain and have user-based GPOs, in which their user account has allow-read and allow-apply rights, applied to their account even though their PC wasn't a member of the domain (stand-alone).
>
> My laptop isn't a member of any domain, but I often connect to domain resources at my customer's sites without any problem. Windows pops up a dialog for entering credentials. I simply have to enter a domain\userid and password. But of course, I'm simply authenticating against AD, I'm not logging into AD, and therefore, no login script is ever run and no GPOs are ever applied.
>
> Does anyone know what this exam prep question was trying to say? Or are they just blowing wind?
>
> TIA

Logon script won't run because you are not logging onto the domain using Windows logon on your laptop. You are basically authenticated to use the resources of the domain. GPOs, if any, will apply to your account for sure. Try to delete a folder that you are not allowed to and you will see. The point of the answer is:

1. Could a user logon to the domain? Yes.
2. Would GPOs be applied to the user? Yes. (Don't pay attention to allow-read and allow-apply blah blah blah. Microsoft just want you to be confused, that's all.)

#3

"Dragon Without Wings" <> wrote in message news:BA1D2543-B8E0-4290-878E-...
> Logon script won't run because you are not logging onto the domain using Windows logon on your laptop. You are basically authenticated to use the resources of the domain. GPOs, if any, will apply to your account for sure. Try to delete a folder that you are not allowed to and you will see. The point of the answer is:
> 1. Could a user logon to the domain? Yes.
> 2. Would GPOs be applied to the user? Yes. (Don't pay attention to allow-read and allow-apply blah blah blah. Microsoft just want you to be confused, that's all.)

I think you are confusing GPOs and NTFS/Share access rights. Access to resources is controlled by access rights. GPOs do things such as control which control panel applets show up, or which tabs are visible on the Internet Properties dialog, or password complexity, etc.

If you read all of my post, I stated that you are only authenticating against Active Directory (or the local SAM as far as that's concerned).

The local PC must apply the GPO. So my point is, if the PC isn't a member of the domain, why would it trust or even listen to what a Domain Controller is saying to do. (Of course I know it's the other way around, the PC reads the GPOs from the SysVol share on its own. The DC doesn't push them out.)

#4

"Harvey Colwell" wrote:
> I think you are confusing GPOs and NTFS/Share access rights. Access to resources is controlled by access rights. GPOs do things such as control which control panel applets show up, or which tabs are visible on the Internet Properties dialog, or password complexity, etc.
>
> If you read all of my post, I stated that you are only authenticating against Active Directory (or the local SAM as far as that's concerned).
>
> The local PC must apply the GPO. So my point is, if the PC isn't a member of the domain, why would it trust or even listen to what a Domain Controller is saying to do. (Of course I know it's the other way around, the PC reads the GPOs from the SysVol share on its own. The DC doesn't push them out.)

GPOs will be applied on the user account no matter what. You don't see the logon script running because you are only authenticating yourself, not logging on to the computer. The same fact applies to IPSec or VPN connection. Let's say if you are trying to change your screen saver (which GPO doesn't allow you to), you are still able to change it on your laptop. However, if you are connected to the network via RDC, you will not be able to change it on the computer you are connected to.

Another thing about the exam question, it doesn't say anything about your non-domain machine having the GPOs applied directly from the domain, does it? In other words, you can copy the GPOs from the domain to your laptop and have them applied as long as you have "allow-read" and "allow-apply" rights. Make sense.

#5

HI harvey the script just wont run unless u login
u r machine doesnt have any scripts so that is mere ly not possible

Harvey Colwell wrote:
> I came across a question on an exam preparation test. The answer indicated that a user could "log on" to the domain and have user-based GPOs, in which their user account has allow-read and allow-apply rights, applied to their account even though their PC wasn't a member of the domain (stand-alone).
>
> My laptop isn't a member of any domain, but I often connect to domain resources at my customer's sites without any problem. Windows pops up a dialog for entering credentials. I simply have to enter a domain\userid and password. But of course, I'm simply authenticating against AD, I'm not logging into AD, and therefore, no login script is ever run and no GPOs are ever applied.
>
> Does anyone know what this exam prep question was trying to say? Or are they just blowing wind?
>
> TIA

#6

"vickymakhija" <> wrote in message news: ups.com...
> HI harvey the script just wont run unless u login
> u r machine doesnt have any scripts so that is mere ly not possible

You named your script "Harvey?"

#7

>> HI harvey the script just wont run unless u login
>> u r machine doesnt have any scripts so that is mere ly not possible
>
> You named your script "Harvey?"

and named her keyboard 'broken'.

Kline Sphere (Chalk) MCNGP #3

#8

Hi Harvey,

It is possible for certain settings in the computer portion of a GPO to apply to a laptop that is not in the domain... if the laptop was previously in the domain. The settings are cached and stay behind on the laptop. If the computer was _never_ in the domain then the computer settings in GPOs will not apply.

If the user is challenged (as in the scenario you described) then it is just an authentication, not a logon, so you're quite right in saying that GPOs and scripts are not applicable.

However, I could use my home PC and log on to the domain via remote desktop connection. Then the user and computer accounts are domain based and GPOs apply.

Of course it's possible that the practice test was just plain wrong... I've seen that before.

Terence

---

"Harvey Colwell" <> wrote in message news:...
> I came across a question on an exam preparation test. The answer indicated that a user could "log on" to the domain and have user-based GPOs, in which their user account has allow-read and allow-apply rights, applied to their account even though their PC wasn't a member of the domain (stand-alone).
>
> My laptop isn't a member of any domain, but I often connect to domain resources at my customer's sites without any problem. Windows pops up a dialog for entering credentials. I simply have to enter a domain\userid and password. But of course, I'm simply authenticating against AD, I'm not logging into AD, and therefore, no login script is ever run and no GPOs are ever applied.
>
> Does anyone know what this exam prep question was trying to say? Or are they just blowing wind?
>
> TIA
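
A way to check on the laptop itself which of the cases discussed in this thread applies, as an added PowerShell example that is not part of any post: it reports whether the machine is domain-joined and lists the GPOs that Windows recorded as applied the last time policy was processed, for the computer and for the current user. The function names `Get-CachedGpo` and `Get-GpoEvidence` are hypothetical.

```powershell
# Added example; Get-CachedGpo and Get-GpoEvidence are hypothetical helper names.

function Get-CachedGpo {
    param([Parameter(Mandatory)][string]$HistoryKey)
    # Under ...\Group Policy\History there is one subkey per client-side
    # extension, each holding numbered subkeys, one per GPO it processed.
    # An entry for the machine's local policy can also appear here; it is
    # not a domain GPO.
    if (-not (Test-Path -Path $HistoryKey)) { return @() }
    Get-ChildItem -Path $HistoryKey -Recurse -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique
}

function Get-GpoEvidence {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        # False on a stand-alone (workgroup) machine.
        PartOfDomain      = $cs.PartOfDomain
        # Domain name when joined, workgroup name otherwise.
        DomainOrWorkgroup = $cs.Domain
        # The account of the interactive session, not the credentials typed
        # into a prompt when connecting to a share.
        SessionUser       = "$env:USERDOMAIN\$env:USERNAME"
        CachedComputerGpos = @(Get-CachedGpo -HistoryKey `
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History')
        CachedUserGpos     = @(Get-CachedGpo -HistoryKey `
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History')
    }
}

Get-GpoEvidence | Format-List

# Resultant Set of Policy for the current session's user, as Windows reports it.
gpresult /r /scope user
```
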

#9

"Terence Rabe" <mct@hotmail in the UK> wrote in message news:...
> Hi Harvey,
>
> Of course it's possible that the practice test was just plain wrong... I've seen that before.

Same here. And this is the answer that I was expecting to get from everyone.

My question had nothing to do with RDP. But even if it did, it would depend on whether or not the PC/Server you are RDPing into is a domain member or not.

My question was about connecting to a domain resource, and getting prompted for credentials. This only happens if you don't have any already.

#10

"Terence Rabe" <mct@hotmail in the UK> wrote in message news:...
> If the user is challenged

IF? They're all challenged in one way or another.