Can you log on to a domain if your PC isn't a member of the domain?

Discussion in 'MCSE' started by Harvey Colwell, Nov 8, 2006.

  1. I came across a question on an exam preparation test. The answer indicated
    that a user could "log on" to the domain and have user based GPOs, in which
    their user account has allow-read and allow-apply rights, applied to their
    account even though their PC wasn't a member of the domain (stand-alone).

    My laptop isn't a member of any domain, but I often connect to domain
    resources at my customer's sites without any problem. Windows pops up a
    dialog for entering credentials. I simply have to enter a domain\userid and
    password. But of course, I'm simply authenticating against AD, I'm not
    logging into AD, and therefore, no login script is ever run and no GPOs are
    ever applied.

    Does anyone know what this exam prep question was trying to say? Or are they
    just blowing wind?

    TIA
     
    Harvey Colwell, Nov 8, 2006
    #1

  2. "Harvey Colwell" wrote:

    > I came across a question on an exam preparation test. The answer indicated
    > that a user could "log on" to the domain and have user based GPOs, in which
    > their user account has allow-read and allow-apply rights, applied to their
    > account even though their PC wasn't a member of the domain (stand-alone).
    >
    > My laptop isn't a member of any domain, but I often connect to domain
    > resources at my customer's sites without any problem. Windows pops up a
    > dialog for entering credentials. I simply have to enter a domain\userid and
    > password. But of course, I'm simply authenticating against AD, I'm not
    > logging into AD, and therefore, no login script is ever run and no GPOs are
    > ever applied.
    >
    > Does anyone know what this exam prep question was trying to say? Or are they
    > just blowing wind?
    >
    > TIA
    >
    >


    Logon script won't run because you are not logging onto the domain using
    Windows logon on your laptop. You are basically authenticated to use the
    resources of the domain. GPOs, if any, will apply to your account for sure.
    Try to delete a folder that you are not allowed to and you will see. The
    point of the answer is:
    1. Could a user log on to the domain? Yes.
    2. Would GPOs be applied to the user? Yes. (don't pay attention to
    allow-read and allow-apply blah blah blah. Microsoft just wants you to be
    confused that's all)
     
    Dragon Without Wings, Nov 8, 2006
    #2

  3. "Dragon Without Wings" <> wrote in message
    news:...
    > Logon script won't run because you are not logging onto the domain using
    > Windows logon on your laptop. You are basically authenticated to use the
    > resources of the domain. GPOs, if any, will apply to your account for
    > sure.
    > Try to delete a folder that you are not allowed to and you will see. The
    > point of the answer is:
    > 1. Could a user log on to the domain? Yes.
    > 2. Would GPOs be applied to the user? Yes. (don't pay attention to
    > allow-read and allow-apply blah blah blah. Microsoft just wants you to be
    > confused that's all)



    I think you are confusing GPOs and NTFS/Share access rights. Access to
    resources is controlled by access rights. GPOs do things such as control
    which control panel applets show up, or which tabs are visible on the
    Internet Properties dialog, or password complexity, etc.

    If you read all of my post, I stated that you are only authenticating
    against Active Directory (or the local SAM as far as that's concerned).

    The local PC must apply the GPO. So my point is, if the PC isn't a member of
    the domain, why would it trust or even listen to what a Domain Controller is
    saying to do. (Of course I know it's the other way around, the PC reads the
    GPOs from the SysVol share on its own. The DC doesn't push them out.)
     
    Harvey Colwell, Nov 8, 2006
    #3
  4. Re: Can you logon to a domain if your PC isn't a member of the dom

    "Harvey Colwell" wrote:

    > I think you are confusing GPOs and NTFS/Share access rights. Access to
    > resources is controlled by access rights. GPOs do things such as control
    > which control panel applets show up, or which tabs are visible on the
    > Internet Properties dialog, or password complexity, etc.
    >
    > If you read all of my post, I stated that you are only authenticating
    > against Active Directory (or the local SAM as far as that's concerned).
    >
    > The local PC must apply the GPO. So my point is, if the PC isn't a member of
    > the domain, why would it trust or even listen to what a Domain Controller is
    > saying to do. (Of course I know it's the other way around, the PC reads the
    > GPOs from the SysVol share on its own. The DC doesn't push them out.)
    >
    >
    >

    GPOs will be applied on the user account no matter what. You don't see the
    logon script running because you have only authenticated yourself, not
    logged on to the computer. The same fact applies to an IPSec or VPN
    connection. Let's say you are trying to change your screen saver (which the
    GPO doesn't allow you to), you are still able to change it on your laptop.
    However, if you are connected to the network via RDC, you will not be able
    to change it on the computer you are connected to.
    Another thing about the exam question, it doesn't say anything about your
    non-domain machine having the GPOs applied directly from the domain, does
    it? In other words, you can copy the GPOs from the domain to your laptop and
    have them applied as long as you have "allow-read" and "allow-apply" rights.
    Makes sense.
     
    Dragon Without Wings, Nov 9, 2006
    #4
  5. Harvey Colwell

    vickymakhija Guest

    HI harvey the script just wont run unless u login
    u r machine doesnt have any scripts so that is mere ly not possible





    Harvey Colwell wrote:
    > I came across a question on an exam preparation test. The answer indicated
    > that a user could "log on" to the domain and have user based GPOs, in which
    > their user account has allow-read and allow-apply rights, applied to their
    > account even though their PC wasn't a member of the domain (stand-alone).
    >
    > My laptop isn't a member of any domain, but I often connect to domain
    > resources at my customer's sites without any problem. Windows pops up a
    > dialog for entering credentials. I simply have to enter a domain\userid and
    > password. But of course, I'm simply authenticating against AD, I'm not
    > logging into AD, and therefore, no login script is ever run and no GPOs are
    > ever applied.
    >
    > Does anyone know what this exam prep question was trying to say? Or are they
    > just blowing wind?
    >
    > TIA
     
    vickymakhija, Nov 10, 2006
    #5
  6. Harvey Colwell

    Frisbee® Guest

    "vickymakhija" <> wrote in message
    news:...
    >
    > HI harvey the script just wont run unless u login
    > u r machine doesnt have any scripts so that is mere ly not possible


    You named your script "Harvey?"
     
    Frisbee®, Nov 10, 2006
    #6
  7. Harvey Colwell

    Kline Sphere Guest

    >> HI harvey the script just wont run unless u login
    >> u r machine doesnt have any scripts so that is mere ly not possible

    >
    >You named your script "Harvey?"


    and named her keyboard 'broken'.

    Kline Sphere (Chalk) MCNGP #3
     
    Kline Sphere, Nov 10, 2006
    #7
  8. Harvey Colwell

    Terence Rabe Guest

    Hi Harvey,

    It is possible for certain settings in the computer portion of a GPO to
    apply to a laptop that is not in the domain... if the laptop was previously
    in the domain. The settings are cached and stay behind on the laptop. If the
    computer was _never_ in the domain then the computer settings in GPOs will
    not apply.

    If the user is challenged (as in the scenario you described) then it is just
    an authentication, not a logon, so you're quite right in saying that GPOs
    and scripts are not applicable.

    However, I could use my home PC and log on to the domain via remote desktop
    connection. Then the user and computer accounts are domain based and GPOs
    apply.

    Of course it's possible that the practice test was just plain wrong... I've
    seen that before.

    Terence
    ---
    "Harvey Colwell" <> wrote in message
    news:...
    > I came across a question on an exam preparation test. The answer
    > indicated that a user could "log on" to the domain and have user based
    > GPOs, in which their user account has allow-read and allow-apply rights,
    > applied to their account even though their PC wasn't a member of the domain
    > (stand-alone).
    >
    > My laptop isn't a member of any domain, but I often connect to domain
    > resources at my customer's sites without any problem. Windows pops up a
    > dialog for entering credentials. I simply have to enter a domain\userid
    > and password. But of course, I'm simply authenticating against AD, I'm not
    > logging into AD, and therefore, no login script is ever run and no GPOs
    > are ever applied.
    >
    > Does anyone know what this exam prep question was trying to say? Or are
    > they just blowing wind?
    >
    > TIA
    >
    >
     
    Terence Rabe, Nov 10, 2006
    #8
  9. "Terence Rabe" <mct@hotmail in the UK> wrote in message
    news:...
    > Hi Harvey,
    >
    > Of course it's possible that the practice test was just plain wrong...
    > I've seen that before.
    >



    Same here. And this is the answer that I was expecting to get from everyone.



    My question had nothing to do with RDP. But even if it did, it would depend
    on whether or not the PC/Server you are RDPing into is a domain member or
    not.



    My question was about connecting to a domain resource, and getting prompted
    for credentials. This only happens if you don't have any already.
     
    Harvey Colwell, Nov 10, 2006
    #9
  10. Harvey Colwell

    Briscobar Guest

    "Terence Rabe" <mct@hotmail in the UK> wrote in message
    news:...
    >
    > If the user is challenged


    IF? They're all challenged in one way or another.
     
    Briscobar, Nov 10, 2006
    #10
  11. Harvey Colwell

    BD[MCNGP] Guest

    "Briscobar" <> wrote in message
    news:...
    >
    > "Terence Rabe" <mct@hotmail in the UK> wrote in message
    > news:...
    >>
    >> If the user is challenged

    >
    > IF? They're all challenged in one way or another.

    Are they challenged? Or Gifted?
     
    BD[MCNGP], Nov 10, 2006
    #11
  12. Harvey Colwell

    Terence Rabe Guest

    "Harvey Colwell" <> wrote in message
    news:...
    > "Terence Rabe" <mct@hotmail in the UK> wrote in message
    > news:...
    >> Hi Harvey,
    >>
    >> Of course it's possible that the practice test was just plain wrong...
    >> I've seen that before.

    >
    > Same here. And this is the answer that I was expecting to get from
    > everyone.

    You're welcome. Don't mind the clowns.

    > My question had nothing to do with RDP. But even if it did, it would
    > depend on whether or not the PC/Server you are RDPing into is a domain
    > member or not.

    Correct. But since you didn't quote the question I thought I'd cover all the
    bases :)

    > My question was about connecting to a domain resource, and getting
    > prompted for credentials. This only happens if you don't have any already.

    Kinda. You would have credentials from logging on locally to a
    workgroup-based system, (if you're using any NT based OS...) just that the
    systems that are part of the domain will challenge you because they don't
    trust the access token generated by the SAM database on the workgroup
    client.

    HTH
    Terence
     
    Terence Rabe, Nov 11, 2006
    #12