Can you log on to a domain if your PC isn't a member of the domain?

Discussion in 'MCSE' started by Harvey Colwell, Nov 8, 2006.

  1. I came across a question on an exam preparation test. The answer indicated
    that a user could "log on" to the domain and have user based GPOs, in which
    their user account has allow-read and allow-apply rights, applied to their
    account even though their PC wasn't a member of the domain (stand-alone).

    My laptop isn't a member of any domain, but I often connect to domain
    resources at my customer's sites without any problem. Windows pops up a
    dialog for entering credentials. I simply have to enter a domain\userid and
    password. But of course, I'm simply authenticating against AD, I'm not
    logging into AD, and therefore, no login script is ever run and no GPOs are
    ever applied.

    Does anyone know what this exam prep question was trying to say? Or are they
    just blowing wind?

    TIA
     
    Harvey Colwell, Nov 8, 2006
    #1

  2. Harvey Colwell

    Guest Guest

    Logon script won't run because you are not logging onto the domain using
    Windows logon on your laptop. You are basically authenticated to use the
    resources of the domain. GPOs, if any, will apply to your account for sure.
    Try to delete a folder that you are not allowed to and you will see. The
    point of the answer is:
    1. Could a user log on to the domain? Yes.
    2. Would GPOs be applied to the user? Yes. (Don't pay attention to
    allow-read and allow-apply blah blah blah. Microsoft just wants you to be
    confused, that's all.)
     
    Guest, Nov 8, 2006
    #2


  3. I think you are confusing GPOs and NTFS/Share access rights. Access to
    resources is controlled by access rights. GPOs do things such as control
    which control panel applets show up, or which tabs are visible on the
    Internet Properties dialog, or password complexity, etc.

    If you read all of my post, I stated that you are only authenticating
    against Active Directory (or the local SAM as far as that's concerned).

    The local PC must apply the GPO. So my point is, if the PC isn't a member of
    the domain, why would it trust or even listen to what a Domain Controller is
    saying to do. (Of course I know it's the other way around, the PC reads the
    GPOs from the SysVol share on its own. The DC doesn't push them out.)
     
    Harvey Colwell, Nov 8, 2006
    #3
  4. Harvey Colwell

    Guest Guest

    GPOs will be applied on the user account no matter what. You don't see the
    logon script running because you are only authenticating yourself, not
    logging on to the computer. The same fact applies to IPSec or VPN connection.
    Let's say if you are trying to change your screen saver (which GPO doesn't
    allow you to), you are still able to change it on your laptop. However, if
    you are connected to the network via RDC, you will not be able to change it
    on the computer you are connected to.
    Another thing about the exam question, it doesn't say anything about your
    non-domain machine will have the GPOs applied directly from the domain, does
    it? In other words, you can copy the GPOs from the domain to your laptop and
    have it applied as long as you have "allow-read" and "allow-apply" rights.
    Make sense.
     
    Guest, Nov 9, 2006
    #4
  5. Harvey Colwell

    vickymakhija Guest

    HI harvey the script just wont run unless u login
    u r machine doesnt have any scripts so that is mere ly not possible
     
    vickymakhija, Nov 10, 2006
    #5
  6. Harvey Colwell

    Frisbee® Guest

    You named your script "Harvey?"
     
    Frisbee®, Nov 10, 2006
    #6
  7. Harvey Colwell

    Kline Sphere Guest

    HI harvey the script just wont run unless u login
    and named her keyboard 'broken'.

    Kline Sphere (Chalk) MCNGP #3
     
    Kline Sphere, Nov 10, 2006
    #7
  8. Harvey Colwell

    Terence Rabe Guest

    Hi Harvey,

    It is possible for certain settings in the computer portion of a GPO to
    apply to a laptop that is not in the domain... if the laptop was previously
    in the domain. The settings are cached and stay behind on the laptop. If the
    computer was _never_ in the domain then the computer settings in GPOs will
    not apply.

    If the user is challenged (as in the scenario you described) then it's just
    an authentication, not a logon, so you're quite right in saying that GPOs
    and scripts are not applicable.

    However, I could use my home PC and log on to the domain via remote desktop
    connection. Then the user and computer accounts are domain based and GPOs
    apply.

    Of course it's possible that the practice test was just plain wrong... I've
    seen that before.

    Terence
     
    Terence Rabe, Nov 10, 2006
    #8

  9. Same here. And this is the answer that I was expecting to get from everyone.

    My question had nothing to do with RDP. But even if it did, it would depend
    on whether or not the PC/Server you are RDPing into is a domain member or
    not.

    My question was about connecting to a domain resource, and getting prompted
    for credentials. This only happens if you don't have any already.
     
    Harvey Colwell, Nov 10, 2006
    #9
  10. Harvey Colwell

    Briscobar Guest

    IF? They're all challenged in one way or another.
     
    Briscobar, Nov 10, 2006
    #10
  11. Harvey Colwell

    BD[MCNGP] Guest

    Are they challenged? Or Gifted?
     
    BD[MCNGP], Nov 10, 2006
    #11
  12. Harvey Colwell

    Terence Rabe Guest

    You're welcome. Don't mind the clowns.
    Correct. But since you didn't quote the question I thought I'd cover all the
    bases :)
    Kinda. You would have credentials from logging on locally to a
    workgroup-based system, (if you're using any NT based OS...) just that the
    systems that are part of the domain will challenge you because they don't
    trust the access token generated by the SAM database on the workgroup
    client.

    HTH
    Terence
     
    Terence Rabe, Nov 11, 2006
    #12
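
Added example (not part of the original thread): a PowerShell check to run on the laptop itself, showing whether the session is a domain logon or a local logon that only authenticates to domain resources. The function name Get-LogonContext and the property DomainUserGpoExpected are names chosen here for illustration; it assumes Windows PowerShell 3.0 or later and a Windows version whose gpresult supports /r.

```powershell
# Example code added for illustration; Get-LogonContext is a hypothetical name.
function Get-LogonContext {
    # Win32_ComputerSystem reports whether this machine has a domain computer account.
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # The logon identity is DOMAIN\user; for a local (SAM) account the
    # "domain" part is the computer's own name.
    $accountDomain  = ($identity.Name -split '\\', 2)[0]
    $isLocalAccount = $accountDomain -ieq $env:COMPUTERNAME
    $joined         = [bool]$cs.PartOfDomain

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PartOfDomain          = $joined
        DomainOrWorkgroup     = if ($joined) { $cs.Domain } else { $cs.Workgroup }
        LoggedOnAs            = $identity.Name
        LocalAccount          = $isLocalAccount
        LogonServer           = $env:LOGONSERVER
        # Assumption stated as a summary: user-side domain GPOs and logon
        # scripts are processed only for a domain account logging on to a
        # machine that is itself a domain member.
        DomainUserGpoExpected = ($joined -and -not $isLocalAccount)
    }
}

Get-LogonContext | Format-List

# Connections opened with domain\userid credentials typed at the prompt.
# These are per-connection authentications, not a logon session.
net use

# Resultant Set of Policy for the current user: on a workgroup machine no
# domain GPOs are listed here, however many shares are connected above.
gpresult /scope user /r
```

On a workgroup laptop connected to domain shares, PartOfDomain and DomainUserGpoExpected are False while net use still lists the authenticated connections.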