Microsoft KB Archive/101232

= When a workstation joins a Windows NT domain =

Article ID: 101232

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Advanced Server 3.1
 * Microsoft Windows NT Workstation 3.1



This article was previously published under Q101232



SUMMARY
This article covers the following information:
 * When a Workstation Joins a Windows NT Domain
 * Additional Notes on Joining Domains
 * Re-joining a Domain
 * Background on Windows NT Domains

When a Workstation Joins a Windows NT Domain
When a Windows NT workstation joins a domain, it appears in computer browsers under the domain name it just joined and is able to use and reference user accounts and global groups created in that domain. If the domain trusts other domains, the user accounts and global groups of those other trusted domains are also available for use on the workstation. Domain and trusted domain user accounts may be used to log on to the workstation or to allow remote connections to it, referenced to grant permissions to use resources such as a shared directory or printer, and referenced to grant user rights on the workstation.

When a workstation joins a Windows NT domain, the following things take place:
 * 1) The workstation shows up in computer browser lists as being within the domain, just as it does when it belongs to a workgroup.
 * 2) The workstation can use accounts and global groups (but not local groups) from its domain and from any domain that its domain trusts. (User accounts may be used to log on to or remotely connect to the workstation; user accounts and global groups may be granted permissions to resources such as files, directories, and printers, and may also be granted user rights in the User Manager.)
 * 3) By default, the Domain Admins global group from the domain is added to the Administrators local group of the workstation, thus making the workstation remotely administrable by domain administrators.
 * 4) By default, the Domain Users global group from the domain is added to the Users local group of the workstation, thus making it possible for any user in the domain to log on or connect to the workstation.

Items 3 and 4 are merely default settings. These global groups may be removed from the respective local groups at any time by any administrator.
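
To check how far a workstation has drifted from the join-time defaults in items 3 and 4, the following added example (not part of the original article) parses the text output of `net localgroup <group>` and reports whether the default domain global group is still a member and which other principals have been added. The domain name CORP, the account jsmith and the sample output are constructed for illustration; the output layout follows current Windows versions of the command and is an assumption for Windows NT 3.1.

```python
import re

# Constructed sample: output of `net localgroup Administrators` on a
# hypothetical workstation joined to a hypothetical domain named CORP.
SAMPLE_ADMINS = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""


def parse_members(net_output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members


def audit_group(net_output, domain, default_global_group):
    """Compare one local group's members with the default set at domain join."""
    default = f"{domain}\\{default_global_group}".lower()
    report = {"default_present": False, "local": [], "extra_domain": []}
    for member in parse_members(net_output):
        if member.lower() == default:
            report["default_present"] = True       # item 3 or 4 still in effect
        elif "\\" in member:
            report["extra_domain"].append(member)  # any other PREFIX\name principal
        else:
            report["local"].append(member)         # account local to the workstation
    return report


if __name__ == "__main__":
    print(audit_group(SAMPLE_ADMINS, "CORP", "Domain Admins"))
```

Run the same function with `"Domain Users"` against the output of `net localgroup Users` to check item 4.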

Additional Notes on Joining Domains

 * Workstations that are members of a domain may still have their own local user accounts and local groups and are still subject only to local security policies.
 * If a workstation doesn't belong to a domain, a local account must be maintained for every user that is to log on to or connect to the computer. By default, the Guest account is enabled, so that anybody can remotely connect to a Windows NT computer as a guest. They will only gain access to items which grant access permissions or user rights to the Guest account, the Guests local group, or to the Everyone "group". This is not the case with Windows NT Advanced Server, however, where the Guest account is disabled by default.

NOTE: On a Windows NT Advanced Server machine, the Guest account is disabled by default.
 * By default, the domain administrator can remotely or locally administer the workstation.
 * By default, the users of the domain can log on to the computer locally or connect to it remotely. Of course, all security protections are still in effect, so logging on or connecting to a workstation doesn't compromise protected information.
 * To make a workstation appear in the computer browser list along with other resources, all that is necessary is to add the computer to the workgroup. Note that a domain may be used as a workgroup by any Windows NT or Windows for Workgroups computer without having any security implications whatsoever.
 * Computers that are members of a domain or that use a domain as a workgroup all show up in the Server Manager main window. To distinguish computers that are members of the domain from those that only use it as a workgroup, filter the main window using the Show Domain Members Only option from the View menu. Workstations that appear grayed-out in the main window are members of the domain that are currently not turned on or are not running the Server service. Workstations that are not grayed-out are currently on and running the Server service, but may not be members of the domain. For a workstation to be added to the domain, a computer account must be created in Server Manager using the Computer Add to Domain command. A domain administrator can perform this step during setup of the workstation.

Note Server Manager is available only with the Windows NT Advanced Server and the Windows NT Resource Kit.

Background on Windows NT Domains
Each workstation has its own user account and security database. Information such as the list of accounts, passwords, and group memberships is stored in this database, as are the account, user rights, and audit policies. The main advantage of Windows NT Advanced Server domains is that they allow a set of computers to share the same user account and security information. For the Windows NT Advanced Server computers in a domain, the entire user account and security database is shared. So, accounts, global groups, and local groups are all shared by all Windows NT Advanced Servers in a domain. In addition, the account policies, user rights, audit policies, and trust relationships are all shared by all the servers. Windows NT workstations can access and use user accounts and global groups defined in the Windows NT Advanced Server domain that they are members of or in domains that their domain trusts. However, all local groups and security policies are controlled solely on the workstation and are not inherited from the domain.


© Microsoft Corporation. All rights reserved.