Results 1 to 8 of 8

Thread: Workgroup Auth on a domain

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    29

    Arrow Workgroup Auth on a domain

    We have a few systems of employee's that come into work. We want to allow them access to it, but we don't want to make them join the domain. Basically, we use a program that access files on \\domain\servername\filename.

    Does anyone know of a way to create a workgroup that can authenticate on the domain? I realize this idea wouldn't be the best security wise, but at this point the data that these people will be accessing won't be something that needs to be secure. Any ideas are appreciated.
    I have my CCNA and i'm currently working towards my CCNP and CSSP.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Why not just use limited permissions\accounts???


    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Junior Member
    Join Date
    Aug 2006
    Posts
    29
    I looked through the GPO and google, and didn't see much information or help on how to do it. Not to mention there are more options in GPO that i knew about. Do you have any more information about that, or a link i could read?
    I have my CCNA and i'm currently working towards my CCNP and CSSP.

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    So you are not using these things now??

    http://technet2.microsoft.com/window...p/default.mspx

    There are several built in default GPO templates

    Best not to edit existing default policies...but to copy and create a new one...and then tweak from there...then apply the GP when creating the user

    Or

    Create a security group...called limited users...and then add your users to this group.

    Give the limited user group access to the folders you want them to have access to....

    Really depends on your existing setup.....and what services and access they need ....such as remote access, OWA, Internet etc???

    I like using security groups...for different roles or departments....asigning the groups the permissions ...and then adding or removing users as needed.

    MLF
    Last edited by morganlefay; December 7th, 2006 at 09:03 PM.
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Junior Member
    Join Date
    Aug 2006
    Posts
    29
    I understand what you mean in a way, but you do know that they are not on the domain? What you said makes sense to me if they were on the domain, but i'm not directly sure if that works for users that are not on it?

    edit: we are using GPO's, but very few of them. The previous network admin screwed up quite a few things, so we had to remove what we could at that time to get everything up and going.

    edit2: I think i have an idea after thinking about it for a sec, thanks for the idea. Will reply in a bit.
    Last edited by Zunger; December 7th, 2006 at 09:08 PM.
    I have my CCNA and i'm currently working towards my CCNP and CSSP.

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Why not create a limited users group and policy and then add users to and from as needed.

    Yes you will have to have them on the domain....I am not sure what the issue is adding them to the domain??

    But it would make them easier as a whole to manage....instead of individually.

    If you are worried about your network...dont let them "physically" plug into it....whether they are on your domain or not.

    I guess you can try and publish a shared folder on the server with everyone full access....and then have them connect via the IP address of the server using a unc path

    \\ipaddress\sharename

    Not sure that will work....cause I have no open shares like that.....and the only people that can access resources are "authenticated users"

    Are they going to be running an application....cause you may need some server resources that will not be available using an open share.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    Junior Member
    Join Date
    Aug 2006
    Posts
    29
    Theres odd reasons why they cannot be added to the domain. The idea i thought about above will not / does not work.

    I tried doing it through net share and giving everyone / that user access but it doesnt work. When i view it through wireshark, it shows \\computer name\username.

    So the real question would be, is there any way to make it so that through i can give file access to \\computer name\username through AD? so it doesn't have to be \\domain\computer name.

    Hope you understand what i mean. The original quote with a workgroup auth was just an idea that a fellow network admin suggested (not sure if he was blowing smoke) to me a few days ago.
    I have my CCNA and i'm currently working towards my CCNP and CSSP.

  8. #8
    If the clients are win2k or above you can map the drive with alternative credentials. Create one or more accounts in AD with permissions to the shared folder and then map the drive from the client.

    net use * \\computername\sharename "password" /USER:domainname\username

    I would suggest using multiple unique accounts with the above for auditing purposes.

    Alternatively you can enable the guest account in AD and give that account permissions to the folder. I'm not completely sure of the security implications of enabling this account and suggest investigating further before proceeding with this option. Enabling this account is generally seen as bad practice.

    Good luck!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •