laptop users

hi everyone
I dont know if this is the right place to publish my question or not but any
way i hope you can answer me .
i am the administrator in my network . We was in a workgroup then we upgrade
to a domain . all users now in the network access the domain except laptop
users i didnt join them untill now .
the reason of this that i can not understand : how laptop users can access
their computers in the home. i think they can not , beacuse of they dont
connected to the domain .
if you tell me they can access to lacal machine without joining domain i
will tell you that i dont want them to be able to access their local machines
during the work .
so i want :
in the work : domain (ok) local (no) in the home : local (ok)
how can i configure this ?
thank you
youssef

Ok, I am a little thrown by the lack of punctuation and the rambling.

If I am hearing you correctly you have not joined the laptop users to the
domain because you do not think they can log in at home.

This is not the case. Once a user has successfully logged into their laptop
while connected to the domain, they will be able to log in regardless of the
state of their connection.

The laptop will cache their credentials.

For network and mail access it then customary to have a secure VPN establish
a connection back to the work place.

If the laptops are off the network for an extended period of time (i.e. not
locally connected or through a VPN) the machines account will get out of
sync with the machine account in the domain. The only quick and easy
solution I have found if to remove and rejoin the machine from the domain.
MS press even has a great book out that has some easy to customize scripts
so you can look like an it pro by "building" a domain rejoin tool.
-
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
"youssef" <(E-Mail Removed)> wrote in message
news:3EB1E449-5939-4BA6-BA1E-(E-Mail Removed)...
> hi everyone
> I dont know if this is the right place to publish my question or not but
> any
> way i hope you can answer me .
> i am the administrator in my network . We was in a workgroup then we
> upgrade
> to a domain . all users now in the network access the domain except laptop
> users i didnt join them untill now .
> the reason of this that i can not understand : how laptop users can access
> their computers in the home. i think they can not , beacuse of they dont
> connected to the domain .
> if you tell me they can access to lacal machine without joining domain i
> will tell you that i dont want them to be able to access their local
> machines
> during the work .
> so i want :
> in the work : domain (ok) local (no) in the home : local (ok)
> how can i configure this ?
> thank you
> youssef

Manny - We are using cached credential on my domain. I have sent some
laptops out to remote users. They say they do not have local admin
rights on their machines, though I set them up as members of a domain
group that has local admin rights.

They are logging onto the domain with cached credentials. I'm not sure
what's going wrong.

My companies common practice is to place the domain user acount directly in
the local admins group.

You could use a group for this, but you would effectively be giving the
users local admin rights on all the laptops.

Are you doing that last step directly on the laptops or are you adding them
to the local admin group on the domain controller?


--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Manny - We are using cached credential on my domain. I have sent some
> laptops out to remote users. They say they do not have local admin
> rights on their machines, though I set them up as members of a domain
> group that has local admin rights.
>
> They are logging onto the domain with cached credentials. I'm not sure
> what's going wrong.
>

on a domain conected work station there is a little arrow beside the domain
box, if you click on that the other option is the local machine. This one is
usefull for those who need access to the computer(like most of us) when
away from the office and the domain connection. I use that all the time for
setting up locked student accounts(I have no domain admin rights in this
district). Why not have them access the local machines durring work, if they
do they will have extremely limited access to domain resources.
Unfortunately I dont think there is a way that it can be stopped.

Jon
"youssef" <(E-Mail Removed)> wrote in message
news:3EB1E449-5939-4BA6-BA1E-(E-Mail Removed)...
> hi everyone
> I dont know if this is the right place to publish my question or not but
> any
> way i hope you can answer me .
> i am the administrator in my network . We was in a workgroup then we
> upgrade
> to a domain . all users now in the network access the domain except laptop
> users i didnt join them untill now .
> the reason of this that i can not understand : how laptop users can access
> their computers in the home. i think they can not , beacuse of they dont
> connected to the domain .
> if you tell me they can access to lacal machine without joining domain i
> will tell you that i dont want them to be able to access their local
> machines
> during the work .
> so i want :
> in the work : domain (ok) local (no) in the home : local (ok)
> how can i configure this ?
> thank you
> youssef

> Manny Borges
> MCSE NT4-2003 (+ Security)
> MCT, Certified Cheese Master
>
> There are 10 kinds of people in the world. Those who do understand binary
> and those who don't.
the other 101 dont care one way or another but 0xACE the exam any how

Jon
I know this is OT but I could not resist

Hi Manny, Thanks for your response. The reason we put users in a
domain group and add that group to the local admins on the machine is
so that we can easily remove the users' local admin privileges later.
The domain group is "installers" and we allow them to be in that group
for a brief time when they get their laptop, so they can load software
they need. Then we take them out of the group to prevent further damage
to the machine. My boss has said to absolutely NOT add the users'
individual accounts into the local admin group. The laptops are remote
and once the user is in the local admin group under his own account, we
may never be able to remove him from that group.

We are trying to find a fix that allows these users (non-technical
sales guys) to add the tools they needs (some packages from customers)
but not have permanent rights on the machine.