DWalker <(E-Mail Removed)> wrote:
> I have what ought to be a simple question about domains.
>
> I'm a programmer, but not a network expert by any means.
>
> At our company, all 7 of our users have local logons (on their
> Windows 2000 and Windows XP computers) that use their names, not
> "Administrator", and those user names are also set up in the server's
> Active Directory with the same passwords that the users use as their
> local login passwords.
This defeats one of the primary purposes of using Active
Directory... centralized account management.
>
> Most users "log in" to their local computers, and some might log in
> to the domain. Question: What is the difference, effectively,
> between logging in to the domain, and logging in to the local
> computer and still using domain resources like shared folders?
Right now, you're treating your domain like a workgroup. Your users'
credentials happen to match the credentials on the server - this lets them
access whatever the domain accounts are granted permission to access. This
works, but isn't ideal. Your users can't change their own passwords, even.
>
> We don't have any roaming profiles, there are no printers or other
> "resources" set up in Active Directory (there is only one shared
> printer, company-wide),
Then why do you have AD?
> there are no group policies,
Yes there are... you just aren't customizing any of them.
> and everything
> is very simple here. There is a one-to-one correspondence between
> computers and users.
> Since the users can all use the shared printer, and the shared
> folders, without re-entering their username and password, is there
> any real difference between logging in locally and logging in to the
> domain?
Group policies (including folder redirection), login scripts, centralized
account management (a single user ID and password, which the users
themselves would be able to change), for starters.
>
> Thanks for any help you can give me in understanding this.
It would be far better to log into the domain and use that account alone -
disable / delete the local accounts. You can copy the local accounts to the
domain accounts once they've logged in to the domain once on their
workstations; do this by logging in as an administrator & going to control
panel | system | Settings (profile) | copy to....
>
> David Walker