Windows 2003 Active Directory and Windows NT/2000 Workgroup Server

Discussion in 'Windows Networking' started by FP Frustrated, Mar 20, 2005.

  1. Does Windows 2003 AD trust a Windows NT/2000 Workgroup with the Same name as
    the Domain?

    I have 4 networks. 1 Windows 2003 AD Domain, and 3 Workgroup Subnetworks.
    Two users came from a subnetwork to the W2k3 AD Domain, and authenticated.
    Left and went back to their own Workgroup Server, and now cannot see/connect
    to shares on the workgroup server or a printer share on a workstation.

    Before the W2K3 AD Domain was a Windows NT 4.0 Domain.
    FP Frustrated, Mar 20, 2005

  2. FP Frustrated

    FenderAxe Guest

    Hi there --

    No, you can't configure AD to trust workgroups. AD forests can be
    configured to trust forests and AD domains can be configured to trust other

    Keep in mind that in a workgroup, the user is only logging onto the
    machine, where the user has a user account -- on that machine only. To
    allow the user to log on to other machines in the workgroup, you have to
    create a user account on each machine for the user.

    With AD, you create a user account and the user can log on to any domain
    resource (such as other computers) with the credentials for that user
    account. The user can access shares on other computers for which the user
    has been granted explicit access, too, without having a user account on the
    computer where the share is created.

    To troubleshoot the problem you are having you must know where the users
    have accounts (in the domain AND on computers in their workgroups) and
    whether they are entering their credentials properly.

    Also keep in mind that depending on how things are configured, a user can
    log on to a domain from a computer that is not a domain member as long as
    there is a network path from the computer to the DC. So your users might be
    logging onto the domain (instead of to the local computer in the workgroup)
    with the AD user account, then attempting to access local resources for
    which they do not have permission with the AD user account -- only the user
    account on their local machine has permission to access the resources.

    Even if you use the same user name and password for the account in AD and
    the account configured in the Security Accounts Manager (SAM) database on
    each individual workgroup machine, the accounts are all different and
    cannot be used interchangeably.

    There are quite a few solutions to this problem, but a simple one is to
    make sure that when users are in their workgroup, they log on to the local
    machine only.

    Another solution might be to assign permissions to workgroup resources to
    their user account in AD -- using the syntax DOMAIN\username for the share.
    You will need to experiment to see what works best for your setup.


    FenderAxe, Mar 20, 2005
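
A diagnostic for the troubleshooting step in the reply above (where does the account live, and which account is the session actually using), added here as an example and not part of the original thread. It compares the issuing authority inside the SID rather than the user name; `Get-AccountScope` is a hypothetical helper name and the sample SIDs are constructed values.

```powershell
# Added example: classify an account as local (SAM) or domain by its SID, not its name.
function Get-AccountScope {
    param(
        [Parameter(Mandatory)] [string] $AccountSid,  # SID of the account being checked
        [Parameter(Mandatory)] [string] $MachineSid   # SID of any local account on this computer
    )
    $account = New-Object System.Security.Principal.SecurityIdentifier($AccountSid)
    $machine = New-Object System.Security.Principal.SecurityIdentifier($MachineSid)
    # AccountDomainSid drops the trailing RID and leaves the issuing authority:
    # the computer's own SAM or the AD domain. It is $null for well-known SIDs.
    if ($null -eq $account.AccountDomainSid) { return 'WellKnown' }
    if ($account.AccountDomainSid.Equals($machine.AccountDomainSid)) { return 'LocalSam' }
    return 'Domain'
}

# Constructed sample: "jsmith" exists in a workgroup server's SAM and again in AD.
# Same name, but the two SIDs come from different authorities.
$samJsmith = 'S-1-5-21-1111111111-2222222222-3333333333-1004'
$adJsmith  = 'S-1-5-21-4444444444-5555555555-6666666666-1104'
$localRef  = 'S-1-5-21-1111111111-2222222222-3333333333-500'
Get-AccountScope -AccountSid $samJsmith -MachineSid $localRef
Get-AccountScope -AccountSid $adJsmith  -MachineSid $localRef

# Live check on a Windows machine: which kind of account is this session using?
if ($env:OS -eq 'Windows_NT') {
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $local = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
             Select-Object -First 1
    [pscustomobject]@{
        Account      = $me.Name
        Scope        = Get-AccountScope -AccountSid $me.User.Value -MachineSid $local.SID
        PartOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }
}
```

Run it in the user's own session on the workgroup machine: a `Scope` of `Domain` on a computer where `PartOfDomain` is false means the session is using the AD account, not the local one that the share permissions were granted to.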