ThinkPads default to Workgroup security?

Message

XCoalMiner · #1 Post by **XCoalMiner** » Mon May 31, 2004 4:51 pm

I see where my new ThinkPad T41 (XP Pro) is setup by default as a member of a Workgroup, as opposed to a Domain.

I plan to use this for personal use. Can anyone summairze the implications of switching to Domain membership?, ... one question in particular, I think I recall that is a one-way change, i.e., you cannot click and switch back to Workgroup.

Also, what are the implications of using NTFS's file encryption (EFS) if I do this, ... I'll pre-suppose it's a good idea not to have anything encrypted if I make the change.

WilsonF · #2 Post by **WilsonF** » Mon May 31, 2004 6:11 pm

All WinNT, Win2K and WinXP Pro installs default to workgroup unless you are connected to a domain network and join a domain during installation.

You don't need to join a domain unless you have a server at home or are using this system in a work environment that has a server and a domain.

Domain memberships permits the domain administraor to manage your system settings (such as preventint users from installing software the administrator doesn't like) and secure connections to the server either locally or remotely via dial-up-networking or VPN connections. (you wouldn't want just any bloke who walks in the door with a piece of CAT5e cable plugging in and browsing a company's file, checking your email etc.).

Joining a domain you don't manage yourself or that isn't managed by your company is fraught with peril and few, if any, benefits.

If you have your own serer, then you wouldn't be asking this question because you probably would have a domain at home. If your company paid for your system, the company would be making the decision for you.

If you don't know what domain to join, don't worry about joining. It's like the old WC Fields (I think) remark that if a domain you don't already know about will have you, you don't want to join.

XCoalMiner · #3 Post by **XCoalMiner** » Mon May 31, 2004 6:25 pm

Can you tell me if this is possible with workgroup: I take my thinkpad to a corporate client's site (they use AD domain security), I try to map a network drive via plugging in a network cable, (Thinkpad gets assigned an ip address, and I have valid username and password to use on their domain)?

I was/am worried that using workgroup will not allow me to do this?

hausman · #4 Post by **hausman** » Mon May 31, 2004 6:31 pm

WilsonF wrote:It's like the old WC Fields (I think) remark that if a domain you don't already know about will have you, you don't want to join.

<OT>
It was Groucho Marx who said "I'd never join a club that would have me as a member."
</OT>

cynic · #5 Post by **cynic** » Mon May 31, 2004 6:44 pm

XCoalMiner wrote:Can you tell me if this is possible with workgroup: I take my thinkpad to a corporate client's site (they use AD domain security), I try to map a network drive via plugging in a network cable, (Thinkpad gets assigned an ip address, and I have valid username and password to use on their domain)?

I was/am worried that using workgroup will not allow me to do this?

It will. You'll be fine. When you go to map a network drive, it'll prompt you for a username and password for the network. If not, use the map network drive wizard from My Computer and the very first screen gives you an option to use a different username and password (though, by default, it's set to use your standard username) Once you've mapped it once, you'll never have to go through this again anytime you bring your laptop back to that network.. you just restore your mapped drives and it'll take care of the authentication.

cynic · #6 Post by **cynic** » Mon May 31, 2004 6:47 pm

BTW, if you try to logon to a domain where they don't have enough access licenses for their servers, you'll be denied. That means you'd have to be sure that they budgetted a license for you. That isn't necessary when you are using workgroup status or just mapping into drives; only when you logon to a domain to become a "trusted" member of said domain.

XCoalMiner · #7 Post by **XCoalMiner** » Mon May 31, 2004 7:22 pm

cynic wrote: It will. You'll be fine. When you go to map a network drive, it'll prompt you for a username and password for the network. If not, use the map network drive wizard from My Computer and the very first screen gives you an option to use a different username and password (though, by default, it's set to use your standard username) Once you've mapped it once, you'll never have to go through this again anytime you bring your laptop back to that network.. you just restore your mapped drives and it'll take care of the authentication.

Can you point out anywhere else to look when this doesn't work? Was at same client a year ago, and co-worker had a thinkpad (OS was Win 98 or NT 4.0, as I recall) setup with workgroup security, and could not get any network drive mappings to work. At the same time, others with domain security (and W2K) didn't have any problems at all. I recall converting TP to domain security (and then had to restore back to workgroup because other things didn't work correctly).

Went so far as to copy and use the same NET USE ... command line strings to map drives on all the machines. What worked on all other machines didn't on the TP. Was always stumped by that, and never figured it out. But after a while gave up and found a different way to work. Now that I got a TP, and seeing workgroup setup, I recall the whole thing.

cynic · #8 Post by **cynic** » Mon May 31, 2004 7:32 pm

Windows XP Pro has multiple domain membership abilities. Older Windows didn't (though NT did) They've (Microsoft) changed the way security is done so this is possible. Also, when it comes to domains vs workgroups, it'll depend on what the PDC is using (Windows 2003 Server? Windows NT AS? etc)

mikebb · #9 Post by **mikebb** » Mon May 31, 2004 8:34 pm

XCoalMiner wrote:
cynic wrote: It will. You'll be fine. When you go to map a network drive, it'll prompt you for a username and password for the network. If not, use the map network drive wizard from My Computer and the very first screen gives you an option to use a different username and password (though, by default, it's set to use your standard username) Once you've mapped it once, you'll never have to go through this again anytime you bring your laptop back to that network.. you just restore your mapped drives and it'll take care of the authentication.
Can you point out anywhere else to look when this doesn't work? Was at same client a year ago, and co-worker had a thinkpad (OS was Win 98 or NT 4.0, as I recall) setup with workgroup security, and could not get any network drive mappings to work. At the same time, others with domain security (and W2K) didn't have any problems at all. I recall converting TP to domain security (and then had to restore back to workgroup because other things didn't work correctly).

Went so far as to copy and use the same NET USE ... command line strings to map drives on all the machines. What worked on all other machines didn't on the TP. Was always stumped by that, and never figured it out. But after a while gave up and found a different way to work. Now that I got a TP, and seeing workgroup setup, I recall the whole thing.

The problem your co-worker had sounds more like an OS issue than an issue with domain vs workgroup setup. Windows 98 (I don't remember about NT4) didn't give you the option to "Connect as a different User", while Win2K/XP does.

This means if you're not logged onto the client's network with credentials they recognize, you will not be able to access network resources (with Windows 98.) You'll get prompted for a password, but not a username. With Win2k/XP, you'll have the option to enter both a username and password, which will let you get connected, domain member or not.

JohnV · #10 Post by **JohnV** » Mon May 31, 2004 9:06 pm

cynic....the only way that another domain will show up in the selections on your laptop would be if the other domain was under the same Active Directory Forest if you are talking about a Win 2000/2003 domain or a trusted domain if its an NT4 domain. Otherwise a second non-related domain cannot be added.

John

#11 Post by **jdhurst** » Mon May 31, 2004 10:04 pm

In my opinion, Laptops are always best Off-Domain (i.e., in Workgroup mode). The reason is that a domain-connected Laptop will always barf if not connected. There is a way out for you XCoalMiner.

There is a folder deep down in Windows:
C:\Windows\System32\GroupPolicy\User\Scripts\Logon and Logoff.
You may need to run the Group Policy Edit gpedit.msc and browse to User Configuration -> Windows Settings -> Scripts for Windows to create the folders.

Then create a batch file with your login commands. Something like:
Connect.bat
NET USE Z: \\SERVER\C$ /user:name password
NET USE Y: \\SERVER\D$ /user:name password

or
NET USE Z: \\Server\Folder /user:domainname\username password

Store this batch file in the Logon folder.

Next create a batch file like this:
Shutdown.bat
NET USE Z: /delete
NET USE Y: /delete

Stor this batch file in the Logoff folder.

Match your shutdown drives with your connect drives.

Now in gpedit.msc, open the Logoff Script setting, and add shutdown.bat.
This will disconnect any open network drives whenever you log off.

Now make a Desktop shortcut and point it to Connect.bat.

You're done.

Start your laptop. Double click on Connect. You're connected.
Shutdown your laptop. Everything is automagically disconnected.

Take your laptop home. Don't click on Connect. The laptop works normally.

It will never barf if you do this. And it is all much easier that it took me to write it. I set myself up that way with multiple connect files to connect to different clients. I set my client laptops up this to eliminate frustration. They love it. .... jdhurst