Unofficial empeg BBS

#110841 - 13/08/2002 15:59 HELP Win2K logon and profile related
F0X
member

Registered: 31/03/2002
Posts: 100
Loc: Alberta, Canada
Here is the deal.
I have a laptop that I normally log on to a domain with. When I am not connected to the domain, I still log on with the same username, and it uses a cached profile. This all works fine. Then, today I tried to connect to a workgroup at home. I changed the setting in Properties under Network Identification. Now, it will not let me change it back to the domain setting, as I am not connected to the domain at the moment. Is there any way to force it to accept the new domain without being connected to it? What I really need to be able to do is use my cached profile for the domain. The profile I had for the workgroup does not have the same shortcuts, etc. and now I can't access all my programs. I figure once I am physically connected to the domain I will be able to change the setting back to the domain name, but until then is there any way to access that cached profile?
Sorry to bring my problems to you guys, but I am sure that there are many people here much more knowledgeable in Win2K than I.
_________________________
F0X 3xMkIIa

#110842 - 13/08/2002 16:06 Re: HELP Win2K logon and profile related [Re: F0X]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
You need to get your sysadmin involved probably.

See, it's not enough to just have a USER account on the domain. When an NT computer joins a domain, it also has a MACHINE account which is negotiated with the domain controller. This machine account is part of the security layer that maintains the "trust relationship" between the domain's security database and your PC's security database.

When you disconnect from the domain by switching it to a workgroup, you invalidate the machine account and a new one must be created under a new name (or the old one deleted and re-created). Only someone with the proper privilege (the "add workstations to the domain" privilege) can create a new machine account.

This is also a problem when people use DriveImage to create a backup of their OS after they have joined the domain. That machine account's password gets auto-re-negotiated weekly, and if you restore a backup of the OS from more than a week ago, it uses the old invalid password and the account no longer works.
_________________________
Tony Fabris

#110843 - 13/08/2002 16:56 Re: HELP Win2K logon and profile related [Re: tfabris]
F0X
member

Registered: 31/03/2002
Posts: 100
Loc: Alberta, Canada
What you say makes sense, and I can see that it is a security issue, how come it would allow me to use a cached profile while I was not connected to the domain before? Then I was not able to negotiate with the domain controller either. It just used a cached profile and warned me that the changes I made would not be saved, as it could not connect to the domain. It would then let me use my cached profile though. Now it will not let me access that profile again.
Does the machine account stay validated as long as nothing is changed with regard to the domain settings, or does it have to be validated at every logon? If it has to be validated every time, then how do cached profiles work? Like I said, I don't really have a good enough knowledge of this stuff, and a little knowledge proved to be a very dangerous thing.
Thanks for the help.
_________________________
F0X 3xMkIIa

#110844 - 13/08/2002 19:09 Re: HELP Win2K logon and profile related [Re: F0X]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Windows has a limitation in that it cannot be a member of more than one domain or workgroup at a time. And if you change its membership, it throws the old membership information away. And a user on one domain is not the same user as one with the same username on another domain; they're as separate as if they had two totally different usernames.

So it's not so much a security issue at its base as much as an arbitrary limitation. Of course, some could argue that limiting the computer to one membership might be for security reasons, too, and I wouldn't argue; I'm already thinking about it too much.
_________________________
Bitt Faulk

#110845 - 13/08/2002 19:23 Re: HELP Win2K logon and profile related [Re: wfaulk]
F0X
member

Registered: 31/03/2002
Posts: 100
Loc: Alberta, Canada
It seems that there is the possibility of having it set up for multiple domains, you just can't be logged into more than one at a time. In the login drop-down box there used to be a few different domains. At login, I could choose what domain to log into. The problem is that when I changed over to a workgroup, it lost all of the domain options in the login box. Then when I went back into Network Identification to put it back to domain (so that I could access my cached profile) it would not allow me to enter the domain name. When I tried to enter the domain name, it just stated that it could not find the domain, and it would not allow me to change that property even though I had a cached profile for that domain.

I was able to temporarily fix my problem though. What I did was log in locally as the Administrator and create a local account. Then, I copied the entire contents of the cached profile (C:/documents and settings/{username}/) to the newly created account profile. I rebooted and logged in as the new user, and everything looked just like it used to, before all this mess.

I realize, however, that this is a very temporary fix, and that I need to get the domain account working properly ASAP (when I can physically connect to the domain network). Any changes I make with the account will not be updated to my normal domain-enabled profile.
Why does this have to be so complicated?
_________________________
F0X 3xMkIIa

#110846 - 13/08/2002 19:33 Re: HELP Win2K logon and profile related [Re: F0X]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
    Why does this have to be so complicated?
Because it's Windows and it thinks that it's smarter than you are.

What do you want me to do incorrectly today?
_________________________
Bitt Faulk

#110847 - 14/08/2002 09:28 Re: HELP Win2K logon and profile related [Re: F0X]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
    What you say makes sense, and I can see that it is a security issue, how come it would allow me to use a cached profile while I was not connected to the domain before?

Because that's just talking about your local profile (basically your desktop, wallpaper, and start-menu), not the security trust relationship between the workstation and the domain controller. Two different issues.
_________________________
Tony Fabris
