***************************************

From almost any NT machine you can get the connectivity needed to administer other NT machines and domains, regardless of which account you logged on to your own machine with. What you lose is whatever is tied to logon automation (logon scripts, home drives, policies, etc.); everything except policies can be done manually. The approach is:

1) Permanently configure the laptop in whichever mode best fits your normal usage (e.g. stand alone, or as a member of your office domain).

2) Always log on to the laptop with the same account (domain and user).

3) When you need to connect to a machine that does not recognize your logon account (or does not grant it the necessary privileges), use NT's 'Connect As' (or 'net use ... /user:') to specify the appropriate account for your initial connection. NT keeps a single session (over one NetBIOS session) for all traffic between two systems and authenticates it once, so every later connection to that remote machine (until you close all connections to it) is made as the specified account; trying to open a second connection to the same machine with a different account is refused with system error 1219 (multiple connections by the same user, using more than one user name, are not allowed). Since most MS networking functions (pre NT5) use NetBIOS for connectivity, this means that if you then connect to the remote machine with one of the administrator tools (e.g. User Manager for Domains), you will have whatever rights are assigned to the specified account.

Note. You can avoid the need to use 'Connect As' by creating duplicate local accounts (same user name and same password) on the remote machine. Keep in mind that this is deliberate password reuse across separate account databases: a password change has to be repeated on every machine, and a compromise of one copy is a compromise of all of them.

For example, let's say I have:

AcctDom: My office accounts domain.
MyPC: My laptop. A member of AcctDom
AcctDom\JDoe: My normal logon account for MyPC.

RD1: A resource domain that trusts AcctDom. AcctDom\JDoe is a member of
the local Administrators group on every member of RD1 (including its DCs)
RD1Srv1: A member server in RD1

RD2: A resource domain that does not trust AcctDom.
RD2\JDoe: An account in RD2. A member of RD2\Domain Admins.
RD2Srv1: A member server in RD2
RD2Srv2: A member server in RD2.
RD2Srv2\JDoe: A local administrator account on RD2Srv2.

Srv1: A stand alone server.
Srv1\Adm1: A local administrator account on Srv1

 

To administer accounts on RD1Srv1, I need only open UMFD (User Manager for Domains) and point it at RD1Srv1 (e.g. 'usrmgr \\RD1Srv1'). RD1Srv1 recognizes my logon domain (AcctDom) as a trusted domain and passes the logon to an RD1 domain controller, which passes it through to an AcctDom DC. Once AcctDom has validated the account, the connection is established and I have full rights to administer the accounts on RD1Srv1 (AcctDom\JDoe is an administrator on every member of RD1).

Similarly, if I want to administer RD1's own accounts, I run 'usrmgr RD1'. The RD1 PDC recognizes the logon domain and passes validation through to an AcctDom DC.

If I want to administer RD2 accounts, I run 'usrmgr RD2'. The RD2 DC does not recognize my logon domain as trusted (RD2 doesn't trust AcctDom), so it checks its local account database (on a DC this is the domain's account database) for a matching user name. Since one exists (RD2\JDoe), it checks the password I supplied against that account. If it matches, the connection is made and I have the rights of RD2\JDoe. If it doesn't match, I am prompted for other credentials and need only supply RD2\JDoe with the correct password.

If I want to administer accounts on RD2Srv1, I must first establish a connection specifying the RD2 account. So I run 'net use \\RD2Srv1\c$ /user:RD2\JDoe' and give the appropriate password when prompted (connecting to IPC$ instead of C$ works just as well and does not require administrative access to the share). Now I run 'usrmgr \\RD2Srv1'. UMFD rides the existing session, so I have the rights of RD2\JDoe (an RD2 domain admin).

If I want to administer accounts on RD2Srv2, I can follow the same procedure I used for RD2Srv1, or I can skip the initial connection and just run 'usrmgr \\RD2Srv2'. Since there is a JDoe account in RD2Srv2's local account database, I will be validated as that account (assuming the passwords match).

If I want to administer accounts on Srv1, I use the same procedure as with RD2Srv1, except that I specify Srv1\Adm1 for the initial connection and then run 'usrmgr \\Srv1'.

 

Note. You can automate a lot of this through the use of batch files like:

@echo off
:logon
rem Prompts for RD2\JDoe's password and retries until the connection is made.
net use \\RD2Srv1\c$ /user:RD2\JDoe
if not %ERRORLEVEL%==0 goto :logon
rem usrmgr is a GUI program; wait for it to close before dropping the session.
start /wait usrmgr \\RD2Srv1
net use \\RD2Srv1\c$ /delete

If you want to get fancy, you could even write a script that checks for existing connections to that machine and removes them before establishing the new one (in case you were already connected with different credentials, which would otherwise make the new connection fail).
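Here is that "fancy" version, written out as an added example (it is not from the original page). It makes the single-session rule from step 3 concrete: it drops every existing connection to the target first, because a second connection under different credentials is refused with system error 1219 and UMFD would otherwise ride the old session as the old account. It then connects via IPC$ as the requested account with a bounded number of password attempts, runs UMFD, and tears the session down afterwards. The script name 'adminas.cmd' is mine, the server and account names are the hypothetical ones used above, and it assumes a Windows 2000 or later cmd.exe for the 'for /f', 'set /a' and 'if /i' extensions (on NT 4 you may have to simplify those parts).

```batch
@echo off
rem adminas.cmd  -  added example, not part of the original page.
rem Usage:  adminas.cmd \\RD2Srv1 RD2\JDoe
rem Assumes a Windows 2000 or later cmd.exe (for /f, set /a, if /i).
rem Server and account names are the hypothetical ones used above.
setlocal
set TARGET=%1
set ACCOUNT=%2
if "%ACCOUNT%"=="" goto usage

rem Host name without the leading backslashes, used to match "net use" rows.
for /f "delims=\" %%h in ("%TARGET%") do set HOST=%%h

rem 1. Drop every existing connection to the target, whatever account it was
rem    made with. A second connection under different credentials would be
rem    refused with system error 1219, and tools like UMFD would otherwise
rem    ride the old session as the old account. "net use" prints one row per
rem    connection; the UNC remote name is in column 2 or 3 depending on
rem    whether a drive letter is mapped, so :drop looks at all three.
for /f "tokens=1-3" %%a in ('net use') do call :drop %%a %%b %%c

rem 2. Open one new session as the requested account. IPC$ needs no share
rem    rights (C$ requires administrative access). The password is prompted
rem    for; give up after three failed attempts instead of looping forever.
set TRIES=0
:logon
set /a TRIES=%TRIES%+1
if %TRIES% GTR 3 goto failed
net use %TARGET%\IPC$ /user:%ACCOUNT%
if errorlevel 1 goto logon

rem 3. UMFD reuses that session, so it runs with the rights of %ACCOUNT%.
rem    It is a GUI program: wait for it to exit before tearing down.
start /wait usrmgr %TARGET%

rem 4. Delete the session so a later "net use" or "usrmgr" against the same
rem    machine does not silently run as %ACCOUNT%.
net use %TARGET%\IPC$ /delete
goto :eof

:drop
rem Delete any argument whose first backslash-separated field is the target
rem host, i.e. a remote name of the form \\HOST\share. Status words, drive
rem letters and provider names never match, so they are left alone.
for %%t in (%1 %2 %3) do for /f "tokens=1 delims=\" %%x in ("%%t") do if /i "%%x"=="%HOST%" net use %%t /delete /y
goto :eof

:failed
echo Could not connect to %TARGET% as %ACCOUNT%.
goto :eof

:usage
echo Usage: %0 \\server DOMAIN\user
```

Run it as 'adminas.cmd \\RD2Srv1 RD2\JDoe' (or '\\Srv1 Srv1\Adm1' for the stand alone server). The teardown at the end matters for the same reason the cleanup at the start does: while the IPC$ connection exists, every tool you point at that machine runs as the connect-as account, whether you meant it to or not.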

***************************************