[dba-Tech] Kill a Workgroup and Replace it with a Domain

Haslett, Andrew andrew.haslett at ilc.gov.au
Mon Mar 6 20:34:38 CST 2006


Oops, so my recommended steps would basically be:

* Upgrade your server to a DC (DCPromo).
* Create a User account for each of your users (with Roaming Profile
stored on your file server).
* Create a Group called 'WorkStationAdministrators' (see below)
* Create any other Groups required for restricting access to the
filesystem as required.
* Apply group restrictions to the filesystem on your server as required
(i.e. to your users' directories).
* Add each machine to the domain (you do this from each machine
individually)
* Add the WorkstationAdministrators Group to the Local Administrators
group on each machine.

By doing this you can then add the users you wish to the
'WorkstationAdministrators' group in Active Directory, and these users
will have admin privileges on the machine they are logged into. You
could also do something similar with slightly less privileges and place
them in the 'Power Users' group on the local machine instead of the
Local Administrators.

The only other thing to consider is that machines can only be a member
of one domain (at a time). So those users that bring their own laptop (I
assume it's their own?) will have to be a member of your domain to get
all this neat stuff to happen. I.e. they will still be a member of your
domain when they take their machine home - which is not a huge issue as
they should already have 'local' accounts on their laptops that they
will still be able to log into.

Clear as mud?


 

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Haslett,
Andrew
Sent: Tuesday, 7 March 2006 12:51 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Kill a Workgroup and Replace it with a Domain

There's really no such thing as 'Nuking the workgroup'.

Basically, if you're not part of a domain, then you're in a workgroup.
But being part of a 'workgroup' really means nothing.  It doesn't
functionally do much at all. 

The only issue you're going to have out of those below, is access to
emails from every machine.  It means you'll have to place your mail
folders at a central location.  How are they accessing it currently?  I
assume you're not using exchange.

A 

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Arthur
Fuller
Sent: Tuesday, 7 March 2006 11:49 AM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Kill a Workgroup and Replace it with a Domain

I have one machine that is running Windows 2003 Server, but it so far is
defined as part of the workgroup. How can I nuke the workgroup and then
retroactively set up this box as the primary domain controller? In the
short term, I don't care that while I reorganize everything I lose
connectivity to the ancillary boxes, because that's all they are --
ancillary. So I feel quite free to nuke the workgroup, then create the
domain and establish this box as the primary domain controller, then
create the required users and then bring each box into the domain.
I don't want to digress, but we are venturing close to the topic about
what I really want, whose one-word answer I have been led to believe is
ActiveDirectory. What I really want is that any of the known users be
able to sit at any computer and login and have her Outlook file, her
Favourites, Recent Documents list, etc. etc. available at once. I have
lived on systems set up like this, but I didn't set them up and I have
no idea how it's done.
But that is my ultimate goal: 10 users, 3 of whom bring notebooks and
connect via the wireless router, and the system knows who they are and
knows which directories are available to them, etc. 
In the case of the latter 3, who are all clients, they should be able to
access their client-specific directory on the server, and a few other
directories, but not the whole world.
In the case of, let's call them resident-users, of whom there are 8,
they should be able to see their own data plus selected directories
located here and there. Two of these 8 are fictional persons that I
created to test the functionality of limited access. One is a user and
the other is a developer (the latter so I can test VSS, Visual Studio
2005's concept of partial classes, etc.).
Exactly two persons (me and my trusted colleague) can see everything
everywhere.
The immediate problems, I surmise from your reply, are:
1. nuke the workgroup;
2. retroactively reconfig the W23Server box to be the primary domain
controller.
I need help with both these steps.
Thanks!
Arthur
-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Stuart
McLachlan
Sent: March 4, 2006 7:45 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Kill a Workgroup and Replace it with a Domain

On 4 Mar 2006 at 19:20, Arthur Fuller wrote:

> Way back when, I set up my home network, back when I knew even less
> than I do now, which is almost nothing. When it asked if I wanted to
> set up a domain, I assumed that it meant an internet domain, which I
> didn't have, so I chose Workgroup. I would now like to change this, and
> ultimately arrive at an Active Directory solution, replete with roaming
> profiles, so that no matter which box I am on, I see the same Outlook
> files, the same shortcuts, etc. In short, how do I get from here to
> there? Should I just remove everyone from the workgroup, then destroy
> the workgroup, then create a domain, then add the boxes to the domain,
> and finally add the users? If not this, then what?

Assuming that you are using workstation OSs (2KPro, XPPro), you will
need to upgrade the OS on one machine to a Server version or instal a
new server with the appropriate OS.  When you do the update, you set up
that machine as the Primary Domain Controller.

You then create user accounts on that server for all of your users.

Once you have the domain controller set up, on each workstation  change
the Network properties to be part of a domain and enter the domain name.
Then just follow the prompts to connect.

> I have tried a few googles and got nowhere useful. One more thing. I
> have purchased a wireless router, but not yet set it up. The intended
> purpose of this box is to allow immediate access to my network to
> several selected people only: clients and colleagues. I want a client
> to be able to visit, turn on her notebook and immediately have access
> to my network -- not complete unfettered access, of course, but access
> to areas of interest to her.

As long as you are using NTFS on all machines, once you have set up a
domain with a PDC, you can restrict access to any resource on any
machine based on the user logon. Using wireless access to your network,
if they have the relevant encryption key, they will be able to log on to
your network and use whatever resources you have made available to them.

> The list of clients/colleagues is small; less than 10 -- and the only
> way they will ever access the network is by bringing their notebooks
> here. In addition to the clients/colleagues, there are 4 others to
> whom I want to give roaming profile abilities, so they can log in to
> any available box and see their stuff and not see the stuff to which
> they have no access.

Again, this will all happen automagically once you set up a domain
controller and user access rights.

--
Stuart

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
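
The last step in the list at the top of this message (adding the domain group to the local Administrators group on each machine), as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts cmdlets, which postdate this thread; the domain name EXAMPLE is a placeholder. Besides adding the group, it lists every other member of local Administrators so that unintended admin rights on a workstation are visible.

```powershell
# Added example: run from an elevated prompt on each domain-joined workstation.
# 'EXAMPLE' is a placeholder NetBIOS domain name; the group name is the one
# used in the thread.
param(
    [string]$Domain     = 'EXAMPLE',
    [string]$AdminGroup = 'WorkstationAdministrators'
)

$ErrorActionPreference = 'Stop'
$target = "$Domain\$AdminGroup"

# Look up local Administrators by its well-known SID so the script also
# works on non-English Windows, where the group has a localized name.
$localAdmins = Get-LocalGroup -SID 'S-1-5-32-544'

# Add the domain group only if it is not already a member (idempotent).
$members = @(Get-LocalGroupMember -Group $localAdmins)
if ($members.Name -notcontains $target) {
    Add-LocalGroupMember -Group $localAdmins -Member $target
    Write-Output "Added $target to $($localAdmins.Name)"
    $members = @(Get-LocalGroupMember -Group $localAdmins)
} else {
    Write-Output "$target is already a member of $($localAdmins.Name)"
}

# Members expected after a domain join:
#   RID 500 = the built-in local Administrator account
#   RID 512 = Domain Admins (added automatically when the machine joins)
#   plus the group managed above.
# Anything else holds admin rights outside the group-based scheme.
$unexpected = $members | Where-Object {
    $_.Name -ne $target -and $_.SID.Value -notmatch '-(500|512)$'
}

if ($unexpected) {
    Write-Warning "Other members of $($localAdmins.Name) on $env:COMPUTERNAME :"
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource,
        @{ Name = 'SID'; Expression = { $_.SID.Value } }
} else {
    Write-Output "No unexpected local administrators on $env:COMPUTERNAME"
}
```

Admin rights on workstations are then granted or revoked by changing membership of the domain group in Active Directory, with no further changes on the machines themselves.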

