First, understand this:
A member of the local Administrators group can do anything at all on the local machine. The built-in Administrator account is a member of the local Administrators group.
Second, understand what exactly happens when a machine joins a domain.
Who can join a PC to a domain:
1. He must be a member of the local admin group.
2. He must be a member of a domain group that has rights to add machines to the domain - usually this is the domain admin group. This right is needed because a security account for the machine must be created in the domain when the machine joins the domain. If you are only a local admin, you cannot join a machine to a domain, unless the domain admin has already created the machine account for you beforehand (with the same machine name).
Note that domain groups do not reside on any local machine; they reside on the domain controller/Active Directory.
That's why, when you set up a new machine and join it to a domain, it prompts you for another username/password. This user must be able to add a machine to the domain (i.e. create a machine account in the domain).
Similarly, a local admin can disjoin his machine from the domain. But if he does not have rights to remove the machine account from the domain, the machine account is still there even after the disjoin. Next time, the local admin can join it again without the help of the domain admin, because the machine account wasn't deleted last time. If a domain admin disjoins the machine, the machine account is gone. Rejoining needs "add to domain" rights again.
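The steps above (local admin check, domain-side right to create the computer account, the second credential prompt, unjoin with and without a domain credential) as a PowerShell walkthrough. This is an added example, not code from the original post; the domain name corp.example.com, the machine name PC01 and the OU path are assumptions, and the AD cmdlets assume the ActiveDirectory RSAT module is installed where they run.

```powershell
# Added example, not part of the original post. Assumed values:
$Domain       = 'corp.example.com'                           # assumed domain
$ComputerName = 'PC01'                                       # assumed machine name
$TargetOU     = 'OU=Workstations,DC=corp,DC=example,DC=com'  # assumed OU for new accounts

# 1. Local side: whoever drives the join must be a local Administrator on this machine.
function Test-IsLocalAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Domain side: an account must be allowed to create the computer object.
#    By default any authenticated user may create up to ms-DS-MachineAccountQuota (10)
#    computer objects; with the quota at 0, or once it is used up, the join needs an
#    account with delegated "Create Computer objects" rights (Domain Admins has them).
function Get-MachineAccountQuota {
    $dn = (Get-ADDomain -Server $Domain).DistinguishedName
    (Get-ADObject -Identity $dn -Server $Domain -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Is there already a computer account with this name (e.g. left behind by an earlier unjoin)?
function Test-ComputerAccountExists {
    param([string]$Name)
    $null -ne (Get-ADComputer -Filter { Name -eq $Name } -Server $Domain -ErrorAction SilentlyContinue)
}

# Pre-staging: a domain admin creates the account ahead of time, so a user who is only
# a local admin can later join a machine with exactly this name.
function New-PrestagedComputer {
    param([string]$Name, [string]$Path)
    New-ADComputer -Name $Name -Path $Path -Enabled $true -Server $Domain
}

# 3. The join. The "other username/password" the post mentions is -Credential: AD checks
#    that account's rights, not those of the local admin running the command.
function Join-Machine {
    if (-not (Test-IsLocalAdmin)) { throw 'Run this as a local Administrator.' }
    $cred   = Get-Credential -Message "Account allowed to add $ComputerName to $Domain"
    $params = @{ DomainName = $Domain; Credential = $cred; Restart = $true }
    # -OUPath only makes sense when the object does not exist yet; a pre-staged account is reused as-is.
    if (-not (Test-ComputerAccountExists -Name $ComputerName)) { $params.OUPath = $TargetOU }
    Add-Computer @params
}

# 4. The unjoin. Without a domain credential only the local side changes: the computer
#    object stays in AD, which is why a later re-join with the same name needs no extra
#    rights. With -UnjoinDomainCredential the object is disabled (not deleted); deleting
#    it is a separate AD operation, Remove-ADComputer, that needs rights on the object.
function Remove-DomainMembership {
    param([switch]$DisableAccountInAD, [switch]$DeleteAccountInAD)
    $params = @{ WorkgroupName = 'WORKGROUP'; Force = $true; Restart = $true }
    if ($DisableAccountInAD -or $DeleteAccountInAD) {
        $domainCred = Get-Credential -Message "Domain account with rights on $ComputerName"
        $params.UnjoinDomainCredential = $domainCred
        if ($DeleteAccountInAD) {
            Remove-ADComputer -Identity $ComputerName -Server $Domain -Credential $domainCred -Confirm:$false
        }
    }
    Remove-Computer @params
}

# Typical flows:
#   Domain admin, on a management host:   New-PrestagedComputer -Name $ComputerName -Path $TargetOU
#   Local admin, on the workstation:      Join-Machine
#   Local admin only:                     Remove-DomainMembership            (AD object untouched)
#   With domain rights:                   Remove-DomainMembership -DeleteAccountInAD
```

Run the local checks and Add-Computer/Remove-Computer on the workstation itself, and the Get-AD*/New-ADComputer/Remove-ADComputer calls from an account that actually holds the corresponding AD rights; none of them succeed on local admin membership alone, which is the point the post makes.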
Problem connecting using the domain method
All replies:
• Problem connecting using the domain method CONT. - f64 - 04/09/2004 12:16:43
• Problem connecting using the domain method CONT. - f64 - 04/09/2004 12:24:50
• Problem connecting using the domain method CONT. - f64 - 04/09/2004 12:39:02