Local Profiles on a PC in Active Directory

Solved

all931 Posted messages 103 Status Member -
Anonymous user - 14 Jun 2013 at 15:45

Hello,

I would like to create a local account on a machine in my company that is part of the domain. I know how to do it, but the thing is that when I go to the screen where you need to enter the credentials to access an account, Windows defaults to the domain name. So, to access the local account, I have to enter COMPUTER_NAME\user or .\user. It's not an issue for me, but for a regular user, they will never know how to log in and will just pollute our hotline. Additionally, I've noticed that the Windows Admin 0 account is automatically set to local.

That's about it.
Thanks for your feedback.

Configuration: Windows 7 / Chrome 22.0.1229.96

3 answers

Answer 1 / 3

Anonymous user

Hello,

In principle, in the login window, there is an "Advanced" option, it seems to me (or a similar expression). So, a choice is offered (either the domain or the client machine). You select the name of the PC and from then on the account logs in directly locally (at least, that’s how it was under XP and W7).

But, from memory, it seems to me that if the domain is not found, and a local profile exists (you just need to create one once for all), the PC automatically switches to this local profile when the domain is not reachable (that’s how laptops work in companies, especially for salespeople who often "go out" of the network).

As for the admin account, in principle, you have two... the local admin account and the network admin account. One is actually called administrateur@mon-pc and the other administrateur@mondomaine.com (check in the server's LDAP for its full name). Again, the one that gets executed depends on your choice (domain or local). Under W7, the local administrator is not activated by default on a client machine. You have to use the net user command...

It's up to you to see your situation.

all931 Posted messages 103 Status Member 9

Yes, yes, the account is well created and I have already logged in to cache it, so that’s fine. I will check with the administrators in the AD as I don’t have access to all that.

To get back to my problem, I am not stuck logging in; I can do that (whether or not the network cable is plugged in), but every time I have to enter nom_du_pc\nom_utilisateur. I’m fine with that, but the users, well, not so much, and I would like them to be able to enter only nom_utilisateur and their password without having to specify if it’s on the domain or locally. Poor things, they already don’t understand much, so if we ask them that, they’ll be lost! :D

Anonymous user

Je suis prêt à traiter le texte. Veuillez fournir le contenu à traduire.

all931 Posted messages 103 Status Member 9

Yes, I understand where you were coming from, except that it's not necessarily AD users for me. It's a workstation in a conference room where there may be users from our AD but also external contractors without AD accounts. Generally, we create a local account to manage this with a (generic) password distributed to the contractors or the reception agents so they can at least log in to Windows to present their PowerPoint and everything. However, to access this account, it's imperative to enter the machine name before the login; if we don't do that, the machine ejects us because it tells us that the account doesn't exist in the domain (which is normal since this account is created locally on the PC). So I would like Windows to correlate between locally created accounts and accounts on the domain.
I don't know if we can put screenshots here?

Anonymous user

OK. You created a local account called toto that is outside the AD, if I understood correctly. But then, at the time of login, you must have an "options" line that allows you to choose whether to log in locally or to the domain. You just have to choose, which avoids having to type complicated combinations.

Because I don't believe (to my knowledge) that your client can switch from network to local by itself... Moreover, a machine like this, used for "standard" operations, can simply be removed from the domain... it can have a dual boot depending on the need (member of the company / external contractor)... there are multiple solutions.

all931 Posted messages 103 Status Member 9

Yes, that's it. We also have the admin account 0 that is activated, the default one is disabled, so we activate it, rename it, and we use this account for installations, etc. And this account, when I log in, for example as an administrator, when I tab down in the password field, it automatically changes from domain.prod to computer_name, whereas accounts created manually in local do not change automatically. After that, I can indeed do the dual boot, good idea.

Thank you and have a good weekend, I will get back to this on Monday :)

Answer 2 / 3

all931 Posted messages 103 Status Member 9

Hi,

so if I try to unplug the network cable to put it in a situation, if I enter the user login and the password nothing happens, it stays on the domain and of course if I click on connect it throws me out,

well, it's not dramatic, but it would have been a plus for us in front of the users, so well,

I'm marking the discussion as resolved and if one day I find a solution I'll post it :)

anyway, thanks for the response, it has, believe it or not, helped me move forward,

thank you

Anonymous user

Hello,

I remind you that the account must exist on the concerned client for it to work (so the user must have already logged in and their profile must be present in the cache).

Nevertheless, check in the server's AD (computer configuration > Windows settings > security settings > local policies > security options) that a checked option is not blocking local access in case of domain failure (the "cached domain credential" option must not be set to 0).

Then perform the same check in the client's GPO (gpedit.msc) in case the machine itself is causing the blockage.

Discussion on the topic here:

http://www.forum-microsoft.org/ftopic71605.html

Anonymous user

Another lead for you:

https://www.passcape.com/domain_cached_passwords

Answer 3 / 3

tempusus Posted messages 42 Registration date Status Member Last intervention 16

Hello,

Just for my personal knowledge, what is the benefit:

- of using a local account on a domain machine?
- of using the local administrator account when you are on a domain?

It may seem logical to you, but I would like to understand how you analyze it :)

--
Best regards,
Tempusus

all931 Posted messages 103 Status Member 9

Ahaha I must admit that it seems insane what I’m saying but very precise too much even, it’s complicated how we are organized as well, we don’t have access to the admin account just the local admin of the machines and using a local account on a machine in the domain for external users who don’t have a computer and just a USB stick for example yes that’s how it is for us they don’t overthink it it’s a free-for-all anyway, our agents with their account can connect and agents outside the AD as well ^' ,

There you go!

all931 Posted messages 103 Status Member 9

Under XP, it's well done because you can choose, but in Seven you can't, and I don't know why.

tempusus Posted messages 42 Registration date Status Member Last intervention 16

all931: I'm asking the question like this but well:
- Are you using GPOs? If so, you can create a "client admin" account and assign rights through a security GPO. This way, there's no need to use the local admin account.
- Do your externals need to use a PC? Why not create a specific AD account? For example, in a meeting room, a MeetingUser with very limited rights.

The use of local accounts is clearly not a good idea as it requires local manual management, which is totally opposed to domain management.

=> Domain admin rights are not necessary to manage all of this.

Tempusus

Anonymous user

Just for my personal knowledge, what is the purpose:

- of using the local administrator account when you are on a domain? : Sometimes, it can be useful when a PC can no longer find the domain (quite common) and needs troubleshooting (if only to remove the PC from the domain). It can also be useful in large networks, when user accounts are "identical," to allow a regular user to install a program they need locally (let’s say it avoids creating a multitude of specific accounts). But it's true that apart from that, it’s not very useful.

- of using a local account on a domain machine? Not useful, indeed. Personally, for this kind of use (PowerPoint or the like), I would just take a PC off the domain, without a user account. A ghost image would allow for regular restoration of the machine.

tempusus Posted messages 42 Registration date Status Member Last intervention 16

ikewdu: I do not question the usefulness of the local administrator account, but for day-to-day management, using it is extremely cumbersome. However, I do not understand the second part of your opinion: It is sometimes also useful in large networks, when user accounts are "identical", to allow a regular user to install a program that they need locally (let's say it avoids creating a multitude of individual accounts). But it's true that apart from that, it doesn't really serve much purpose. As far as I'm concerned, I manage several hundred machines across multiple countries, and I very rarely need the local admin account.

For the local account, taking the machine out of the domain is sometimes complicated, especially if:
- you have a centralized antivirus
- you have a proxy
- a WSUS type server
- domain users who need the machine
And I am not listing everything, it would be too long.

Local Profiles on a PC in Active Directory

3 answers

System restore from bootable windows 11 usb drive

Adobe reader pdf

Signal cable not detected on iiyama monitor

Windows 11 microphone issue

Read .doc or .docx files in libreoffice

File with some lines merged and others not

How to leave a review for a product purchased on groupon?

Bose acoustimass 300 subwoofer won’t connect anymore

Auto-fill

Unblock the thomson thb330 blu-ray/dvd player