New To AD... Some Questions And Problems

Thanks, I'll try this tonight.

I have some more questions regarding AD. I've just set up a separate server as my DC.

I have edited the default policy and default domain policy and disabled password complexity requirements, but it still requires a password length etc. I also tried to "enforce" these policies with no luck.

Another thing, do I have to have the Domain Controller set as the DNS server in order to join the domain? Or does the DNS server just have to be on the domain as well, or in the forest?

For example, I have my DC at 192.168.2.230 and say I am using the router as my DNS server, 192.168.2.1. Will I be able to join the domain? Because this doesn't seem to work.

And lastly, for now :) I have joined a few clients to the domain, however when logging in, it logs in as COMPUTERNAME/USERNAME, not DOMAIN/USERNAME.

How do I set up my DC so that when a computer is joined to my domain, it adds the credentials automatically for that computer and the default login is to the DOMAIN, not the local computer?

Hope this makes sense!!

Thanks!!
 
I think I will write a tutorial / explanation regarding policies in Windows domains. There's a lot of confusion, and troubleshooting these problems is a really hard task. First of all you must determine which policies are applied to that group / OU / user, then you can start troubleshooting. So, open gp manager and run a RESULTANT GROUP OF POLICY and select the computer / user. Once finished you can easily see which policies have been applied; in case of an error (permissions) you will see "ACCESS DENIED" or something like this.

Good question. THEORETICALLY no, you just need a common DNS with the needed records (_ldap, _tcp, ...), so your router cannot do this (you can't add DNS entries). Practically --> mhhh, more or less. You can set up a DNS server BEFORE and then create a domain. In this way dcpromo should create the entries for you, but anyway you will always have a local DNS, and the client's DNS can also be another one (different from your DC).

Mhh, no idea. Usually when a PC joins a domain correctly you are prompted to enter the domain's credentials. If you write domain\username, does it work?
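Added example, not part of the thread: a PowerShell check of whether a given DNS server can answer the SRV lookups a client uses to find a domain controller, which is the point of the DNS reply above. The two addresses are the ones quoted in the question; `deano.local` is a placeholder domain name, and `Resolve-DnsName` is assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Added example. Assumed values: deano.local is a placeholder domain name;
# the two server addresses are the ones quoted in the question.
$Domain     = 'deano.local'
$DnsServers = '192.168.2.230', '192.168.2.1'   # the DC and the router

# SRV records a client looks up to locate a domain controller.
$SrvNames = "_ldap._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.$Domain",
            "_kerberos._tcp.$Domain"

$results = foreach ($server in $DnsServers) {
    foreach ($name in $SrvNames) {
        # Ask the named server directly instead of the client's configured resolver.
        $answer = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly `
                      -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'SRV' }

        [pscustomobject]@{
            DnsServer = $server
            Record    = $name
            Found     = [bool]$answer
            Targets   = ($answer | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', '
        }
    }
}
$results | Format-Table -AutoSize

# A DNS server is usable for the join only if every record resolves through it.
$results | Group-Object DnsServer | ForEach-Object {
    $missing = @($_.Group | Where-Object { -not $_.Found })
    if ($missing.Count -eq 0) {
        '{0}: all SRV records found' -f $_.Name
    } else {
        '{0}: missing {1}' -f $_.Name, ($missing.Record -join ', ')
    }
}
```

A server that reports missing records can still be used by clients if it forwards the domain's zone to a DNS server that holds them.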
 
OK, I managed to log on to the domain with a client as DOMAIN/USER. Worked fine, took a while though :S

So, how can I change this damn password to not require complexity requirements? I have set the policies, so do I need to assign the policies to the user now?

Also, lastly, can I set it so the domain to automatically create a user for the local user account? Or do I need to manually add it?

Thanks again, Learning lots :) :) :)
 
Check all of your GROUP POLICIES to see if somewhere there's the policy "Password must meet minimal complexity requirements".

I don't understand what you mean by "can i set it so the domain to automatically create a user for the local user account? or do i need to manually add it?"
 
Yes, I have disabled the "password must meet minimum complexity requirements" in both the DOMAIN profile and DOMAIN CONTROLLERS profiles. Yet I am still unable to use any password unless it contains capitals and numbers etc.

What I mean by this is... if I have someone join my domain, say a staff member joins my company and needs to join the domain. Do I NEED to add that user as a user on my DC manually? Obviously I need to add the PC to the domain, then do I need to access the domain controller and manually add the user there?

I'm guessing I do it manually, otherwise this would be a security issue. Just wondering though.

A few more little questions :)

Right now, any user on the DC can access any PC on the domain using their username via RDP.

How do I disable this, just disable remote connections for the user? But then say I want to allow a user to RDP into their machine only, with their username only working on THEIR PC.

So in other words, assign a USER to a COMPUTER in the DC.

Thanks!
 
Run "gpupdate /force" and then a resultant group policy in order to establish WHICH policy is applied to "block" the password.

Well, there are different scenarios. When you join a domain you need an admin (domain admin) account to join the WS; once there, well, you don't have to have a specific account, you can also have one account for 1000 users, stupid but possible. Maybe what you want to know is: "Can I log in to the domain without creating a user first?" No, you can't. Let's say you have a LOCAL account (DeanoLocal) on your computer (DeanoLocalPC), and now you join the domain deano.local. Now you have 1 account and TWO domains:
- DeanoLocalPC\DeanoLocal (local account)
- deano.local

As you can see, the DEANOLOCAL account exists on that workstation (workgroup DeanoLocalPC), not on the domain! So you must create another account at domain level.
After that you can of course copy the local profile to the domain profile, but basically you need a domain account.


No matter if you are using terminal services or just RDP, usually there's a group on the domain called TERMINAL SERVER USERS. Add this group as permitted on your terminal server (or where people log in) and they will not be able to log in to the other servers. Regarding workstations, you can basically do the same thing, but this time you configure this in the remote access settings (computer > right-click > properties), adding the user.
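Added example, not part of the thread: a PowerShell version of the "gpupdate /force, then resultant policy" advice for the password complexity problem, showing what the domain enforces and which GPO linked at the domain root defines the setting. It assumes the ActiveDirectory and GroupPolicy modules (RSAT, or run on the DC), uses `deano.local` as a placeholder domain name, and assumes the GPO XML report names the setting `PasswordComplexity`.

```powershell
# Added example; run on a domain controller or a machine with RSAT installed.
# Assumption: deano.local is a placeholder domain name.
Import-Module ActiveDirectory, GroupPolicy
$Domain = 'deano.local'

# Refresh policy first, as the reply suggests.
gpupdate /force | Out-Null

# 1. What the domain currently enforces for domain accounts.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge

# 2. Domain account password policy is read from GPOs linked at the domain
#    root, so list those links (Order 1 has the highest precedence).
$root  = (Get-ADDomain -Identity $Domain).DistinguishedName
$links = (Get-GPInheritance -Target $root -Domain $Domain).GpoLinks

# 3. For each linked GPO, report whether it defines the complexity setting.
#    Assumption: the XML report names the setting "PasswordComplexity".
$pattern = 'PasswordComplexity</\w+:Name>\s*<\w+:SettingBoolean>(\w+)<'
$links | Sort-Object Order | ForEach-Object {
    $xml   = Get-GPOReport -Guid $_.GpoId -Domain $Domain -ReportType Xml
    $value = if ($xml -match $pattern) { $Matches[1] } else { 'not defined' }

    [pscustomobject]@{
        Order       = $_.Order
        Gpo         = $_.DisplayName
        LinkEnabled = $_.Enabled
        Enforced    = $_.Enforced
        Complexity  = $value
    }
} | Format-Table -AutoSize

# 4. Full resultant-set-of-policy report for the current computer and user.
$report = Join-Path $env:TEMP "rsop-$env:COMPUTERNAME.html"
Get-GPResultantSetOfPolicy -ReportType Html -Path $report
"RSoP report written to $report"
```

If step 1 still shows `ComplexityEnabled` as True after the GPO was edited, step 3 shows whether a different GPO linked at the domain root, or an enforced link, is supplying the value.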
 