Workgroup and Domain


  • 8/3/2019 Workgroup and Domain


    Workgroup and Domain - Introduction

Computers on a network can be grouped as a workgroup or as a domain; both let the computers find and use one another's resources.

The main difference between the two is how resources, and access to them, are managed.

Administrators should know which grouping fits the environment when drawing up an infrastructure plan, so that the network can be set up and administered effectively.

1. Workgroup

A workgroup is a logical grouping of computers on a network in which the members are peers: each computer keeps its own security database (local user accounts and policies) and its own resources, such as printers and shared folders. It is used on home networks and in small businesses with about 25 computers or fewer.

Advantages of using a workgroup

- Design and implementation are simple.
- Works well for a small number of computers and does not require a Windows server.
- No computer has control over another computer.
- Each computer has its own set of local user accounts.

Disadvantages of using a workgroup

- Difficult to manage, because resource administration is not centralized.
- Administrative tasks are redundant: security policies and user accounts must be created, and kept in sync, on every computer.
- No global grouping of resources.
- Computers must be on the same local network (subnet) for workgroup browsing and name resolution to work.

2. Domain

A domain is a group of networked computers that share a common security policy and a common security database. It is used in medium-sized and enterprise businesses with hundreds or thousands of computers.

A domain is also referred to as a client/server environment: the clients are the workstations, and a server, the domain controller, holds the accounts and controls security and permissions for all the clients in the domain.

Advantages of using a domain

- Centralized administration of accounts, security policies and permissions.
- Users can log on to any computer in the domain without needing an account on that particular computer, so all resources are reached with a single logon.
- Computers can be on different local networks.

Disadvantages of using a domain

- Requires at least one Windows server to act as the domain controller.
- Some applications require a domain environment, which ties their deployment to it.
- Requires more planning and configuration.


A workgroup works well for a small network: it needs no server and little planning, so the members can start sharing resources almost at once. As the network grows, however, a workgroup becomes unsuitable because every administrative task has to be repeated on each computer.

For example, when a new user is added to the network, a user account must be created on each computer that the user will access.

If the network has 25 computers, among them 2 print servers and 3 file servers, then each of the 25 users needs an account on each of those 5 machines just to print and reach the file shares: 125 accounts to create, and 125 passwords to keep in sync whenever one user changes a password.

A domain is more suitable for a network that grows. At least one server acts as the domain controller, where the user accounts, security policies, permissions and other resources are defined, so an administrator performs each task once rather than once per computer.

Difference between a Workgroup and Domain

1. Administration
   Workgroup: No centralized administration. All computers are peers; no computer has control over another computer.
   Domain: Centralized administration. One or more computers are servers, and network administrators use them to control the security and permissions for all computers in the domain. This makes changes easy, because a change is made once and applies to all computers.

2. Roles
   Workgroup: No server/client distinction; each computer acts as both client and server.
   Domain: Server and client based.

3. Accounts
   Workgroup: Each computer has its own set of user accounts. To use any computer in the workgroup, you must have an account on that computer.
   Domain: If you have a user account on the domain, you can log on to any computer on the domain without needing an account on that computer.

4. Scope
   Workgroup: Used when there are only a few computers in the same location that need to be connected.
   Domain: Meant for large-scale deployments with dozens of computers on the network, as in medium and large businesses.

5. Size
   Workgroup: Typically no more than ten to twenty computers.
   Domain: Hundreds or thousands of computers.

6. Typical use
   Workgroup: Computers on home networks are usually part of a workgroup.
   Domain: Computers on workplace networks are usually part of a domain.

7. Implementation
   Workgroup: Easy to implement.
   Domain: Harder, and takes longer to implement.

8. Network layout
   Workgroup: All computers must be on the same local network or subnet.
   Domain: Computers can be on different local networks.

9. Security
   Workgroup: Not much security for data, users and groups (depends on configuration).
   Domain: Security of data, users and groups is enforced centrally.


Domain Controller

On Windows Server systems, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, and so on) within the Windows Server domain.

A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with a single username and password combination.

Domain controllers are the servers that answer security authentication requests: logon, permission checking and the like. Windows NT uses the domain to manage access to a set of network resources, such as applications and printers, that may sit on different servers; the user logs on to the domain once and is then granted access to those resources. Because the domain controller holds the domain's security database, it is central to the security of every device in the domain. PDC and BDC are roles that can be assigned to a server running Windows NT.

Securing a domain controller:

- The domain controller is the custodian of the domain's security database, so the safety of every system in the domain depends on protecting the domain controller well. Whoever controls the domain controller controls every account in the domain.
- The security of the network therefore relies on physically securing and carefully maintaining the domain controller. Secure it according to Microsoft's recommendations for domain controllers.
- The domain controller role does not mix with other functions such as a mail client, FTP server, web server or mail server; each extra service raises the risk of compromise to an unacceptable level.
- Strictly restrict access to the domain controller from the Internet and from the parts of the network that have no need to reach it.

A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources. A domain controller is the centrepiece of the Windows Active Directory service: it authenticates users, stores user account information and enforces security policy for a Windows domain.
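The hardening points above can be checked on a live server. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes Windows Server 2012 or later (for the ServerManager and NetTCPIP modules), and the feature names and port numbers it flags are my assumptions about which installed roles and listeners correspond to the web, FTP and mail services the text names.

```powershell
# Added example (not from the original page): check a server for the DC
# hardening points above: a DC should not also host web, FTP or mail
# services, and its domain-service ports should not face untrusted networks.
# Assumes Windows Server 2012+ (ServerManager and NetTCPIP modules).

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server,
# 4 = Backup Domain Controller, 5 = Primary Domain Controller (on Active
# Directory DCs, 5 marks the PDC emulator).
$roleNames = @{ 0 = 'Standalone Workstation'; 1 = 'Member Workstation'
                2 = 'Standalone Server';      3 = 'Member Server'
                4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller' }

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$role = $roleNames[[int]$cs.DomainRole]
Write-Host "$($cs.Name): $role in $($cs.Domain)"

if ([int]$cs.DomainRole -lt 4) {
    Write-Host 'Not a domain controller; nothing further to check.'
    return
}

# 1. Roles the text says must not share a machine with the DC role.
#    Feature names are assumptions about which Windows roles correspond
#    to the services the text lists.
$forbiddenFeatures = @{
    'Web-Server'     = 'IIS web server'
    'Web-Ftp-Server' = 'FTP server'
    'SMTP-Server'    = 'SMTP mail server'
}
Get-WindowsFeature |
    Where-Object { $_.Installed -and $forbiddenFeatures.ContainsKey($_.Name) } |
    ForEach-Object { Write-Warning "DC also hosts $($forbiddenFeatures[$_.Name]) (feature $($_.Name))" }

# 2. Listening sockets for those services, whichever software provides them.
#    Ports are the conventional defaults (assumption).
$forbiddenPorts = @{ 21 = 'FTP'; 25 = 'SMTP'; 80 = 'HTTP'; 443 = 'HTTPS' }
Get-NetTCPConnection -State Listen |
    Where-Object { $forbiddenPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Warning ("DC listens on {0}/tcp ({1}) via process {2}" -f
            $_.LocalPort, $forbiddenPorts[[int]$_.LocalPort], $proc)
    }

# 3. Exposure: list the domain-service listeners so they can be compared with
#    the firewall rules. Anything here that is reachable from the Internet or
#    from network segments with no need for it violates the last point above.
$dcPorts = 88, 135, 389, 445, 636, 3268, 3269
Get-NetTCPConnection -State Listen |
    Where-Object { $dcPorts -contains [int]$_.LocalPort } |
    Select-Object LocalAddress, LocalPort |
    Sort-Object LocalPort, LocalAddress -Unique |
    Format-Table -AutoSize
```

Run it in an elevated session on the server itself; the DomainRole values 4 and 5 are the same PDC/BDC distinction the text uses, and on an Active Directory domain controller the script reports the PDC emulator as role 5.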

Windows NT Primary and Backup Domain Controller

In older versions of Windows such as Windows NT Server, one domain controller per domain was configured as the Primary Domain Controller (PDC); all other domain controllers were Backup Domain Controllers (BDC).


Primary Domain Controller (PDC)

Holds the read/write copy of the Security Accounts Manager (SAM) database; the PDC is the one that seeds the domain SAM.

In Windows NT networking (and, through the PDC emulator role, in Windows 2000 Active Directory), this machine is the main one that responds to security authentication requests, such as logging in, within its domain. The PDC may be backed by one or more backup domain controllers that can also handle authentication.

Backup Domain Controller (BDC)

Holds a read-only replica of the SAM; a BDC is one that obtains a copy of the domain SAM.

A BDC could authenticate the users in a domain, but all updates to the domain (new users, changed passwords, group membership, etc.) could only be made via the PDC, which would then propagate these changes to all BDCs in the domain.

If the PDC was unavailable (or unable to communicate with the user requesting the change), the update would fail. If the PDC was permanently unavailable (e.g. if the machine failed), an existing BDC could be promoted to be a PDC.

Because of the critical nature of the PDC, best practices dictated that the PDC should be dedicated solely to domain services, and not used for file/print/application services that could slow down or crash the system. Some network administrators took the additional step of having a dedicated BDC online for the express purpose of being available for promotion if the PDC failed.


Basics of Domain Control

Over the years, public perceptions of what domain control really is have taken on an almost mystical nature. Before a brief overview of domain control, note that there are three basic types of domain controllers.

Domain Controller Types

- NT4-style Primary Domain Controller
- NT4-style Backup Domain Controller
- ADS Domain Controller

The Primary Domain Controller, or PDC, plays an important role in MS Windows NT4. In the Windows 200x domain control architecture, this role is held by domain controllers. Folklore dictates that because of its role in the MS Windows network, the domain controller should be the most powerful and most capable machine in the network. As strange as it may seem to say this here, good overall network performance dictates that the entire infrastructure needs to be balanced. It is advisable to invest more in standalone (domain member) servers than in the domain controllers.

In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database. This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key part in NT4-type domain user authentication and in synchronization of the domain authentication database with BDCs.

With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential hierarchy of domain controllers, each with its own area of delegated control. The master domain controller has the ability to override any downstream controller, but a downline controller has control only over its downline. With Samba-3, this functionality can be implemented using an LDAP-based user and machine account backend.

New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM database (one of the registry files) [1].

The Backup Domain Controller, or BDC, plays a key role in servicing network authentication requests. The BDC is biased to answer logon requests in preference to the PDC. On a network segment that has a BDC and a PDC, the BDC will most likely service network logon requests. The PDC will answer network logon requests when the BDC is too busy (high load). When a user logs onto a Windows domain member client, the workstation will query the network to locate the nearest network logon server. Where a WINS server is used, this is done via a query to the WINS server. If a netlogon server cannot be found from the WINS query, or in the absence of a WINS server, the workstation will perform a NetBIOS name lookup via a mailslot broadcast over UDP. This means that the netlogon server that the Windows client will use is influenced by a number of variables, so there is no simple determinant of whether a PDC or a BDC will serve a particular logon authentication request.

A Windows NT4 BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic operation; the PDC and BDC must be manually configured, and other appropriate changes also need to be made.

With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be. It is possible to promote a BDC to a PDC, and vice versa. The only method Microsoft provides to convert a Windows NT4 domain controller to a domain member server or a standalone server is to reinstall it. The install-time choices offered are:

Configuring the domain or workgroup settings

Use the Domain/Workgroup page to configure the managed system as a member of a domain or workgroup. If the system is a domain member, you can also use this page to supply a user account with permission to join the domain.

To configure the domain or workgroup settings, complete the following steps:

1. On the Network Configuration page, click the Domain/Workgroup tab.
2. On the Domain/Workgroup page, type the computer name of the affected managed system. Note: only the Computer name field is valid for managed systems running Linux or IBM i operating systems.
3. Specify whether you want the specified system to be a member of a domain or a workgroup, and type the domain name or workgroup name in the associated field.
4. If you selected Domain, specify a user account with permission to join the domain by providing the user name and password of the account.
5. When you are finished editing the settings, click Save. If you are updating the configuration in real time, click Deploy. To discard any changes you have made, click Cancel. To reset the settings to the previously saved values, click Reset and then click Save to save the restored settings.

Windows NT 4.0

To configure Windows NT for domain logons, log in to the computer as Administrator or another user in the Administrators group, open the Control Panel, double-click the Network icon, and click the Network Identification tab.

Click the Change... button, and you should see the dialog box shown in the figure below. In this dialog box, you can choose to have the Windows NT client become a member of the domain by clicking the checkbox marked Domain: in the Member of box. Then type in the name of the domain to which you wish the client to log on; it should be the same as the one you specified using the workgroup parameter in the Samba configuration file. Click the checkbox marked Create a Computer Account in the Domain, and fill in "root" for the text area labelled User Name:. In the Password: text area, fill in the root password you gave smbpasswd for creating computer accounts.


Figure: Configuring a Windows NT client for domain logons
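The two join procedures above (the management console and the NT 4.0 dialog) correspond to a couple of PowerShell commands on a current Windows client. The block below is an added example, not code from the page, the Samba HOWTO or Microsoft. The domain name, OU path and join account are placeholders (assumptions). The one substantive change from the NT 4.0 text is the account used: instead of root or a Domain Admin, it uses a dedicated account that has been delegated only the right to create computer objects in one OU, so the credential typed into every new machine cannot take over the domain if it leaks.

```powershell
# Added example (not from the original page): show whether this machine is in
# a workgroup or a domain, then join it to a domain with a delegated join
# account. Placeholder domain, OU and account names are assumptions.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "$($cs.Name) is a member of domain $($cs.Domain)"
    # A healthy member keeps a secure channel (machine account password) with
    # a DC; $false means the computer account is broken and logons will fail.
    Write-Host "Secure channel with a DC intact: $(Test-ComputerSecureChannel)"
    return
}
Write-Host "$($cs.Name) is in workgroup $($cs.Workgroup); local accounts only"

# Join account: an ordinary domain user delegated "Create Computer objects"
# on the target OU and nothing else (assumed names).
$domain   = 'corp.example.com'
$ouPath   = 'OU=Workstations,DC=corp,DC=example,DC=com'
$joinUser = 'CORP\svc-domainjoin'

$cred = Get-Credential -UserName $joinUser -Message "Password for $joinUser"

# -OUPath puts the computer account under the delegated OU; without it the
# account lands in the default Computers container, where the join account
# has no rights. -Restart reboots to complete the join.
Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Restart

# To leave the domain for a workgroup again (needs local Administrators):
#   Add-Computer -WorkgroupName 'WORKGROUP' -Restart
```

Run it from an elevated session on the client. The first branch is the check to run on an already-joined machine: a failing secure channel is the modern equivalent of the NT 4.0 "computer account in the domain" being missing or stale.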

Built-In Global Groups

Three global groups are built in:

Domain Admins --- The Domain Admins built-in group initially contains the Administrator account. When you create accounts for the administrators of your domain, add them to the Domain Admins global group, which is already a member of the Administrators local group.

Domain Users --- The Domain Users built-in group initially contains the Administrator account. Administrators and Account Operators can modify this group. Every user account you subsequently add to this domain is put automatically in the Domain Users global group.

Domain Guests --- The Domain Guests built-in group initially contains the Guest account. Administrators and Account Operators can modify the Domain Guests built-in group.

Table 4-5 lists the types of built-in global groups, their initial contents, and who can modify them.

Table 4-5 Built-In Global Groups

Global Group    Initial Contents    Who Can Modify
Domain Admins   Administrator       Administrators
Domain Users    Administrator       Administrators, Account Operators
Domain Guests   Guest               Administrators, Account Operators

The following sections further explain the built-in global groups and how to use them.


    HP Advanced Server for OpenVMS

    Concepts and Planning Guide


4.7.1.1 Administrators

The Administrators local group is the most powerful group in the domain. Members of this group have more control over the domain than do any other users. They manage the overall configuration of the domain and the domain's servers. The built-in Administrator user account is a member of the Administrators local group and cannot be removed. By default, the Domain Admins global group is a member of this local group, but it can be removed.

In the Advanced Server, the user right "Access this computer from the Network" cannot be revoked from the Administrators local group.

Unlike administrators in LAN Manager servers, Advanced Server administrators do not automatically have access to every file in the domain. If a file's permissions do not grant access, the administrator cannot access the file. If needed, an administrator can take ownership of a file and thus have access to it. But if the administrator does so, this event is recorded in the security log (if auditing of files is turned on) and the administrator cannot give ownership back to the original owner. For more information about ownership of files and directories, see Chapter 6, Managing Network Shares, in this guide.

4.7.1.2 Server Operators

Members of the built-in Server Operators local group have many of the same abilities as built-in Administrators; however, they cannot manage security on the server. Specifically, Server Operators can share and stop sharing a server's files and printers, and they can start, stop, pause, and continue selected services.

4.7.1.3 Account Operators

Members of the built-in Account Operators local group can manage the server's user and group accounts. An Account Operator can create, delete, and modify most user accounts, global groups, and local groups. However, Account Operators cannot modify the user accounts of Administrators, nor can they modify the Administrators, Server Operators, Account Operators, Print Operators, or Backup Operators local groups. They also cannot assign user rights.

4.7.1.4 Print Operators

Members of the built-in Print Operators local group can manage shared printers.

If you want a domain's Print Operators to administer printers managed by Windows NT workstation computers in the domain, as well as printers managed by the domain's servers, you must perform the following steps:

1. Create a Domain Print Operators global group in the domain. Make this global group a member of the domain's Print Operators local group.
2. Add the user account of each print operator to the Domain Print Operators group.


3. On each workstation that manages printers, place the Domain Print Operators global group in the workstation's Power Users local group.

4.7.1.5 Backup Operators

Members of the built-in Backup Operators local group have specific rights on any Windows NT Server in the domain, but no specific rights on Advanced Server.

4.7.1.6 Users

Membership in the Users local group provides the abilities most users need to perform normal tasks. By default, the Domain Users global group is a member of the Users built-in local group, but it can be removed.

4.7.1.7 Guests

Differences between the rights granted to the Guests built-in local group and to the Users local group are minimal; both groups have the right to access the server over the network. For information on the built-in Guest account, see Section 3.4.2, Guest Account.

4.7.1.8 Using the Operators Local Groups

As an example of how to use operators local groups, consider a medium-sized department that is deciding how to assign its technical staff to the various administrator and operator groups.

At least one user must be an administrator. Members of the Administrators group have several unique abilities. These include taking ownership of files and managing auditing. Because of their unique abilities, members of the Administrators group are responsible for planning and maintaining network security for the department. They also can be allowed to administer Windows NT workstation computers.

If there is someone in the group who is responsible for helping new employees get started, it may be wise to make this person a member of the Account Operators group. This account operator then can create domain accounts for new employees and place these accounts in the appropriate groups.

If the domain's Administrators group has only a few members, you should assign at least one additional person to the Server Operators group. The basic function of the Server Operators group is to keep the domain servers running. This goal is reflected in their abilities to share directories and printers on servers. If possible, at least one member of either the Administrators or Server Operators group should be present at all hours during which people are using the network.

If the ability to print documents quickly is important to your group, you should add several people to the Print Operators group to ensure that printer problems can be addressed quickly.
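The staffing decisions described above are only as good as the current group membership, which drifts over time. The following PowerShell is an added example (not from the HP guide or Microsoft) that lists who effectively holds each built-in administrative and operator role, nested global groups included. It assumes the ActiveDirectory module and a current Active Directory domain in which the built-in groups keep the names given in the text. When reading the result, count Server Operators and Backup Operators as administrators: the service-control and backup/restore rights described above, exercised on a domain controller, are enough to take control of it.

```powershell
# Added example (not from the original page): who holds the built-in
# administrative and operator roles, with nested groups resolved to users.
# Assumes the ActiveDirectory module and an Active Directory domain.

$privilegedGroups = 'Administrators', 'Domain Admins', 'Account Operators',
                    'Server Operators', 'Print Operators', 'Backup Operators'

$report = foreach ($g in $privilegedGroups) {
    # Direct members, as configured (users and groups).
    $direct = @(Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue)
    # Effective members: -Recursive expands nested groups (e.g. Domain Admins
    # inside Administrators) down to user accounts.
    $users  = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                Where-Object objectClass -eq 'user' |
                Sort-Object SamAccountName -Unique)
    [pscustomobject]@{
        Group           = $g
        DirectGroupList = @(($direct | Where-Object objectClass -eq 'group').SamAccountName)
        UserCount       = $users.Count
        Users           = $users.SamAccountName -join ', '
    }
}
$report |
    Select-Object Group, UserCount, @{ n = 'DirectGroups'; e = { $_.DirectGroupList -join ', ' } }, Users |
    Format-Table -AutoSize -Wrap

# Checks that follow from the text: at least one administrator must exist,
# and the operator groups are meant for a few named people, not everyone.
$admins = $report | Where-Object Group -eq 'Administrators'
if ($admins.UserCount -lt 1) { Write-Warning 'Administrators has no user members' }

$broad = 'Domain Users', 'Domain Guests'
foreach ($row in $report) {
    foreach ($name in $row.DirectGroupList) {
        if ($broad -contains $name) {
            Write-Warning "$($row.Group) contains $name, so every user holds that role"
        }
    }
}
```

Run it as a user who can read group membership in the domain (any domain user can, by default). The DirectGroups column shows the nesting the text describes (Domain Admins inside Administrators, for instance); the Users column is the list of people to compare with the staffing plan.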

4.7.1.9 Setting Up a Universal Operators Group

If your network has multiple domains, each containing computers with shared printers, and you have a single group of Print Operators who need the ability to administer printers in all domains, use a universal operators group (a combination of global groups and local groups) to set this up. By doing so, you ensure that your Print Operators group is easy to maintain as your network evolves, as print operators come and go, and as new computers or domains are added.

Follow these steps to establish a universal operators group:

1. In each domain where accounts of Print Operators are located, create a global group called Domain PrintOps and make all of the Print Operators in the domain members of this group.
2. In each domain where printers are to be administered, modify the Print Operators local group by adding the Domain PrintOps global groups to it. Be sure to make this change to the Print Operators local group in every domain.

After you complete these steps, every Print Operator has the ability to administer all printers.

If you also need to administer printers on Windows NT workstation computers, you will need to go a step further, because a domain's local groups (such as Print Operators) cannot be used by Windows NT workstation computers --- even Windows NT workstation computers participating in that domain. To each Windows NT workstation computer with printers to administer, add all of the Domain PrintOps global groups to the workstation's Power Users local group.
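The procedure above, as an added PowerShell example (not from the HP guide or Microsoft). It assumes the ActiveDirectory module, domains that belong to one forest (so a global group from one domain can be placed in another domain's Print Operators group), the LocalAccounts module on the workstations (Windows 10 and Server 2016 or later), and placeholder domain, OU and workstation names. One caveat on step 3: since Windows Vista the Power Users group carries no extra rights by default, so on a modern workstation that step only grants printer management if the group has been given that right by policy; the code keeps the page's group name so the mapping to the text stays clear.

```powershell
# Added example (not from the original page): the universal operators group
# procedure with the ActiveDirectory and LocalAccounts modules. Domain, OU and
# workstation names are placeholders (assumptions); domains are assumed to be
# in one forest.

$accountDomains = 'east.example.com', 'west.example.com'   # where print operators' accounts live
$printerDomains = 'east.example.com', 'west.example.com'   # where printers to administer live
$workstations   = 'WS-PRINT01', 'WS-PRINT02'               # workstations that manage printers

# Step 1: one "Domain PrintOps" global group per account domain. A global group
# can hold only accounts from its own domain, hence one per domain.
$globalGroups = foreach ($d in $accountDomains) {
    $g = Get-ADGroup -Filter "Name -eq 'Domain PrintOps'" -Server $d
    if (-not $g) {
        $g = New-ADGroup -Name 'Domain PrintOps' -GroupScope Global -GroupCategory Security `
                         -Server $d -PassThru
    }
    # Members: every account in the domain's PrintOps OU (assumed layout).
    $ouDn = "OU=PrintOps,$((Get-ADDomain -Server $d).DistinguishedName)"
    $ops  = Get-ADUser -Filter * -SearchBase $ouDn -Server $d
    if ($ops) { Add-ADGroupMember -Identity $g -Members $ops -Server $d }
    $g
}

# Step 2: in every printer domain, add all the global groups to that domain's
# built-in Print Operators local group.
foreach ($d in $printerDomains) {
    Add-ADGroupMember -Identity 'Print Operators' -Members $globalGroups -Server $d
}

# Step 3: a domain's local groups are invisible to workstations, so each
# workstation's own local group must receive the global groups directly,
# in the "DOMAIN\Domain PrintOps" form the local group cmdlets expect.
$memberNames = foreach ($d in $accountDomains) {
    "$((Get-ADDomain -Server $d).NetBIOSName)\Domain PrintOps"
}
foreach ($ws in $workstations) {
    Invoke-Command -ComputerName $ws -ArgumentList (, $memberNames) -ScriptBlock {
        param([string[]] $members)
        foreach ($m in $members) {
            $already = Get-LocalGroupMember -Group 'Power Users' -Member $m -ErrorAction SilentlyContinue
            if (-not $already) { Add-LocalGroupMember -Group 'Power Users' -Member $m }
        }
    }
}

# Verify the result in one domain and on one workstation.
Get-ADGroupMember -Identity 'Print Operators' -Server $printerDomains[0] |
    Select-Object Name, objectClass
Invoke-Command -ComputerName $workstations[0] -ScriptBlock { Get-LocalGroupMember -Group 'Power Users' }
```

Run steps 1 and 2 with an account that may modify groups in each domain (Account Operators suffices for the Domain PrintOps groups, but only Administrators may change Print Operators, as section 4.7.1.3 explains), and step 3 with local administrator rights on the workstations. Adding a new print operator afterwards is a single change to the Domain PrintOps group in their home domain, which is the maintenance property the text is after.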


built-in local group

A Microsoft Windows NT local group created during installation that has pre-assigned rights and permissions. Built-in local groups are used to simplify the administrative task of assigning users and groups rights to perform system tasks and permissions to access network resources. There are nine different built-in local groups on computers running Windows NT:

1. Users: Contains the Domain Users global group and is used to assign rights and permissions to all ordinary users.
2. Administrators: Contains the Domain Admins global group and the Administrator account created during setup.
3. Guests: Contains the Domain Guests global group.
4. Power Users: Members have the right to share folders and printers.
5. Replicator: This group is used exclusively by the Directory Replicator Service.
6. Backup Operators: Members have the right to back up and restore servers.
7. Account Operators: Members have the right to administer accounts.
8. Server Operators: Members have the right to administer servers.
9. Print Operators: Members have the right to administer printers.

The following table shows which of these groups exist within the domain directory database on Windows NT domain controllers and which exist within the local directory database on Windows NT member servers and workstations:

Built-In Local Groups of Windows NT

Built-In Local Group   Windows NT Domain Controller   Windows NT Member Server   Windows NT Workstation
Users                  Y                              Y                          Y
Administrators         Y                              Y                          Y
Guests                 Y                              Y                          Y
Power Users            N                              Y                          Y
Replicator             Y                              Y                          Y
Backup Operators       Y                              Y                          Y
Account Operators      Y                              N                          N
Server Operators       Y                              N                          N
Print Operators        Y                              N                          N

built-in global group

Global groups in Microsoft Windows NT that are created during installation to organize common groups of users for administrative purposes. These built-in global groups are created within the Security Accounts Manager (SAM) database of the primary domain controller (PDC). Three built-in global groups exist:

1. Domain Admins: Initially, this group contains only the Administrator account that was created during setup. Only people with administrative responsibilities should be assigned to this group.
2. Domain Guests: This group contains the Guest account and is designed for organizing temporary users of network resources and granting them access.
3. Domain Users: When a new user account is created, it is automatically added to this group. The function of this group is to collect all ordinary users for the purpose of assigning them permissions to resources on the network.
