Geek pop quiz.

[theweaselking]

I have one laptop. It can have as many accounts as it needs. I need it to be able to log in to one domain when it needs to and, at other times, log in to different account names on different workgroups.

Account A is part of Domain A and logs into the Domain
Account B is not part of a Domain (and so logs into the local machine), but is a member of Workgroup B
Account C is not part of a Domain, but is a member of Workgroup C

Is there an easy way to do this in XP Pro? How about Vista Business? Is it as simple as setting the Computer Name settings for each account?

Comments

[drjamez.livejournal.com]

The short answer: no, it's not that simple. Microsoft designed the professional workstations to belong to only one workgroup or domain at a time. (You can always log onto the local computer workstation and see if that helps, but you're looking to switch between three networks, not two, which makes this tricky.)

One possible solution, if all three networks are on the same wire, is to use a registry hack to allow multiple domain/workgroup browsing.

http://www.pctools.com/guides/registry/detail/1185/

If the domains/workgroups are not on the same wire, then you'll need to change the workgroup/domain name every time, which is more cumbersome and not the solution you seek as you will likely need to rejoin Domain A every time.

However, there are some software vendors that offer an alternative; a tool that can store and reset certain parameters based on the network YOU wish to join. This site claims to offer a "fully functional unrestricted version" of just such a tool for free downloading.

http://www.mobilenetswitch.com

This might be the solution you need, but your mileage may vary.

Good luck,
- James -

[cloverkill.livejournal.com]

Shoot the hostage.

Don't do anything fancy.

[mhoye.livejournal.com]

Join it to domain A, and use network drive mappings to get to the resources you use in the various workgroups. You can do that from multiple accounts, but assuming there's no drive-letter collisions (or that you don't care about relettering them) you can do that from just the one account, too. Cached credentials means you don't need to be connected to the domain controller to log in locally, wherever else you happen to be.

[ex-cerebrate131.livejournal.com]

I would recommend mhoye's solution below, myself, but I just feel the need to add that "Microsoft designed the professional workstations to belong to only one workgroup or domain at a time." is for the reason that allowing multiple domain memberships creates a security hole big enough to drive small planets through, so that's pretty much not going to change, ever.

Re: Don't do anything fancy.

[theweaselking.livejournal.com]

Yeah. The frustrating factor comes with Samba shared folders - Windows automatically sends your login credentials to them even if you've told it to use an alternate username and password.

Really, your suggestion was my plan. I just was hoping not to use it.

[theweaselking.livejournal.com]

I don't want multiple domain memberships. I just want to take my machine to a different office, log in to the local machine, and have the Workgroup setting changed without my needing to reboot.

Only one location has a Domain, and so only one Domain membership is needed.

Re: Don't do anything fancy.

[elffin.livejournal.com]

"Samba shared folders - Windows automatically sends your login credentials to them ..."

o.O

jesuschristonapogostick. Security hole big enough to drive planetoids through from Windows95! I had thought that would have been fixed ... by ... now.

Oh, right. This is the same OS vendor that gets pwned by animated cursors.

[ex-cerebrate131.livejournal.com]

Well, for explicity, as workgroups are like crippled domains in some crucial ways, you'd get a slightly smaller security hole if that was allowed, and so they don't allow that either.

[drjamez.livejournal.com]

Domains and Workgroups function similarly on one level, coding and security-wise. In order to be in a workgroup, you need to leave the previous Domain (just as you'd need to leave the previous workgroup). While only one Domain membership is needed in your situation, you can't (normally) switch between Domains and Workgroups for security reasons.

One "hack" is to name the workgroups the same NETBIOS name as the Domain. The workgroup will see such a PC as a workgroup membership because of the naming convention. That might not be possible, of course, but if you control at least one of the workgroup names, you can generally make life easier for yourself by matching the Domain name.

Having worked with Samba, it can be a real bitch to do this unless you are willing to lower the security settings on the Samba share (not my advice).

If you can't just make network connected drive mappings function without being part of the local Workgroup, check out the second link I posted. It supposedly allows just such a "switch" without rebooting.

- James -

Re: Don't do anything fancy.

[ex-cerebrate131.livejournal.com]

That would be because Samba, which until 4, a.k.a "While we welcome your interest in Samba 4, we don't want you to run your network with it quite yet.", only supports the archaic version of the protocol that you have to reenable explicitly in all current versions of Windows, and was recommended to disable in Windows 2000. "Because it's obsolete and insecure and no-one should ever use it, except during transition away from things that can't do any better and won't be upgraded," to paraphrase the initial line.

Hardly Microsoft's fault that it's taken Samba until 2007 to grok Windows 2000-era Kerberos-based login, now is it? True, reverse engineering hard, but MS published the spec for their variant on standard Kerberos many years ago, and Kerberos has been around for a Damn Long Time.

Just to inject the odd fact here, and all.

Re: Don't do anything fancy.

[theweaselking.livejournal.com]

The problem is that in User mode, Samba does not allow access to anything, not even "guest" shares, without a valid samba username and password. This is annoying but fine, Windows has a nice function to send a different username and password when you map a network drive...

...except that Windows, up to and including XP Professional SP2 patched to the gills, most often *doesn't* send that username and password when it tries to connect, and it doesn't prompt *you* for a username and password to send, either. Instead, it sends the credentials of the currently logged-in user, and, if those fail, then pops up a window prompting the user to put in a username and password.

You don't actually have to re-enable anything in Windows to make it connect to a Samba share. It follows exactly this behaviour, right out of the box on a fresh installation of XP Pro SP2.

I frankly fail to see how this is Samba's problem. This is Windows failing to respect what username and password I told it to use when connecting to that share, and this is Windows sending my credentials to the share server by default

Re: Don't do anything fancy.

[elffin.livejournal.com]

Oooh, that's nifty. I didn't have much sleep last night and read "Samba" as "Microsoft's SMB protocol" and was questioning my own knowledge and experienced based on that mis-read.

heeheehee thanks. I wonder what else my sleep-dep has led me to mis-perceive.

Re: Don't do anything fancy.

[elffin.livejournal.com]

Ooooh.

Damn. Tomorrow when I'm more awake I am going to have to dig - I'd like to not have someone drop a random *nix box on my network with a Samba share and cull through the logged-in usernames and passwords (or hashes) of anyone attempting to connect to it.

Re: Don't do anything fancy.

[mhoye.livejournal.com]

You should know that there are still race conditions in Windows drive-lettering scheme - hotpluggable devices can lose out to network shares or vice versa in their quest for a drive letter. Instead of just giving the next available letter out, Windows fails that process silently and all the user gets is the impression that their USB key is broken. The fix is quick, just go into drive-management and assign a new letter, but knowing what's going on is a big time-saver.

Re: Don't do anything fancy.

[theweaselking.livejournal.com]

I do know that, but thanks.