Why join a domain (from user's point of view) if user can map drives and add network printers without joining?

25
2014-01
  • user197617

    I know policies can be imposed from a network administrator's point of view to make things easier to manage and control, but what does a user lose out on by not joining a domain?

    For example, let's create a user account on the company domain as follows: domain "Company" username "John" password "password"

    And let's set up a machine as follows: workgroup "Workgroup" username "John" password "password"

    Since local and domain credentials are the same, "John" can map shared resources on the domain and add network printers (apparently without the need to provide credentials when doing so). Furthermore, "John" might be able to simultaneously access shared resources on any other domain, providing his credentials are the same on these other domains.

    "John" would still be limited by what his domain user account permissions allow on the domain, but I gather would be free to do as he pleases on his local machine.

    Regardless of whether my domain is set up properly or not (for the time being), what downsides exist for John's computer not being on the domain (again, from the user's point of view)? One thing that comes to mind is a roaming profile...what else is there?

  • Answers
  • Jonathan

    I've seen this practice called "mirrored accounts", and used when networking/policy prohibits domain joins. However, off the top of my head:

    • The user can't change his domain password from his machine. If the domain requires periodic password changes, the user may get locked out.
      • Even if he manages to, he must also change his local password at the same time.
      • Other apps (Outlook with Exchange, Lync) will probably need the password entered - and updated - separately.
    • A domain-joined machine gets corporate domain policies, which the user may consider a benefit (or not).
    • If the domain uses transport-layer IPsec, the non-domain-joined machine won't be able to connect to domain-joined machines (except designated boundary machines, like the DC itself - so it can join in the first place).

  • Related Question

    Can you share a LAN printer from a Windows 7 homegroup to a Windows Vista domain?
  • Mark Rogers

    I have a work laptop computer at home running Windows Vista that is on a work domain group that it uses when it connects to a work VPN. The laptop is on a local LAN that has a connection to the internet; the LAN also has a desktop running Windows 7 with a printer on a workgroup.

    Can I print from my work domain laptop to my home domain desktop printer?

    Is there any free software that can let me do this?


  • Related Answers
  • Iszi

    You should be able to share out a printer on your home LAN, and have it accessible by any computer on that network. If both are running Windows XP or later, no special software (other than perhaps drivers) should be required.

    The only limitations would be those that may be imposed by group policy (preventing you from installing things to the work laptop) or by your VPN service (preventing you from accessing resources on the LAN while connected to the VPN).