What happens when a computer joins an Active Directory domain?
What changes are applied to a client when it joins an AD domain?
How is a domain member supposed to behave when disconnected from the network? Are users able to log in? Will domain user policies still apply when off the network?
If you know of a comprehensive resource that provides a comprehensive introduction to Active Directory, please post them.
Thanks
Solution 1:
The reason you can still login is because your account is cached on the computer. It is in fact supposed to work that way. Otherwise you'd never be able to use a laptop off the network without having a local account on it. Which in an enterprise would be a nightmare.
When you log into the domain the first time, a bunch of information about your account and its privileges, along with any Group Policy Objects (GPOs), gets configured. That is why the first login takes so long.
Joining a computer to an AD domain creates an account in the domain for the computer. This allows the computer to exist as a controllable, configurable, authenticated, individual in the domain. This means you can force policies about everything from desktop appearance to windows updates to anything configurable in windows to the client, and it can be changed relative to the user logged into the client as well.
Here is Microsoft's documentation on how login works with 2003: technet article about login
Solution 2:
When a computer is joined to a Windows domain, all sorts of things happen. The most important ones:
- User accounts in the domain become valid users on the system and can logon to it (unless restrictions apply).
- Domain administrators acquire administrative rights on the system.
- The computer itself gets an account in the domain, and uses it to authenticate against other computers.
- Local user accounts remain active and can still be used to logon to the system; they're not recognized by any other computer in the domain.
- The computer name gets registered in the domain DNS (if it supports dynamic updates, which it should).
- Group Policies defined in the domain and targeted to computers affect the system.
- Group policies defined in the domain and targeted to users affect any domain user who logs on to the computer.
When the computer is a member of a domain but can't connect to a domain controller, it can't validate user credentials, so any domain logon is going to fail; the exception is the last logged on user, which is by default cached and remembered, and can still successfully logon. So, if the last logged on user was DOMAIN\UserA, a disconnected logon with the same user account will succeed, but a logon with, say, DOMAIN\UserB will fail. (This behaviour is configurable via policy).
Group Policies remain applied even in a disconnected scenario.
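The following script is an added example, not code from either answer above. It is a read-only audit, run in an elevated Windows PowerShell session on a member computer, of the things both answers describe: whether the machine is joined and to which domain, whether the computer account can currently reach a domain controller, how many previous logons are cached for offline use (the policy Solution 2 calls "configurable", which is "Interactive logon: Number of previous logons to cache", stored under the Winlogon registry key as CachedLogonsCount), which Group Policy Objects were applied from the local cache, and whether the computer's name was registered in domain DNS. All cmdlets, the registry path, and the gpresult tool are standard Windows components; the only assumption is that you run it on a Windows computer with administrative rights.

```powershell
# Added example (not from the original thread): audit the domain-join state
# of this computer. Run in an elevated Windows PowerShell session.

# 1. Is this machine joined, and to which domain?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    ComputerName = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
}

# 2. Can the computer account currently reach a domain controller?
#    Test-ComputerSecureChannel returns $true when a DC answers and the
#    machine account password is valid. Off the network it returns $false
#    or throws, which is the disconnected scenario the answers describe.
$secureChannelOk = $false
try {
    $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    Write-Warning "No domain controller reachable: $($_.Exception.Message)"
}
"Secure channel OK: $secureChannelOk"

# 3. How many previous domain logons are cached for offline use?
#    This is the 'Interactive logon: Number of previous logons to cache'
#    policy. The registry value is stored as a string; 0 disables caching,
#    which means no domain user can log on while disconnected.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '(not set; Windows default applies)' }
"CachedLogonsCount: $cached"

# 4. Which GPOs were applied to the computer? gpresult reads the locally
#    stored result of the last policy refresh, so this works offline too,
#    which is why policies remain in force in a disconnected scenario.
gpresult /r /scope:computer

# 5. Did the computer register its own name in domain DNS?
if ($cs.PartOfDomain) {
    $fqdn = "$($cs.Name).$($cs.Domain)"
    try {
        Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
            Select-Object Name, IPAddress
    } catch {
        Write-Warning "DNS lookup for $fqdn failed: $($_.Exception.Message)"
    }
}
```

Running this on a laptop while on the corporate network and again while disconnected shows the difference the answers describe: step 2 flips from $true to a warning, while steps 3 and 4 still return the cached logon count and the previously applied policies. A CachedLogonsCount of 0 is the setting to look for if you need to explain why domain users cannot log on to a particular machine when it is off the network.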