Moving from domain to workgroup

September 18, 2012 at 08:19:12
Specs: Windows 2003 SBS
I have just started to manage the computers for a small company (1 fileserver, 5 clients). The person who set up their systems put Win 2003 SBS on their server and WIn 7 everywhere else. They don't make use of 95% of what this kind of environment provides. It is much too complicated for what they need. What I would like to do is switch their server over to Win 7 and just put them in a workgroup. I know that they will not be able to log into their PCs using the domain login/password once their PCs are removed fro the domain. How do I get them back into their PCs with the same local environment that they had before or is that even possible? I want things to change as little as possible on their PCs. They don't deal well with change :-)

See More: Moving from domain to workgroup

Report •

#1
September 18, 2012 at 09:21:44
I'm left wondering what problem you believe will be solved by downgrading to workstations, or are you just trying to force change on people who don't deal well with change?

How To Ask Questions The Smart Way


Report •

#2
September 18, 2012 at 09:50:12
It will reduce the complexity of their server immensely, thus making administration of their site much simpler for them. They have very basic server requirements: make documents available on the network, do a daily backup and maybe run a Quickbooks server. They use their client PCs to email, browse the web, create/edit/print documents. They don't need AD, Exchange, etc. All they really care about is that they can run a few applications, access their files and use inter internet. Looking at it from a server perspective, obviously a lot of things will change. But from a client perspective, I think that I can be done in a way that would be virtually invisible to them. If need be, they can deal with a little change if it is presented to them in a simple and straightforward way. They're not stupid, they just aren't very computer savvy.

Report •

#3
September 18, 2012 at 10:23:54
If the current environment is running well, don't touch.
"Never touch a running system!"

I suspect that you want to change it, cause you don't have knowledge to manage it.

Correct me, if I'm wrong.


Report •

Related Solutions

#4
September 18, 2012 at 10:58:19
They didn't need Windows 2003 SBS when they got it and they don't need it now. Being that this is a Windows 2003 forum, I can see why you might disagree. I have no problem with that. And no, I do not have a great deal of experience in this area. But I have been a computer engineer for over 25 years and am capable of dealing with systems such as this with a bit of support from time to time. I understand that the amount of time that I have worked with computers doesn't necessarily correlate with actual ability. I can't prove anything to you regarding this, so believe what you will.

Their installation is old and somewhat unstable. I've done various things to improve it's stability, but it is still not completely stable. Since I was not privy to all of the things that have been done to the server since I was introduced to it and the instability is very hard to pin down, I feel that things would be best served by reloading the system and starting anew. I will then know exactly what is on the server and what has been done to it's configuration. I don't feel that it would be in anyone's best interest to spend time shoring up an old, shaky server. I could put Windows 2003 or 2008 on the server, but they do not need it. It is overkill.

You may or may not agree with what has been written above. But I didn't come here to debate the virtues of Windows 2003. All I really wanted is an answer to my question. Your suggestions are more than welcome, your criticisms aren't. Really, for people like you who I'm sure know a great deal about Windows 2003, I'm sure that this is a very simple question.


Report •

#5
September 18, 2012 at 11:22:35
You didn't mention, that the system is unstable.
So it haven't made sense to me, to change the system, when it's setup correctly and running smoothly.

And therefore I suspected, that you wanted to change their system, to be able to manage it.

It is not my intention, to offend you.
Sorry if it sounds like.


Report •

#6
September 18, 2012 at 12:21:27
Sorry if I was too brusque - you didn't offend me.

Report •

#7
September 19, 2012 at 07:43:56
They didn't need Windows 2003 SBS when they got it and they don't need it now

I'm sorry but this is a personal opinion and has nothing to do whatsoever with the question of which is more appropriate in this situation, a workgroup or a domain.

And no, I do not have a great deal of experience in this area.

This then is the crux of the issue. It's not a case of whether a workgroup is better suited to this client than a domain, but is instead a case of a lack of experience and knowledge on your part in administering an AD integrated domain.

But I have been a computer engineer for over 25 years and am capable of dealing with systems such as this with a bit of support from time to time.

Length of time working as a computer engineer is irrelevant. I spent the first 10+ years as an administrator in small, medium and large environments. I would probably not be suited for what you do. The phrase "computer engineer" implies you work at building/creating hardware. That or it's a fancy term for someone who works on a bench putting systems together. If the former, I'm not qualified. If the latter, been there done that.

I realize you're feeling like you're being criticized (you said as much) but you're not. This is the plain bald truth here so stop being so oversensitive and listen.

You don't truly understand the difference between a domain and a workgroup. If you did, you would leave the setup as it is. There's an old adage I live by, as do most computer people and that is, "If it ain't broke, don't fix it" If you start changing this network to suit your skill set, you're going to screw it up and make a mess and either spend a long time trying to get it back to working properly, or, you'll have to hire someone who does know what they're doing to fix it for you.

Since I was not privy to all of the things that have been done to the server since I was introduced to it and the instability is very hard to pin down, I feel that things would be best served by reloading the system and starting anew. I will then know exactly what is on the server and what has been done to it's configuration

Again, this is your lack of knowledge/experience speaking. Anyone qualified could look this system over and see how it's setup and work with it. It's your unqualified opinion that this setup is "shaky" when in reality it's your skill set that's "shaky"

How is the system unstable? What is going wrong, what isn't working? Provide us with that information and we can probably help you fix the issue.

I once setup a brand new server for a small company that was about the size of the one you're talking about. The guy they'd hired originally to setup their first "server" and windows domain sold them a desktop PC that didn't even have RAID capability and told them it was a server. Still, it worked ok for a couple years but in a very short time, their databse outgrew the hardware and they contacted the company I worked for at the time to sell them a new server.

I helped them pick a server appropriate to their needs and set it up, configured the RAID, did the burn in tests, installed and configured the OS (2003 SBS). Then, I had to recreate their domain on it because they didn't want the name to change. I did so, ported all user accounts, data and the database itself over to the new server and all I had to do was add the client computers to the domain and they were back up and running.

It sounds easier than it is, it took a lot of hours and labbing/documenting every step in order to do it without any problems.

There are good reasons for this to be setup as a domain.....the biggest being centralized administratrion of users and resources. Again I'm going to say, without meaning to be insulting or rude, you're obviously in over your head, do yourself and the company in question a favor and tell them so and have them hire someone who is qualified and capable.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


Report •

#8
September 19, 2012 at 08:24:11
My side of things is opinion and yours is 'plain bald truth'. Nice. And your ability to see the future with such clarity is amazing also. I know the benefits of a domain, but in this situation I don't want one. Just because we don't agree doesn't make you right and it doesn't make me wrong. If I had come here and asked advice about how to stabilize my server, then all your concern would be great - more than welcome. But I didn't. I just asked a simple question. Maybe it made me look like I didn't know what I was doing, but I do. Not as much as a seasoned WIndows administrator for sure. Again, i'm not a Windows server expert by any means.

It would have been a lot nicer it things had gone something like this:

"Hi. Here is the answer to your question. But make sure that you are doing this for the right reasons. You will be losing a lot of functionality by dissolving your domain. Feel free to ask more questions if you are not sure what to do."

See. Simple and helpful at the same time. No 'trying to force change on people' or 'you don't have knowledge to manage it'. There is often more than one correct answer to a problem and it isn't always yours. But I shouldn't have to argue any of this, because I just wanted an answer to a simple question. A question that I got a helpful answer to on a different forum in about 30 minutes.

Thanks for the great welcome for a first time poster. You don't have to post anymore, because I will no longer be monitoring this forum.


Report •

#9
September 19, 2012 at 10:01:30
Maybe it made me look like I didn't know what I was doing

There's no "maybe" about it. You're in over your head and should back out of this before you eff it all up for the client.

There is often more than one correct answer to a problem and it isn't always yours.

True.....and the same applies to you.

The correct answer in this case isn't to bring something in existence that's working down to a level with which you're able to administer it. The correct answer is to politely back out because you're out of your depth and let the company in question hire someone qualified to administer what they have now. OR, you could learn what you need to in order to administer this domain as-is.

Thanks for the great welcome for a first time poster. You don't have to post anymore, because I will no longer be monitoring this forum.

Oh, I suspect you'll be back at least one more time to read my response. I notice how carefully you didn't say what it is you do exactly so I'm guessing in your case "computer engineer" really means you can build computers and troubleshoot hardware/software issues....which explains your position on this particular domain.

Above you said, "It is much too complicated for what they need" Simply put "No, it's not." From an end user point of view....and taking into consideration we're talking about "average" computer users here, not people like me, they will see no difference from a client workstation perspective between domain or workgroup. The big difference is from the administration perspective. Workgroup = more work, Domain = less work.

My final word on the topic is, never be afraid to learn. There's nothing in the world stopping you from learning what you need to know to administer this domain as is. I suspect you're intelligent enough to learn what you need to quite easily. All you need to do is make the effort.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


Report •

#10
September 20, 2012 at 10:34:52
So ragging on the OP is boring, even if his idea is bad and he's being needlessly defensive.

As a thought exercise, what would you need to do in order to decentralize?
• Print servers
If they're Windows based, they'll need their Guest account enabled and their printers set to allow Everyone print access. They'll need to be dedicated to printing, if just for security concerns, so if they were doing anything else (file sharing), they won't be now. You might want to modify the gateway's firewall's rules to forbid any Internet traffic to/from the print servers. You can patch the OS either though off-line patches, or by enabling access during the patch cycle.

• File servers
You'll need to create a local account on each file server for each user. Each user will have to sign into each file server and set their password to the same password as the local machine. For this reason, password expiration is out of the question. Password complexity rules as well, otherwise you risk users writing down a password that never changes. You'll also need to change the ACLs for the files, as mentioned below.

• Local accounts
Obviously, you'll be re-creating accounts locally (probably multiple times, per above), and there's no link between the AD account and the local account.
  ◦ User directory - As <username> is already taken, expect the new directories to be <username>.<computername>. I doubt the users will notice, but this will make your task more difficult.
  ◦ Settings - Easy enough to export from the old account and import into the new account. Be weary, as some settings will reference files in the old path. Don't be surprised if, say, MS Office refuses to run after the migration.
  ◦ Documents - Should be easy enough to copy over to the new profile. After you fix the ACLs, of course.
  ◦ %AppData% - Should be easy enough to copy over to the new profile. Be weary, as some files might reference other files/directories in the old path.
  ◦ File Encryption - Decrypt all files before starting. The decryption key is stored in AD, and AD's going away. Users can re-encrypt after the migration.
  ◦ File Access - The big one. You'll need to go though each directory and each file, looking for the old SID in each ACL and update it to the new SID. Every utility I know that performs this is designed to go from Workgroup to AD, or from AD to AD. I don't know if they'll go from AD to Workgroup. If this was on the Programming forum, I'd tell you to use *KernelObjectSecurity() functions to read, check, and modify the ACL.


Anyone else have any concerns I'm forgetting?

How To Ask Questions The Smart Way


Report •

#11
September 20, 2012 at 12:14:19
If attempting to teach somebody something is "ragging on them" then I guess I'm a bore.

The best help I could give this person was the advice I did give them.....learn what you need to or admit to the company you're in over your head and let them hire someone qualified.

If you wish to help someone who's already said they won't be back, feel free. But I suspect it'll be somewhat like the sound of one hand clapping.

As for your thought experiment. All you need to do is reinstall the OS on the server and do not promote it.....voila, a workgroup.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


Report •

#12
September 20, 2012 at 14:22:35
Telling someone? No.
Being the third person to do so? Possibly.
Using the verb "teaching?" Probably.

As for your thought experiment. All you need to do is reinstall the OS on the server and do not promote it.....voila, a workgroup.
Q: At what step do you apologize for destroying their business data?
A: After discovering their backups are 6-12 months out of date.

How To Ask Questions The Smart Way


Report •

#13
September 21, 2012 at 08:45:20
I've read enough of your posts over time to know you generally know your stuff. Your initial response to this OP and his question leads me to believe you feel as I do, that downgrading a domain to a workgroup isn't the right answer.

Yet here you are suddenly defending him.

So I'm left to conclude you have an issue with me in particular since that's who you've been responding to your last few posts.

Have I done something to offend you?

To the best of my knowledge I haven't.

As to:
Q: At what step do you apologize for destroying their business data?
A: After discovering their backups are 6-12 months out of date.

I will point you back at a previous response of mine which you seem not to have read and I'll quote the pertinent paragraph for you so you don't have to go looking:

Recall I said:
"I helped them pick a server appropriate to their needs and set it up, configured the RAID, did the burn in tests, installed and configured the OS (2003 SBS). Then, I had to recreate their domain on it because they didn't want the name to change. I did so, ported all user accounts, data and the database itself over to the new server and all I had to do was add the client computers to the domain and they were back up and running."

Does that sound like I wouldn't do backups and ensure there was no loss of data?

Since the OP isn't coming back to see this thread, I would respectfully ask you to PM me if you have an issue with me and we can continue this conversation in private.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


Report •

#14
September 21, 2012 at 09:27:10
Yet here you are suddenly defending him.
No I'm not. Where in my posts do I say he should do this or that it's a good idea? Difficulty: Directly quote it. Optional: In a PM.

How To Ask Questions The Smart Way


Report •

#15
September 21, 2012 at 16:26:47
No I'm not.

Well, if you're not defending him then please explain why you're coming after me in this fashion.

Unless this person is a personal friend or familiy member of yours, I fail to see why anything I might say to him would upset you to the point where you feel it necessary to come after me out as you've done.

Again I'll ask you, have I done something to offend or hurt you?

If I had done so on purpose I'm sure I'd remember but I have no memory of ever insulting you or giving you cause to dislike me. I know I have nothing against you and any time we've had conversation here on CN I thought it was always amenable. If I have offended or hurt you it was accidental and I'd like to make amends so please tell me what I've done and we'll talk about it.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


Report •

#16
September 21, 2012 at 16:48:49
Again I'll ask you, have I done something to offend or hurt you?
Eh? Where do I say I'm upset or offended? Unless you mean calling a dog pile boring? Or mentioning that calling an on-line argument "teaching" is not helpful? I wouldn't consider either of those to be a personal attack. I apologize if I've upset or offended you?

How To Ask Questions The Smart Way OH GOD I'M SO CONFUSED!


Report •

#17
September 22, 2012 at 07:08:07
From what I can see, and read, neither you nor paulsep was "dog piling" on him. Neither of you were rude, aggressive, insulting or even sarcastic. You simply tried to help him.

I don't consider me telling the guy he's in over his depth doing so either. Even if I was the third person to come in this thread and comment. It's not unusual to have more than one person chime in and try to help. I supposed it could be taken that way if you wanted but you can't argue I expressed a valid point.

I'm sure you agree with me that he shouldn't be downgrading this domain to a workgroup just because he doesn't understand how to administer a domain. Lke me, I know you understand the benefits of a domain over a workgroup and why even in a small environment like this, a domain is preferable.

I may have responded in an aggressive, sarcastic fashion, if I did it wasn't intentional. I was simply trying to tell the guy he should rethink the situation and either educate himself or step out of the equation.

No, you haven't offended me. Due to things happening in my life in recent weeks I'm likely a little "oversensitive" and may have taken what you said a whole lot more personally than you intended. As it is, I'm struggling at times to maintain focus and not let "life" cause me to lose track of what I have to do every day. In all honesty, I come here as much because it gives me a "break" as to help and learn.

Anyhow, I think it's "nuff said" and I suspect it's me who must ask your forgiveness for taking what you said the wrong way.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


Report •

Ask Question