Question Regarding Remote, Non-DC Joined Workstations
Hello, my question is a pretty general one and really I'm just looking for some insight on why something is working when I expect that it shouldn't work.
We have one domain controller (Server 2003) which plays host to all of the PCs at this one location; we also have 5 off-site locations that are not joined to the domain and instead operate as individual workgroups. For the sake of being descriptive, all of the workstations run Windows XP SP3. They have UNC path level access to network resources and can map drives but again, these computers and user accounts do not authenticate to the DC.
We have a software program that is used at all of our locations; the software database is hosted on the DC and accessed by all of the computers in our organization, on-site, off-site, etc. One element of our software allows us to push program-specific updates to all of our workstations, and we are able to select the credentials the program calls on to install the updates as soon as the end user launches the program on their workstation. Since all of our workstations have the same local Administrator account and password information (not necessarily a best practice, I know, but that's how it is), configuring the update program to use Local Administrator credentials should work to perform these installations. For the software's data folder on every user's local machine, permissions are set to allow Everyone the Full Control set of permissions, which is by design since they have to save images and receipts within subfolders.
However, more often than not, all of our off-site locations seem to fail when these install processes start and they receive a message saying they do not have rights/privileges to perform this installation. On-site, we have no issues and the Local Administrator account information gets the job done every time, but off-site it fails.
Yesterday, I had a series of mission-critical updates I needed to push to 2 of the 5 off-site locations and since my only other alternative is hopping in my car and driving there in person, I elected to try one more time and throw up the Hail Mary pass, so I configured their setup to use the Domain Administrator's account and password instead. Since they are not joined to the domain and function as standalone workgroups with only UNC/Mapped Drive level access to network resources, I assumed it wouldn't work, but I phoned up one of the managers and had them launch their software and the updates installed for them without giving the "insufficient rights/privileges" error. This held true for the other location as well.
What this very lengthy write-up boils down to is this: Why would the Domain Admin credentials work to install software on a non-DC joined computer? The only connection that I can make between these workstations and the DC is that the software database they used is accessed via dedicated ports assigned in their host files, but for all intents and purposes they are not authenticated, they are not joined and are not tied to AD in any way. Yet these credentials worked when Local Administrator credentials would not. Any thoughts as to why this is the case and any explanation as to what drives this would be greatly appreciated since I am completely bewildered - albeit pleased in this case - that this is happening.
Thanks, Gabe
May 21st, 2010 7:44pm

Hello, Thank you for your post here. From the description, you have an issue where remote non-joined clients can only access and install the updates with the domain admin account, even when the share on the DC is granted Everyone Full Control permissions.
1. What will happen if you copy the updates from the UNC share and install them locally?
2. Will the installation work if you provide the domain user account instead of the domain admin account?
Could you please provide the detailed steps to reproduce the issue, which I can follow to run a test on my side? If you have any questions or concerns, please do not hesitate to let us know.
May 24th, 2010 6:19am

Hi Miles, So far, if I take one of the .exe files for our updates and set it to a mapped drive location/UNC accessible location and Run As the local administrator on one of these computers, it works fine. I have not yet had the opportunity (or the thought, previously) to try the installation as the domain administrator on one of our non-joined workstations but I will try that today and update this post. Once I try this and get a result, I'll let you know what I've done step by step. Again, this isn't mission critical by any means but I just can't think of any logical reason that a Domain Admin's credentials should work for a non-domain joined workstation. I appreciate your response and I'll post as soon as I try it both ways to see what happens. Thanks, Gabe
May 24th, 2010 4:05pm
