Setting Up A Domain Or A Workgroup? Plan For The Future

If you have just one computer, you have the beginnings of a network. With two computers, you definitely have a network. With three computers, you have a workgroup. Beyond that? Consider the benefits of a domain.

Look at the members (people) in your workgroup. Remember that the purpose of networking computers is to share resources (data and/or printers). Do you have a group of people who trust each other, totally, with all shared resources? If so, then you can set up an open workgroup, with no reservations. And you can, generally, use Guest authentication.

If you can't trust everybody with all shared resources, you will have to set up non-Guest authentication (who is this person?) and authorisation (should this person access this resource?). Without a domain to provide authentication, you have to set up an account for each person on one or more clients and on one or more servers. With a domain, it's simply a matter of adding one more domain account.

Account and password maintenance, in a workgroup environment, can be a real experience.

  • You have to create an account, with an identical password, on each client and on each server.
  • You have to change a password on each client, and each server, simultaneously. The account owner has to be logged off on each client, while you do this, or face password conflicts.
  • When somebody leaves the group, you have to delete their account on each client and server.

With a domain, again, you just add the domain account, change its password, or delete it.

Will you possibly have people sharing each other's computers from time to time? Will you have people accessing shared resources on more than one computer? Will you have group turnover, where one person leaves the group, and is replaced by somebody else? Will you have staff sharing each other's account / password (you know folks shouldn't share passwords, but eventually they will)?

For that matter, how does a workgroup member change his / her password on the servers? Surely you wouldn't want each person walking up to the server, and logging themselves in, locally, for a simple password change?

And how about the need for one person to have unrestricted access to each computer? Any LAN of any size needs an administrator. The administrator account has to be on each computer. Proper security procedures demand regular changing of the administrator password - but how do you do that on each computer?

Besides the people-related issues, how about the network layout? Is your workgroup likely to span multiple subnets? If so, you will need a domain. Be aware of issues involved with Browsing Across Multiple Subnets.

There is one show stopper here. If you have computers running XP Home, you might as well stick with the workgroup. Computers running XP Home can't join a domain.

Now, setting up a domain shouldn't be done casually. The initial expense and setup of a domain are significant. Minimally, you need:

  • A dedicated server (not shared as somebody's desktop computer).
  • A server Operating System.
  • Server administration techniques. Since the server is depended upon by each person, it is proportionally more important to keep it secure and stable.

Setting up Server 2003, and a domain, is a lot more work than setting up a single Windows XP host. Maintaining a server is a little more work than maintaining a single personal computer. But, as soon as you see how simple it is to add or update a new person in a domain, compared to adding or updating multiple clients and servers in a workgroup, you'll see that it's worth the initial and ongoing complications.

In short, a workgroup setup makes sense for a group that is:

  • Trusting of each person.
  • Small.
  • Not sharing multiple resources.
  • Static.
  • Mostly made up of computers running XP Home.

My personal experience? If you have more than 4 or 5 computers or people, you will, eventually, end up with one or more problems with the limitations listed above. You can maybe work around each of those limits procedurally; and if you have enough time and patience (by the staff, and whoever maintains the LAN), none of them will matter too much. If you need to move somebody from one computer to another, you can use the Files and Settings Transfer Wizard to make the process almost scriptable.

But, if you have ever administered a workgroup of any size, with any staff turnover, secreting of data, and/or sharing of computers, you will know that a domain, with a simple procedure to set up and maintain each account, makes more sense in the long run.