Re: Local Logon Prevention in W2K / XP

From: FriedTurkey (FriedTurkey.1je0d6_at_mail.webservertalk.com)
Date: 01/24/05

• Next message: tlviewer: "inplace upgrade on dual boot"
• Previous message: S.J.Haribabu: "RE: group policy folder redirection"
• Messages sorted by: [ date ] [ thread ]

Date: Mon, 24 Jan 2005 15:37:12 -0600

In Local Security Settings, under Security Settings/Local
Policies/Security Options, find the policy:

*Interactive Logon: Number of previous logons to cache (in case a
domain controller is not available).*

Set this value to 0 to disable policy cacheing.

Fraser Dickson wrote:
> *Have you tried to enable to the "Always wait for network
> at computer startup and logon".
>
> You can access it under Local Computer Policy - Admin
> Templates - System - Logon
>
> By default, Windows XP does not wait for the network to
> be fully initialized at startup and logon. Existing users
> are logged on using cached credentials, which results in
> shorter logon times. Group Policy is applied in the
> background once the network becomes available.
>
> Regards,
> Fraser - MCP
>
>
> >-----Original Message-----
> >Does anyone know of a way of preventing local logon to a
> machine? Here is the scenario.
> >
> >The computers are networked and GPO policies are in
> force which prevent access to certain portions of the
> computer. However, if the user unplugs the network cable
> the system lets them in after a couple of error messages
> about roaming profiles. Once the logon procedure is
> complete the users can do almost anything they want to
> the local machine... remove software change administrator
> accounts etc.
> >
> >I have edited the local policy to "Log off user if
> roaming profile fails" as I thought this was the problem
> but it is being ignored.
> >
> >I also tried "Deny logon locally" but then the domain
> groups I denied cannot logon interactively whether the
> network cable is unplugged or not.
> >
> >What I want to achieve is to deny local logon to any
> user when the network cable is unplugged. So that they
> are forced to authenticate through the network and hence
> the GPO restrictions will be in place. Can this be done?
> >
> >Thanx in advance
> >.
> > *

--
FriedTurkey
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message156359.html
 

• Next message: tlviewer: "inplace upgrade on dual boot"
• Previous message: S.J.Haribabu: "RE: group policy folder redirection"
• Messages sorted by: [ date ] [ thread ]

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint