Re: Running Login Script Problems
From: MatthewL (MatthewL_at_discussions.microsoft.com)
Date: 07/03/04
- Next message: R. Paulson: "Users can't see Network"
- Previous message: Frank: "Re: Bandwidth Limiting"
- In reply to: Oli Restorick [MVP]: "Re: Running Login Script Problems"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 3 Jul 2004 09:22:01 -0700
Thank you for the resolution on the scripts.
About the trojan:
I only create domain admin accounts from the server to use on the workstations. I understand what you are talking about. That's good information though. Thank you for all your help.
"Oli Restorick [MVP]" wrote:
> Hi Matthew
>
> You will need to place it on all domain controllers, as any domain
> controller could be performing the login.
>
> The trojan issue I was referring to is that others may plant some commands
> on a workstation to run at login when a domain admin logs in to create
> themselves a new domain admin account. It's trivially easy to do and
> doesn't require anyone else to be on the network while you're logging in.
> It depends on your environment as to whether you think this is a real risk.
> If you're running a school or university network, then it's quite possible
> that you'd be a victim of this sort of attack.
>
> Oli
>
>
> "MatthewL" <MatthewL@discussions.microsoft.com> wrote in message
> news:BEA74A5B-17B4-4936-94E9-BAAFC8ADEA71@microsoft.com...
> > The PDC is the only server that has the script on it. I have not placed
> > it on the BDC.
> >
> > The special account I used is only when I run scripts. It is disabled as
> > soon as I am done with the specific task in hand. I only use it when I am
> > in the area and not for longer than I need it. I also make sure no one
> > else is on the network when I perform these tasks.
> >
> > Thank you for your response.
> > MatthewL
> >
> > "Oli Restorick [MVP]" wrote:
> >
> >> Have you replicated the login script to all your DCs' netlogon shares?
> >>
> >> If the "special account" is a domain admin account, you're asking for
> >> someone to place a trojan on one of the PCs to gain domain admin rights.
> >>
> >> Oli
> >>
> >>
> >>
> >> "MatthewL" <MatthewL@discussions.microsoft.com> wrote in message
> >> news:55FA0044-997F-47AF-AB36-72B7809BD2B7@microsoft.com...
> >> > Our current setup is WINNT Server and 2000 Professional workstations.
> >> > We have one domain on a single broadcast domain. All the computers
> >> > include the same image from a network deployment. Every computer also
> >> > has the exact same hardware configuration.
> >> >
> >> > This specific event will explain my question. I need to run a patch on
> >> > all my computers (30) in a lab. On the PDC, I add a special account
> >> > with admin rights and have it run a login script. I try to login all
> >> > computers in the room with this new account and I get the following
> >> > results: The first half of the computers login and run the script with
> >> > no problems. The remaining computers in the room do not recognize the
> >> > new account. After rebooting these computers, they will login but will
> >> > not run the script. After rebooting another time, the script still does
> >> > not run. All the computers include the same image from a network
> >> > deployment. Every computer also has the exact same hardware
> >> > configuration.
> >> >
> >> > I have been dealing with this issue for some time now and need to find
> >> > a resolution to make things easier for me. Please let me know if you
> >> > have seen this or know what needs to be done to change this.
> >> >
> >> > Thank you for your time.
> >> >
> >> > MatthewL
> >> > Network Coordinator
> >>
> >>
> >>
>
>
>
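The reply above says the login script has to be on every domain controller's NETLOGON share, because any DC may handle the logon. As an added example (not part of the thread), this Python check reports which DCs lack the script or hold a copy that differs from the reference DC's. The DC names, the script name patch.bat and the temp folders standing in for each DC's NETLOGON share are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def script_digest(path):
    """SHA-256 of the script, or None when that DC has no copy."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except (FileNotFoundError, NotADirectoryError):
        return None  # access or network errors propagate on purpose


def audit_logon_script(shares, script_name, reference_dc):
    """Compare script_name on every DC with reference_dc's copy.

    shares maps a DC name to the root of its NETLOGON share.
    Returns {dc: "ok" | "missing" | "differs"}.
    """
    expected = script_digest(Path(shares[reference_dc]) / script_name)
    if expected is None:
        raise FileNotFoundError(f"{script_name} is not on {reference_dc}")
    report = {}
    for dc, root in shares.items():
        digest = script_digest(Path(root) / script_name)
        if digest is None:
            report[dc] = "missing"
        elif digest != expected:
            report[dc] = "differs"
        else:
            report[dc] = "ok"
    return report


def demo():
    """Constructed sample: temp folders stand in for three NETLOGON shares."""
    with tempfile.TemporaryDirectory() as tmp:
        shares = {dc: Path(tmp) / dc for dc in ("PDC1", "BDC1", "BDC2")}
        for root in shares.values():
            root.mkdir()
        (shares["PDC1"] / "patch.bat").write_bytes(b"@echo off\r\nrem v2\r\n")
        (shares["BDC2"] / "patch.bat").write_bytes(b"@echo off\r\nrem v1\r\n")
        # BDC1 gets no copy, matching the thread (script only on the PDC).
        return audit_logon_script(shares, "patch.bat", "PDC1")


if __name__ == "__main__":
    for dc, status in demo().items():
        print(f"{dc:6} {status}")
```

For real use, pass each DC's actual NETLOGON share path in `shares` in place of the temp folders. A "differs" result is also worth investigating as a possible unauthorized change to the script.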