Re: Blocking accounts on local machine

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/12/04


Date: Fri, 12 Mar 2004 06:48:09 -0700

Logging in and getting recycled back to the login prompt is
normal behavior when the login setup cannot run (script
errors, failure to access needed executables, etc.).

This sounds like the GPO(s) that apply to the machine have
Restricted Groups defined, particularly for the Users group
of the local machine. If this is so, keep in mind that use of
a Restricted Group definition is giving the exact membership
of the group (and optionally of what the group itself is a member).
It is not additive to anything, but a complete stand-on-its-own
statement of the membership.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Luke" <anonymous@discussions.microsoft.com> wrote in message
news:bda001c40817$807ef350$a101280a@phx.gbl...
> Hi Roger,
>
> Sorry, let me correct my question.  After we created a
> local account on a joined workstation, ran the secedit
> commands locally and restarted the machine, we tried to
> sign on with the newly created local account.  It accepts
> the uid and pswd and it shows the typical logging status
> screen, then it shows 'saving user setting' and brings the
> screen right back to the alt-ctrl-del login prompt.
>
> So we signed on to the machine w/local admin account and
> checked the newly created local account's settings; we
> noticed the account does not belong to any groups.  The
> GPO has wiped out the group membership for that account.
> We tried to add back the groups but the problem reoccurs
> after reboot.  Not sure where (GPO) I should adjust to
> avoid this issue.  Thank you.
>
> regards,
> Luke
>
> >-----Original Message-----
> >Can you narrow this down.
> >When you log in to the joined machine with an admin
> >account and examine the security logs for messages from
> >attempts to log in with the previously defined local account
> >(assuming that you are auditing logon events) what is being
> >recorded ?  Anything?
> >What is the message that you received when attempting the
> >failed login ??
> >
> >There are a few things that might be applied from AD-based
> >GPO to control what accounts can use a machine.  However,
> >you also have said that the account seems to no longer exist.
> >If that is so, this is something that is not a capability of the GPO
> >policies.
> >
> >So, is the account gone, or just not able to log in?  If the last then
> >why (event log messages)?
> >
> >Examine the GPO's that apply to the machine for User Rights and
> >for Restricted Groups policies.
> >
> >-- 
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >"Luke" <anonymous@discussions.microsoft.com> wrote in message
> >news:84da01c403fb$dbe55150$a501280a@phx.gbl...
> >> Hi all,
> >>
> >> When we rebuilt a workstation we created one local user
> >> account in addition to the built-in administrator.
> >> However, after joining the machine to the domain with GPO
> >> applied, we noticed the account created locally can't be
> >> used, it won't accept the password and we could only use
> >> the built-in admin instead.
> >>
> >> We also tried to remove the machine from the domain but I
> >> guess the account we'd created has been reset by the
> >> GPO.  Anyone know which policy I should look into to
> >> prevent the local machine accounts being reset?  Thank
> >> you.
> >>
> >> Luke
> >
> >
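
The Restricted Groups behaviour described in this thread (a "Members" list is the complete membership of the group; a "Memberof" list only adds the group to other groups) can be checked on the affected workstation. The script below is an added diagnostic, not code from the thread or from Microsoft; it assumes an elevated session, that `secedit /export /areas GROUP_MGMT` writes the merged policy as a `[Group Membership]` section in GptTmpl.inf syntax (`*SID__Members = ...` / `*SID__Memberof = ...`), and the `Get-LocalGroupMember` cmdlet from the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added diagnostic (not from the thread). Assumes an elevated PowerShell session on the
# affected workstation and that secedit's GROUP_MGMT area exports the merged Restricted
# Groups policy as a [Group Membership] section (*SID__Members / *SID__Memberof lines).
$inf = Join-Path $env:TEMP 'restricted-groups.inf'
secedit /export /cfg $inf /areas GROUP_MGMT /quiet | Out-Null

# Turn "*S-1-5-32-545" into "BUILTIN\Users"; leave plain names and unresolvable SIDs as-is.
function Resolve-Principal([string]$Value) {
    $v = $Value.Trim().TrimStart('*')
    if ($v -notmatch '^S-1-') { return $v }
    try {
        (New-Object Security.Principal.SecurityIdentifier($v)).Translate([Security.Principal.NTAccount]).Value
    } catch { $v }
}

# Parse the policy: group -> @{ Members = exact list or $null; Memberof = list or $null }
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
        $rawGroup, $kind, $rawList = $Matches[1], $Matches[2], $Matches[3]
        $group = Resolve-Principal $rawGroup
        if (-not $policy.ContainsKey($group)) { $policy[$group] = @{ Members = $null; Memberof = $null } }
        $policy[$group][$kind] = @($rawList -split ',' | Where-Object { $_.Trim() } |
                                   ForEach-Object { Resolve-Principal $_ })
    }
}

# A Members list is the complete membership: anyone currently in the local group but not
# on the list (e.g. a locally created account in Users) is dropped at the next policy refresh.
# A Memberof list only adds this group to the listed groups and removes nobody.
foreach ($group in $policy.Keys) {
    $p = $policy[$group]
    if ($null -ne $p.Memberof) { "$group is added to: $($p.Memberof -join ', ') (additive)" }
    if ($null -eq $p.Members) { continue }
    "$group membership is enforced as exactly: $($p.Members -join ', ')"
    $localName = $group -replace '^BUILTIN\\', ''
    $current = @(Get-LocalGroupMember -Group $localName -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })
    foreach ($m in $current) {
        if ($p.Members -notcontains $m) { "  $m is a member now but will be removed by policy" }
    }
}
```

The fix on the GPO side is then either to add the local account (or a group containing it) to that "Members" list, or to use only a "Memberof" definition where the intent is to add a domain group to a local group rather than to replace its membership.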

