Re: Require Domain Controller authentication to unlock
- From: "Marc K" <marck@xxxxxxxxxxx>
- Date: Wed, 7 Oct 2009 08:11:01 -0400
If the two options operated as the documentation indicates, that could lead
to an interesting situation. The user could log in to an off-network PC
with cached credentials, but then be unable to unlock it later on.
"R. vd Horn" <RvdHorn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5528FFAF-386A-4165-8D17-46AD2164F7DE@xxxxxxxxxxxxxxxx
Hello Meinolf,
If the number of cached credentials has to be set to 0 a DC is always
needed to authenticate. The required DC setting would be useless (like it
seems now). The required DC setting should force DC authentication even if
there are cached credentials.
Interactive logon: Require Domain Controller authentication to unlock:
Logon information must be provided to unlock a locked computer. For domain
accounts, this security setting determines whether a domain controller
must be contacted to unlock a computer. If this setting is disabled, a
user can unlock the computer using cached credentials. If this setting is
enabled, a domain controller must authenticate the domain account that is
being used to unlock the computer.
It has worked like the MS description but it doesn't anymore.
Setting the number of cached credentials to 0 works for me so I'll keep it
that way.
Thanks for your replies.
"Meinolf Weber [MVP-DS]" wrote:
Hello R. vd Horn,
If I understand both settings, there is a kind of relationship, as long
as you don't set it to 0 for cached credentials it will not contact the DC.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,
The GPO is fully applied and the users are all restricted users.
Whether the setting is enabled or disabled it has no effect on the
behaviour.
The only thing I can do to prevent users from unlocking the
workstation without a DC is to set the number of cached logons to 0.
This works for now but it worries me that the DC required setting
seems to be ignored.
"Meinolf Weber [MVP-DS]" wrote:
Hello R. vd Horn,
If you run rsop.msc or gpresult /v logged on as domain user, can you
see the GPO is applied with all settings? Are your users local admin?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
We have enabled the policy 'Interactive logon: Require Domain
Controller Authentication to unlock' but users can still unlock
their Windows XP workstations when a domain controller is NOT
present.
Enabling or disabling the policy has no effect.
It used to work like it is supposed to and policies have not been
changed since it worked well.
Windows Server 2003 R2 and Windows XP Pro SP2 and SP3 workstations
with all the latest updates applied.
What's wrong here?
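
Added example, not part of the thread: a PowerShell check of the two Winlogon registry values that back the settings discussed above (ForceUnlockLogon and CachedLogonsCount), with the offline behaviour the quoted documentation describes for each combination. The function names are hypothetical, the sample combinations are constructed, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example; function names are hypothetical, not from the thread.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Resolve-OfflineBehaviour {
    # What the documentation quoted in the thread says should happen
    # when no domain controller is reachable.
    param(
        [int]$ForceUnlockLogon,   # 1 = "Require DC authentication to unlock" enabled
        [int]$CachedLogonsCount   # "Number of previous logons to cache"
    )
    $offlineLogon  = $CachedLogonsCount -gt 0
    $offlineUnlock = $offlineLogon -and ($ForceUnlockLogon -ne 1)
    New-Object PSObject -Property @{
        ForceUnlockLogon  = $ForceUnlockLogon
        CachedLogonsCount = $CachedLogonsCount
        OfflineLogon      = $offlineLogon
        OfflineUnlock     = $offlineUnlock
        # Cached logon succeeds off-network, later unlock is refused
        LogonButNoUnlock  = ($offlineLogon -and -not $offlineUnlock)
    }
}

function Get-UnlockPolicyState {
    # Reads the values present on this machine, independent of what
    # rsop.msc or gpresult report for the GPO.
    param([string]$Path = $WinlogonKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing value means the Windows default (0 and "10").
    $force = if ($null -ne $p.ForceUnlockLogon) { [int]$p.ForceUnlockLogon } else { 0 }
    # CachedLogonsCount is stored as a string (REG_SZ).
    $count = if ($null -ne $p.CachedLogonsCount) { [int]$p.CachedLogonsCount } else { 10 }
    Resolve-OfflineBehaviour -ForceUnlockLogon $force -CachedLogonsCount $count
}

# Constructed combinations, evaluated without touching the registry.
$cases = @(
    @{ ForceUnlockLogon = 0; CachedLogonsCount = 10 },  # defaults
    @{ ForceUnlockLogon = 1; CachedLogonsCount = 10 },  # policy enabled
    @{ ForceUnlockLogon = 0; CachedLogonsCount = 0 }    # workaround used in the thread
)
$cases | ForEach-Object { $c = $_; Resolve-OfflineBehaviour @c } |
    Format-Table ForceUnlockLogon, CachedLogonsCount, OfflineLogon,
                 OfflineUnlock, LogonButNoUnlock -AutoSize

# On the affected workstation itself:
# Get-UnlockPolicyState
```

If Get-UnlockPolicyState shows ForceUnlockLogon as 1 on a workstation that still unlocks with no DC reachable, the setting reached the client and the problem lies in enforcement rather than in GPO delivery.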