Re: Forcing mobile users to log into Domain account when in workplace
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 19 May 2007 13:12:46 -0500
"Chris P" <chris@xxxxxxxxxxx> wrote in message
news:1179575616.802435.271990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your reply, Martin.
> The idea behind the usage of two separate accounts on each user's
> laptop is more of a practical sense.

Generally it is not a good idea. Two profiles, two SIDs with differing
ownership/permissions, etc.

> The local (laptop) account will be used when the user is at home. The
> user has the ability to install applications he might want to use at
> home. This gives him the ability to work with the machine almost
> without limitations.

If you allow this, you might as well allow the user to install them for
both accounts -- or rather for the ONLY account.

> The local user account will be part of the 'Power
> Users' of the local machine.

Just make the domain account a Power User.

> The domain account is to be used only for work. The user won't be able
> to install any programs that are not related to his working
> environment.

So what, he has the other account and can run whatever he wishes from
it -- anytime. It just isn't convenient.

> The domain user has no additional privileges to install
> or change settings under the domain account - restricting considerably
> how much he can do, that's not related to his work.

With RunAs he can probably do most anything either account allows --
again, it just isn't convenient. There is no real security advantage to the
restricted settings once you give out the other account.

> I need to figure a way to force the user to log into his domain account
> when he connects his laptop at the office, not allowing him access to
> the local computer account.

Take away the local account -- it's the right thing to do anyway.

> As a side note, I've also been looking into 802.1x, which looks
> promising, but the problem with it is that when enabled, it works for
> all accounts on the laptop. As an alternative, if I could enable
> 802.1x only when the user is logged into his domain account (locally
> cached as you mentioned), then he can enter his username / password
> and gain access to the network. If he logs into the local user account
> and the 802.1x is disabled for that account, he can't join the
> network.
> Your thoughts and comments are appreciated.
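Herb's advice comes down to a machine state an administrator can check: no enabled local accounts on the laptop beyond the built-in ones, and the domain account holding whatever local group membership (Power Users) it needs. The PowerShell audit below is an added example, not code from either poster. It assumes a current Windows build with the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember), which did not exist on the systems this 2007 thread discusses, an elevated prompt, and that the $BuiltInAccounts list matches your image.

```powershell
# Added example (not from the thread). Assumes Windows 10 / Server 2016 or
# later with the Microsoft.PowerShell.LocalAccounts module; run elevated.

# Built-in local accounts expected on every machine (assumption: adjust to
# your image). Any other enabled local account is the kind Herb suggests
# taking away.
$BuiltInAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

function Get-ExtraLocalAccounts {
    # Enabled machine-local accounts that are not in the expected set.
    Get-LocalUser |
        Where-Object { $_.Enabled -and ($BuiltInAccounts -notcontains $_.Name) } |
        Select-Object Name, SID, LastLogon
}

function Get-PrivilegedLocalGroupMembers {
    # Who sits in Power Users / Administrators, and whether each member is a
    # machine-local principal or a domain (ActiveDirectory) one.
    foreach ($group in 'Power Users', 'Administrators') {
        try {
            Get-LocalGroupMember -Name $group -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group       = $group
                        Member      = $_.Name
                        Source      = $_.PrincipalSource   # Local or ActiveDirectory
                        ObjectClass = $_.ObjectClass       # User or Group
                    }
                }
        } catch {
            # 'Power Users' may be absent on some editions; report and continue.
            Write-Warning "Cannot read group '$group': $($_.Exception.Message)"
        }
    }
}

$extra = Get-ExtraLocalAccounts
if ($extra) {
    Write-Host "Enabled local accounts beyond the built-in set (candidates to disable):"
    $extra | Format-Table -AutoSize
} else {
    Write-Host "No extra local accounts enabled."
}

Write-Host "`nLocal privileged group membership:"
Get-PrivilegedLocalGroupMembers | Format-Table -AutoSize
```

The Source column is the useful one here: a row with Source Local in Power Users is exactly the second account Herb argues against, while a domain account in that group is the single-account setup he recommends. Once the list is reviewed, Disable-LocalUser -Name <account> retires a local account without deleting its profile, so nothing is lost if the decision has to be reversed.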