Re: Group Policy Logon Script



If that is the case, these Vista (business edition) machines may have been
set up incorrectly. As I indicated earlier, the machines are connected to a
corporate LAN, so during initial setup, a network cable was connected. During
setup, each computer was given a name (e.g. LocalVista), and an
'administrator' account (jdoe) had to be set up, based on the initial
configuration screens. After setup was complete, the 'secret' administrator
account (ala XP) was enabled, the LAN's administrator account (Snoop) was
added as an administrator on LocalVista, and the jdoe account was deleted.
This should have left us with Snoop as the only account on LocalVista. To
log in to the corporate domain, users have to input their username/password,
with the username in the username@domainname syntax. When users use the
correct username syntax, the name of the corporate domain appears under the
username/password fields. What we're finding is that when users forget to use
this syntax, and enter their username WITHOUT the '@domainname', LocalVista
appears below the username/password fields and the user is logged in. Mind
you that if Snoop (corporate and LocalVista administrator) logs into
LocalVista, that account is the only one listed under User accounts.

"Costas" wrote:

If the user doesn't have a local account, they won't be able to log in
locally to the computer. Let's say you have a user account with the name
jdoe. When the user types domain\jdoe they will log in to the domain.
Unless a local account exists with the name 'jdoe' the user won't be able to
connect locally to the computer (by 'locally' I mean using the
'computername\username' login).

--
Costas


"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:329F9AA2-100E-4D79-B2ED-6C9D01D93733@xxxxxxxxxxxxxxxx
Thanks for discussing this situation with me. Is there a policy/script (for
Vista) we could implement which would allow users to log into the account on
the domain, but deny them access to the account on the computer?

"Costas" wrote:

Ask the users to log in using the domain prefix (e.g. DOMAIN\USERNAME).
After they do that, the next time they can use just USERNAME and they will
be able to log in to the domain.

If you, as the administrator, try to log in to a computer using just the
account 'Administrator', the log in will default to the computer name,
instead of the SBS domain. That's because there are two accounts, one on
the computer and one in the domain.

--
Costas


"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:885CC120-85C2-4AA2-9A2D-F6932A5847EB@xxxxxxxxxxxxxxxx
From what I can tell, the local computer is also a 'domain' so to speak.
Normally, when you initially install Vista (business edition), you give the
computer a name. When you connect the computer to a corporate network, the
company's domain comes into play. Now there are two 'domains,' the computer's
name and the company domain.

What I'm finding is that when a user types in her username, without the
@domain, the computer's name appears below the username/password boxes. Does
this not log the user into the local computer? This is what we're trying to
avoid. Basically, if the user does not log in, using the
'username@domainname' as her username, we want the user to be unable to use
the computer.

"Costas" wrote:

No, this isn't what I said. If a user types "Administrator", Vista will
default to the local computer administrator account. For someone to log on
using the domain Administrator account, they will have to type
"Domain\Administrator".

For any other domain account, the first time they have to type
'Domain\AccountName', and from that point on, every time they want to log
on, they don't have to type the domain name. Just the 'Account Name' will
be enough (if you look just below the text boxes where the account name and
password are typed, the name of the domain will already be listed there).

--
Costas


"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3A91A891-CCAE-4DD9-99F8-9BC3075E3EA8@xxxxxxxxxxxxxxxx
'Domain' = the name of the company network
'Local' = the computer itself.

There is an Administrator account in Domain and an Administrator account in
Local. Are you indicating that if the Local Administrator account is renamed
something other than Administrator, no user will be able to log into Local by
simply entering their username (without Domainname) and password? In fact,
since users are required to log into the Domain, using the
username@Domainname and password combination, if the user forgets to include
the Domainname when signing on, that user should get an error/warning that the
user input is incorrect.

"Costas" wrote:

If there is a local user account with the same name as the domain account,
the computer will pick up the local account. For example, if you type
"Administrator", it will default to the local Administrator. But if you
type "Domain\user" the next time the user logs to the same workstation then
the username should be there waiting for the password.

If they want to type a different user name, then the domain name should be
below the input textboxes next to the label "Log on to:" so they type just
the user name.

--
Costas


"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3FE20FB0-968A-4DE2-A6FA-DD1539FF4F0D@xxxxxxxxxxxxxxxx
I'm going to plant this question here, since this thread seems to touch on
Group Policy login/off issues.

Vista (business ed) in a corporate domain. I'm trying to limit user access
to the local computer. Users have to enter 'domain\username' and password to
log into the network. I find that if a user enters his username (without the
domain\) and password, the user logs into the local computer, in spite of the
fact that there is only the Administrator account set up on the local
computer.
Is it possible to stop users, who do not have administrator level access,
from logging into the local computer?
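
The question running through this thread is whether a logon typed without the domain actually authenticates against the workstation's local account database. The script below is an added example, not part of any post in the thread: it lists the local accounts that exist and flags recent interactive logons whose account domain is the computer name. It assumes PowerShell 2.0 or later is installed, an elevated prompt, and that success auditing of logon events is enabled; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated prompt:
# reading the Security log requires administrator rights.
$computer = $env:COMPUTERNAME

# 1. Accounts that exist in this machine's local account database (SAM).
function Get-LocalAccountList {
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object Name, Disabled, SID
}

# 2. Successful interactive logons (event 4624; logon type 2 = console,
#    11 = cached domain credentials), flagged by where they authenticated.
function Get-InteractiveLogon {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Flatten the event's <Data Name="..."> elements into a hashtable.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if (@('2', '11') -contains $data['LogonType']) {
                # A local-account logon records the computer name as its domain.
                $isLocal = ($data['TargetDomainName'] -eq $computer)
                New-Object PSObject -Property @{
                    Time         = $evt.TimeCreated
                    Account      = $data['TargetUserName']
                    Domain       = $data['TargetDomainName']
                    LogonType    = $data['LogonType']
                    LocalAccount = $isLocal
                }
            }
        }
}

Get-LocalAccountList | Format-Table -AutoSize
Get-InteractiveLogon |
    Sort-Object Time -Descending |
    Select-Object Time, Account, Domain, LogonType, LocalAccount |
    Format-Table -AutoSize
```

Rows with `LocalAccount` set to `True` for any name other than the expected local administrator are the logons the original poster is trying to rule out.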

