Re: Group Policy Logon Script



You made me doubt myself :-) I logged off my personal computer (Vista Ultimate) and I tried to log in as costas@xxxxxxxxxxxxx. I did successfully. I tried to mistype the id intentionally, and I couldn't get in at all. Then I switched to a different id, and didn't type the domain, e.g. joedoe.

I looked at the bottom of the screen; the domain name remained there, the computer name didn't replace the domain name. Is it possible that somewhere in the local groups, you have 'Domain Users' listed? I assume you joined the computers to the domain using ConnectComputer, right?

I can do some further testing off-hours on a couple of different networks, but the only time I have seen that is with the Administrator account, which if you don't qualify with the domain name it is defaulting to the local admin account. Unless of course there are local users with the same ids.

--
Costas


"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:710B837B-D718-4A5F-8DC4-DAEF931B10A5@xxxxxxxxxxxxxxxx
If that is the case, these Vista (business edition) machines may have been
set up incorrectly. As I indicated earlier, the machines are connected to a
corporate LAN, so during initial setup, a network cable was connected. During
setup, each computer was given a name (eg. LocalVista), and an
'administrator' account (jdoe) had to be set up, based on the initial
configuration screens. After setup was complete, the 'secret' administrator
account (ala XP) was enabled, the LAN's administrator account (Snoop) was
added as an administrator on LocalVista, and the jdoe account was deleted.
This should have left us with Snoop as the only account on LocalVista. To
login to the corporate domain, users have to input their username/password,
with the username in the username@domainname syntax. When users use the
correct username syntax, the name of the corporate domain appears under the
username/password fields. What we're finding is that when users forget to use
this syntax, and enter their username WITHOUT the '@domainname', LocalVista
appears below the username/password fields and the user is logged in. Mind
you that if Snoop (corporate and LocalVista administrator) logs into
LocalVista, that account is the only one listed under User accounts.

"Costas" wrote:

If the user doesn't have a local account, they won't be able to log in
locally to the computer. Let's say you have a user account with the name
jdoe. When the user types domain\jdoe they will log in to the domain.
Unless a local account exists with the name 'jdoe' the user won't be able to
connect locally to the computer. (by 'locally' I mean using the
'computername\username' login)

--
Costas


"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:329F9AA2-100E-4D79-B2ED-6C9D01D93733@xxxxxxxxxxxxxxxx
> Thanks for discussing this situation with me. Is there a policy/script (for
> Vista) we could implement which would allow users to log into the account on
> the domain, but deny them access to the account on the computer?
>
> "Costas" wrote:
>
>> Ask the users to log in using the domain prefix (e.g. DOMAIN\USERNAME).
>> After they do that, the next time they can use just USERNAME and they will
>> be able to log in to the domain.
>>
>> If you, as the administrator, try to log in to a computer using just the
>> account 'Administrator', the log in will default to the computer name,
>> instead of the SBS domain. That's because there are two accounts, one on
>> the computer and one in the domain.
>>
>> --
>> Costas
>>
>>
>> "RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:885CC120-85C2-4AA2-9A2D-F6932A5847EB@xxxxxxxxxxxxxxxx
>> > From what I can tell, the local computer is also a 'domain' so to speak.
>> > Normally, when you initially install Vista (business edition), you give the
>> > computer a name. When you connect the computer to a corporate network, the
>> > company's domain comes into play. Now there are two 'domains,' the computer's
>> > name and the company domain.
>> >
>> > What I'm finding is that when a user types in her username, without the
>> > @domain, the computer's name appears below the username/password boxes. Does
>> > this not log the user into the local computer? This is what we're trying to
>> > avoid. Basically, if the user does not log in, using the
>> > 'username@domainname' as her username, we want the user to be unable to use
>> > the computer.
>> >
>> > "Costas" wrote:
>> >
>> >> No this isn't what I said. If a user types: "Administrator", Vista will
>> >> default to the local computer administrator account. For someone to log on
>> >> using the domain Administrator account, they will have to type:
>> >> "Domain\Administrator".
>> >>
>> >> For any other domain account, the first time they have to type
>> >> 'Domain\AccountName', and from that point on, every time they want to log
>> >> on, they don't have to type the domain name. Just the 'Account Name' will
>> >> be enough (If you look just below the text boxes where the account name and
>> >> password are typed, the name of the domain will already be listed there).
>> >>
>> >> --
>> >> Costas
>> >>
>> >>
>> >> "RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:3A91A891-CCAE-4DD9-99F8-9BC3075E3EA8@xxxxxxxxxxxxxxxx
>> >> > 'Domain' = the name of the company network
>> >> > 'Local' = the computer itself.
>> >> >
>> >> > There is an Administrator account in Domain and an Administrator account in
>> >> > Local. Are you indicating that if the Local Administrator account is renamed
>> >> > something other than Administrator, no user will be able to log into Local by
>> >> > simply entering their username (without Domainname) and password? In fact,
>> >> > since users are required to log into the Domain, using the
>> >> > username@Domainname and password combination, if the user forgets to include
>> >> > the Domainname when signing on, that user should get an error/warning that the
>> >> > user input is incorrect.
>> >> >
>> >> > "Costas" wrote:
>> >> >
>> >> >> If there is a local user account with the same name as the domain account,
>> >> >> the computer will pick up the local account. For example, if you type
>> >> >> "Administrator", it will default to the local Administrator. But if you
>> >> >> type "Domain\user" the next time the user logs to the same workstation then
>> >> >> the username should be there waiting for the password.
>> >> >>
>> >> >> If they want to type a different user name, then the domain name should be
>> >> >> below the input textboxes next to the label "Log on to:" so they type just
>> >> >> the user name.
>> >> >>
>> >> >> --
>> >> >> Costas
>> >> >>
>> >> >>
>> >> >> "RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:3FE20FB0-968A-4DE2-A6FA-DD1539FF4F0D@xxxxxxxxxxxxxxxx
>> >> >> > I'm going to plant this question here, since this thread seems to touch on
>> >> >> > Group Policy login/off issues.
>> >> >> >
>> >> >> > Vista (business ed) in a corporate domain. I'm trying to limit user access
>> >> >> > to the local computer. Users have to enter 'domain\username' and password to
>> >> >> > log into the network. I find that if a user enters his username (without the
>> >> >> > domain\) and password, the user logs into the local computer, in spite of the
>> >> >> > fact that there is only the Administrator account set up on the local computer.
>> >> >> > Is it possible to stop users, who do not have administrator level access,
>> >> >> > from logging into the local computer?
>> >> >>
>> >>
>>
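
The two checks raised in this thread (local accounts that share an id with a domain account, and domain groups such as 'Domain Users' listed in local groups) can be scripted. The following is an added example, not part of the original posts; it assumes PowerShell 2.0 or later on the workstation and uses the ADSI WinNT provider, and the variable names are illustrative.

```powershell
# Added example: audit local accounts and local group membership on a
# domain-joined workstation (run on the workstation being checked).
$computer = $env:COMPUTERNAME
$machine  = [ADSI]"WinNT://$computer,computer"

# 1. Local user accounts. A bare username that matches one of these names
#    can resolve to the local account rather than the domain account.
$localUsers = $machine.psbase.Children |
    Where-Object { $_.psbase.SchemaClassName -eq 'User' } |
    ForEach-Object {
        $flags = [int]$_.UserFlags.Value
        New-Object PSObject -Property @{
            Name     = [string]$_.Name.Value
            Disabled = [bool]($flags -band 0x2)   # ADS_UF_ACCOUNTDISABLE
        }
    }

# 2. Members of every local group. A member whose ADsPath does not contain
#    "/<computername>/" is a domain or well-known principal, not a local account.
$groupMembers = $machine.psbase.Children |
    Where-Object { $_.psbase.SchemaClassName -eq 'Group' } |
    ForEach-Object {
        $group = $_
        @($group.psbase.Invoke('Members')) | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            New-Object PSObject -Property @{
                Group   = [string]$group.Name.Value
                Member  = $path -replace '^WinNT://', ''
                IsLocal = $path -match "/$([regex]::Escape($computer))/"
            }
        }
    }

"Local user accounts on ${computer}:"
$localUsers | Sort-Object Name | Format-Table Name, Disabled -AutoSize

"Non-local principals in local groups on ${computer}:"
$groupMembers | Where-Object { -not $_.IsLocal } |
    Sort-Object Group, Member | Format-Table Group, Member -AutoSize
```

Any enabled local account whose name matches a domain user id, or an unexpected domain group in a local group, is worth reviewing against the behaviour described above.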

