Re: Group Policy Lofon Script
- From: RoninV <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 14 Dec 2007 04:16:00 -0800
Duh, that's a good point. ComputerConnect was used, but I'll have to check
for Domain Users, since having them as part of the local group would allow
domain users local computer access by logging in without including
"@domainname" as part of their username. Thanks for your assistance.
RoninV
"Costas" wrote:
You made me doubt myself :-) I logged off my personal computer (Vista
Ultimate) and I tried to log in as costas@xxxxxxxxxxxxx. I did successfully.
I tried to mistype the id intentionally, and I couldn't get in at all. Then
I switched to a different id, and didn't type the domain, e.g. joedoe.
I looked at the bottom of the screen and the domain name remained there, the
computer name didn't replace the domain name. Is it possible that somewhere
in the local groups, you have 'Domain Users' listed? I assume you joined
the computers to the domain using ConnectComputer, right?
I can do some further testing off-hours on a couple of different networks,
but the only time I have seen that is with the Administrator account, which
if you don't qualify with the domain name it is defaulting to the local
admin account. Unless of course there are local users with the same ids.
--
Costas
"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:710B837B-D718-4A5F-8DC4-DAEF931B10A5@xxxxxxxxxxxxxxxx
If that is the case, these Vista (business edition) machines may have been
set up incorrectly. As I indicated earlier, the machines are connected to a
corporate LAN, so during initial setup, a network cable was connected.
During setup, each computer was given a name (e.g. LocalVista), and an
'administrator' account (jdoe) had to be set up, based on the initial
configuration screens. After setup was complete, the 'secret' administrator
account (ala XP) was enabled, the LAN's administrator account (Snoop) was
added as an administrator on LocalVista, and the jdoe account was deleted.
This should have left us with Snoop as the only account on LocalVista. To
login to the corporate domain, users have to input their username/password,
with the username in the username@domainname syntax. When users use the
correct username syntax, the name of the corporate domain appears under the
username/password fields. What we're finding is that when users forget to
use this syntax, and enter their username WITHOUT the '@domainname',
LocalVista appears below the username/password fields and the user is
logged in. Mind you that if Snoop (corporate and LocalVista administrator)
logs into LocalVista, that account is the only one listed under User
accounts.
"Costas" wrote:
If the user doesn't have a local account, they won't be able to log in
locally to the computer. Let's say you have a user account with the name
jdoe. When the user types domain\jdoe they will log in to the domain.
Unless a local account exists with the name 'jdoe' the user won't be able
to connect locally to the computer (by 'locally' I mean using the
'computername\username' login).
--
Costas
"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:329F9AA2-100E-4D79-B2ED-6C9D01D93733@xxxxxxxxxxxxxxxx
Thanks for discussing this situation with me. Is there a policy/script (for
Vista) we could implement which would allow users to log into the account
on the domain, but deny them access to the account on the computer?
"Costas" wrote:
Ask the users to log in using the domain prefix (e.g. DOMAIN\USERNAME).
After they do that, the next time they can use just USERNAME and they will
be able to log in to the domain.
If you, as the administrator, try to log in to a computer using just the
account 'Administrator', the log in will default to the computer name,
instead of the SBS domain. That's because there are two accounts, one on
the computer and one in the domain.
--
Costas
"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:885CC120-85C2-4AA2-9A2D-F6932A5847EB@xxxxxxxxxxxxxxxx
From what I can tell, the local computer is also a 'domain' so to speak.
Normally, when you initially install Vista (business edition), you give the
computer a name. When you connect the computer to a corporate network, the
company's domain comes into play. Now there are two 'domains,' the
computer's name and the company domain.
What I'm finding is that when a user types in her username, without the
@domain, the computer's name appears below the username/password boxes.
Does this not log the user into the local computer? This is what we're
trying to avoid. Basically, if the user does not log in, using the
'username@domainname' as her username, we want the user to be unable to
use the computer.
"Costas" wrote:
No, this isn't what I said. If a user types "Administrator", Vista will
default to the local computer administrator account. For someone to log on
using the domain Administrator account, they will have to type
"Domain\Administrator".
For any other domain account, the first time they have to type
'Domain\AccountName', and from that point on, every time they want to log
on, they don't have to type the domain name. Just the 'Account Name' will
be enough. (If you look just below the text boxes where the account name
and password are typed, the name of the domain will already be listed
there.)
--
Costas
"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3A91A891-CCAE-4DD9-99F8-9BC3075E3EA8@xxxxxxxxxxxxxxxx
'Domain' = the name of the company network
'Local' = the computer itself.
There is an Administrator account in Domain and an Administrator account in
Local. Are you indicating that if the Local Administrator account is
renamed something other than Administrator, no user will be able to log
into Local by simply entering their username (without Domainname) and
password? In fact, since users are required to log into the Domain, using
the username@Domainname and password combination, if the user forgets to
include the Domainname when signing on, that user should get an
error/warning that the user input is incorrect.
"Costas" wrote:
If there is a local user account with the same name as the domain account,
the computer will pick up the local account. For example, if you type
"Administrator", it will default to the local Administrator. But if you
type "Domain\user" the next time the user logs to the same workstation then
the username should be there waiting for the password.
If they want to type a different user name, then the domain name should be
below the input textboxes next to the label "Log on to:" so they type just
the user name.
--
Costas
"RoninV" <RoninV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3FE20FB0-968A-4DE2-A6FA-DD1539FF4F0D@xxxxxxxxxxxxxxxx
I'm going to plant this question here, since this thread seems to touch on
Group Policy login/off issues.
Vista (business ed) in a corporate domain. I'm trying to limit user access
to the local computer. Users have to enter 'domain\username' and password
to log into the network. I find that if a user enters his username (without
the domain\) and password, the user logs into the local computer, in spite
of the fact that there is only the Administrator account set up on the
local computer.
Is it possible to stop users, who do not have administrator level access,
from logging into the local computer?
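
Added example, not part of the thread: one way to run the two checks Costas suggests on a workstation, listing which principals sit in each local group (to spot 'Domain Users') and which local accounts exist and share a name with a domain logon. It assumes PowerShell 2.0 or later; the names in `$DomainNames` are hypothetical placeholders taken from the ids mentioned in the thread.

```powershell
# Added example, not from the thread. Run on the workstation being checked.
$Computer    = $env:COMPUTERNAME
# Hypothetical domain logon names to compare against local account names.
$DomainNames = @('jdoe', 'joedoe')

function Get-AdsiProperty($Object, [string]$Name) {
    # Members returned by Invoke('Members') are raw COM objects, so their
    # properties are read through late binding.
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

function Get-LocalGroupMembership([string]$Computer) {
    $root   = [ADSI]"WinNT://$Computer,computer"
    $groups = $root.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'Group' }
    foreach ($group in $groups) {
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $path = Get-AdsiProperty $member 'ADsPath'
            New-Object PSObject -Property @{
                Group   = $group.psbase.Name
                Member  = $path -replace '^WinNT://', ''
                # Local principals carry the computer name in their path.
                IsLocal = ($path -like "*/$Computer/*")
            }
        }
    }
}

function Get-LocalUserAccount([string]$Computer, [string[]]$DomainNames) {
    $root = [ADSI]"WinNT://$Computer,computer"
    $root.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'User' } |
        ForEach-Object {
            $name = $_.psbase.Name
            New-Object PSObject -Property @{
                Name     = $name
                # Bit 0x2 of UserFlags is ADS_UF_ACCOUNTDISABLE.
                Enabled  = -not ([int]$_.UserFlags.Value -band 2)
                # True when a domain logon name also exists as a local account.
                Collides = ($DomainNames -contains $name)
            }
        }
}

Get-LocalGroupMembership $Computer | Sort-Object Group, Member |
    Format-Table Group, Member, IsLocal -AutoSize
Get-LocalUserAccount $Computer $DomainNames |
    Format-Table Name, Enabled, Collides -AutoSize
```

Rows with `IsLocal` false are domain or built-in principals (for example entries under NT AUTHORITY); rows with `Collides` true are local accounts whose name matches one of the listed domain logon names.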