RE: [fw-wiz] Stanford break in

Richard.Bertolett_at_ci.austin.tx.us
Date: 04/22/04

    To: paul@compuwar.net, vosechu@roman-fleuve.com
    Date: Thu, 22 Apr 2004 09:20:27 -0500
    
    

    All,
    In Windows administration, single-workstation authentication is possible, as
    it is an attribute of the user account. This could possibly be scripted
    with VB script, but there is a gotcha. In a Domain-type environment (NT4
    Domains, NT5.x Active Directory), there has to be some sort of computer
    naming schema, for the WMI interface to look for. In some enterprises, the
    naming is done based on the user name, and this would enable the scripting
    to work most of the time. But if the computer naming is done based on
    computer site/floor/department location or perhaps computer serial number,
    the mapping of user ID to computer ID becomes considerably more difficult.
    I know it is possible in Novell NDS, but here again, the actual implementation
    contributes its own complexities.

    Add to this the Layer [8] political realities of (a) users sometimes just
    start using different machines, and it seems IT admins are the last to find
    out, (b) in any central office-branch office organization, there seem to
    proliferate any number of 'smart users' that want to login to other machines
    to help their users, and (c) the usual under-staffedness of IT departments
    within any given organization, there never seems to be enough time to
    administer this kind of thing - automatically or manually - when the admins
    are busy recovering borked servers, adding new user groups for workgroup
    access to files, yada yada. You can see that this, while a good idea,
    becomes so terribly manual as to be mostly unworkable.

    IMHO.

    Cheers,
    Rick Bertolett
    Austin Water Utility

    >> Authenticate with the server, but only allow access to one workstation.
    >> I've never had to do this on a large scale, is it as time consuming as
    >> it seems that it might be or are there tools that make this easier?

    >I'm not sure about the degree of administrative difficulty, hopefully
    >someone with Windows admin experience can answer that.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
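
An illustration of the naming-scheme dependence described in the message above, added here and not part of the original post (the post suggests VB script; this uses PowerShell). The `<username>-WS<nn>` naming convention, the account names and the computer names are constructed assumptions; `Set-ADUser -LogonWorkstations` is the ActiveDirectory module parameter that sets the per-account workstation list.

```powershell
# Added example: plan per-user workstation restrictions from a naming scheme.
# ASSUMPTION: user-owned workstations are named "<username>-WS<nn>" (hypothetical).
# The inventory below is constructed sample data; in a domain it would come
# from Get-ADUser and Get-ADComputer.
$users     = 'asmith', 'bjones', 'cwu'
$computers = 'ASMITH-WS01', 'ASMITH-WS02', 'BJONES-WS01', 'AUS-FL3-0421', 'SN-7H2K9Q'

function Get-WorkstationPlan {
    param([string[]]$Users, [string[]]$Computers)
    foreach ($u in $Users) {
        # Anchored pattern so "asmith" cannot also claim "asmithers-WS01".
        $pattern = '^' + [regex]::Escape($u) + '-WS\d+$'
        $owned   = @($Computers | Where-Object { $_ -match $pattern })
        [pscustomobject]@{
            User         = $u
            Workstations = $owned -join ','
            # No match: the machine name encodes location or serial number,
            # so this account needs a manually maintained mapping.
            NeedsManual  = ($owned.Count -eq 0)
        }
    }
}

$plan = Get-WorkstationPlan -Users $users -Computers $computers
$plan | Format-Table -AutoSize

# Computers that no user name claimed (location- or serial-based names).
$claimed = $plan.Workstations -split ',' | Where-Object { $_ }
$computers | Where-Object { $_ -notin $claimed } |
    ForEach-Object { "Unmapped computer: $_" }

# Apply only the automatically derived entries. -WhatIf prints the change
# without making it; the guard skips this step where the ActiveDirectory
# module is not installed.
foreach ($p in $plan | Where-Object { -not $_.NeedsManual }) {
    if (Get-Command Set-ADUser -ErrorAction SilentlyContinue) {
        Set-ADUser -Identity $p.User -LogonWorkstations $p.Workstations -WhatIf
    }
}
```

With the sample inventory, `cwu` is flagged for manual mapping and the two location- and serial-named machines are reported as unmapped, which is the case the message describes as considerably more difficult.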

