RE: Domain logon without network connection + group policies

From: Ghetti, Tim (tghetti_at_air-worldwide.com)
Date: 01/28/05

    Date: Thu, 27 Jan 2005 18:17:22 -0500
    To: "Manuel Sousa" <manuel.sousa@gmail.com>, <focus-ms@securityfocus.com>
    
    

    Through group policy, you can forbid logon without DC authentication.
    Under Security in GP: "Number of previous logons to cache". Change this to
    0.

    *****Word of warning though:
    if you have any laptop users, you will run into a rather big problem.
    They will not be able to use their system off the network.

    Another option is forcing a group policy refresh. The normal operation
    is that every 90-120 minutes GP refreshes, but only if the version
    number has changed (you've made a policy change). You can force GP to
    refresh every X minutes regardless. Under GP, go to Computer
    Configuration --> Administrative Templates --> System --> Group Policy,
    and configure it there.

    Good Luck!

    -----Original Message-----
    From: Manuel Sousa [mailto:manuel.sousa@gmail.com]
    Sent: Thursday, January 27, 2005 7:58 AM
    To: focus-ms@securityfocus.com
    Subject: Domain logon without network connection + group policies

    Hi,

    I've realized that it's possible to log on to a domain without a network
    connection and bypass the group policies.

    This provides false security when deploying policies that restrict user
    permissions, so my question is:
    1. Is it possible to forbid logon if the workstation can't connect to
       the Domain Controller?
    2. Or is it possible to have a cache of the group policies so that if
       the workstation doesn't have network, it uses the last policies?

    One workaround is deploying the policies as local ones, but that removes
    the flexibility of deploying / changing the policies from the domain, so
    I'm open to other suggestions.

    Thanks in advance,
    Manuel Sousa
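
An added example, not part of either message: a PowerShell check of how the two settings from the reply are currently applied on a workstation. The registry paths and value names are not given in the thread; they are the locations these policies are known to write to, and reading "refresh regardless" as the registry policy processing option (`NoGPOListChanges`) is an assumption.

```powershell
# Added example: audits the settings discussed in the thread on the local machine.
# Registry locations below are assumptions; the thread names only the GP settings.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$gpSystem = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# Client-side extension key for registry (Administrative Templates) processing
$regCse   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$cached   = Get-RegValue $winlogon 'CachedLogonsCount'       # REG_SZ
$interval = Get-RegValue $gpSystem 'GroupPolicyRefreshTime'  # DWORD, minutes
$noChange = Get-RegValue $regCse   'NoGPOListChanges'        # DWORD, 0 = always reapply

$findings = @(
    [pscustomobject]@{
        Setting = 'Number of previous logons to cache'
        Value   = if ($null -eq $cached) { '(not set, Windows default 10)' } else { $cached }
        Effect  = if ($cached -eq '0') {
                      'No cached logon: users cannot log on without reaching a DC'
                  } else {
                      'Cached logon allowed: domain users can log on off-network'
                  }
    }
    [pscustomobject]@{
        Setting = 'Group Policy refresh interval (computers)'
        Value   = if ($null -eq $interval) { '(not set, default 90 min + offset)' } else { "$interval min" }
        Effect  = 'How often background refresh runs while a DC is reachable'
    }
    [pscustomobject]@{
        Setting = 'Reapply registry policy even if GPOs unchanged'
        Value   = if ($null -eq $noChange) { '(not set)' } else { $noChange }
        Effect  = if ($noChange -eq 0 -and $null -ne $noChange) {
                      'Settings are rewritten on every refresh'
                  } else {
                      'Refresh skips GPOs whose version number has not changed'
                  }
    }
)

$findings | Format-List
```

Run it on a domain-joined workstation after a policy refresh; a value reported as not set means the corresponding policy is not configured for that machine.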
