RE: Domain logon without network connection + group policies

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 01/29/05

    To: "'Ghetti, Tim'" <tghetti@air-worldwide.com>, "'Manuel Sousa'" <manuel.sousa@gmail.com>, <focus-ms@securityfocus.com>
    Date: Sat, 29 Jan 2005 14:23:46 -0500
    
    

    > Through group policy, you can forbid logon without DC authentication.

    Actually, the setting to which I believe you refer is for *unlocking*
    machines, not logging into them in the first place.

    (Computer Configuration\Windows Settings\Security Settings\Local
    Policies\Security Options\Interactive logon: Require Domain Controller
    authentication to unlock workstation)

    Additionally, one can be authenticated by a DC without pulling down
    policies. Tricky timing, but authentication and group policy processing are
    separate processes.

    > Under Security in GP "Number of previous logons to cache"
    > Change this to 0.

    See above.
    >
    > *****word of warning though,
    > if you have any laptop users, you will run into a rather big problem.
    > They will not be able to use their system off the network.
    > Another option is forcing a group policy refresh. The normal
    > operation is that every 90-120 minutes GP refreshes, but only
    > if the version number has changed (you've made a policy
    > change). You can force GP to refresh every X minutes
    > regardless. Under GP go to --- Computer Configuration -->
    > Administrative Templates --> System --> Group Policy, and
    > configure it there.

    As the OP mentioned, this won't work if they've never gotten the policy in
    the first place.

    Laura
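
Added example, not part of the original message: a PowerShell audit of the settings discussed in this thread, showing that "require DC authentication to unlock" and "previous logons to cache" are separate controls. The function names are hypothetical. The registry value names are the Windows backing values for these policies and do not appear in the message, and treating a missing CachedLogonsCount as 10 is an assumption about the client default.

```powershell
# Added example: read the effective values behind the policies named in the thread.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$gpSystem = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegValue {
    # Returns the value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-LogonPolicyAudit {
    # "Interactive logon: Number of previous logons to cache" (REG_SZ)
    $cachedRaw = Get-RegValue $winlogon 'CachedLogonsCount'
    # "Interactive logon: Require Domain Controller authentication to unlock workstation"
    $unlockRaw = Get-RegValue $winlogon 'ForceUnlockLogon'
    # "Group Policy refresh interval for computers" (only present when set by policy)
    $refresh   = Get-RegValue $gpSystem 'GroupPolicyRefreshTime'
    $offset    = Get-RegValue $gpSystem 'GroupPolicyRefreshTimeOffset'

    # Assumption: an absent value means the client default of 10 cached logons.
    $cached   = if ($null -eq $cachedRaw) { 10 } else { [int]$cachedRaw }
    $unlockDC = ($unlockRaw -eq 1)

    $finding = if ($cached -eq 0) {
        'No cached logons: interactive domain logon fails without a reachable DC (laptops off the network included).'
    } elseif ($unlockDC) {
        'Unlock requires a DC, but initial logon can still succeed from cached credentials.'
    } else {
        'Both logon and unlock can succeed from cached credentials without a DC.'
    }

    [pscustomobject]@{
        CachedLogonsCount    = $cached
        OfflineLogonPossible = ($cached -gt 0)
        UnlockRequiresDC     = $unlockDC
        RefreshMinutes       = if ($null -eq $refresh) { 'not set by policy' } else { $refresh }
        RefreshOffsetMinutes = if ($null -eq $offset)  { 'not set by policy' } else { $offset }
        Finding              = $finding
    }
}

Get-LogonPolicyAudit | Format-List
```

A machine that has never processed the policy reports the defaults here, which is the case the original poster raised.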
