RE: Domain logon without network connection + group policies

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 02/01/05

    To: "'Ghetti, Tim'" <tghetti@air-worldwide.com>, "'Manuel Sousa'" <manuel.sousa@gmail.com>, <focus-ms@securityfocus.com>
    Date: Mon, 31 Jan 2005 19:05:29 -0500
    inline, as well...

    > -----Original Message-----
    > From: Ghetti, Tim [mailto:tghetti@air-worldwide.com]
    > Sent: Monday, January 31, 2005 6:06 PM
    > To: larobins@bellatlantic.net; Manuel Sousa;
    > focus-ms@securityfocus.com
    > Subject: RE: Domain logon without network connection + group policies
    >
    > comments inline...
    >
    > > -----Original Message-----
    > > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    > > Sent: Saturday, January 29, 2005 2:24 PM
    > > To: Ghetti, Tim; 'Manuel Sousa'; focus-ms@securityfocus.com
    > > Subject: RE: Domain logon without network connection +
    > group policies
    > >
    > >
    > > > Through group policy, you can forbid logon without DC
    > > authentication.
    > >
    > > Actually, the setting to which I believe you refer is for
    > > *unlocking* machines, not logging into them in the first place.
    >
    > Actually, this is the setting I'm talking about.
    > (Computer Configuration\Windows Settings\Security
    > Settings\Local Policies\Security Options\Number of previous
    > logons to cache)

    Um, you specified a setting to disallow logon without DC authentication; it
    was that to which I replied. I am familiar with the caching setting, but
    that isn't what I was talking about. That is why I put the setting to
    which you *were* referring right there in the next paragraph. :-)
    >
    > > (Computer Configuration\Windows Settings\Security Settings\Local
    > > Policies\Security Options\Interactive logon:
    > > Require Domain Controller authentication to unlock workstation)
    > >
    > > Additionally, one can be authenticated by a DC without pulling down
    > > policies. Tricky timing, but authentication and group policy
    > > processing are separate processes
    >
    > This is true, but if you set the following, in addition,
    > windows waits for all GP's before even giving the user the
    > option to log in.

    Yes, but that's not the setting to which you referred.

    > (Computer Configuration\Administrative
    > Templates\System\logon\Always wait for the network at
    > computer startup and logon) Not to mention, I believe 200
    > pro, processes all gp's before logon

    That is a modifiable setting in both user and computer configuration in
    Win2K, actually. It's just the default behavior that changed from Win2K to
    XP.
    >
    > > > Under Security in GP "Number of previous logons to cache"
    > > > Change this to 0.
    > >
    > > See above.

    I didn't dispute this. See above.

    Laura

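The three policy settings argued over in this thread (cached logons, DC authentication to unlock, and waiting for the network at logon) each land in a registry value on the workstation. The following PowerShell audit script is an added example, not code from the thread or from Microsoft; it reads those backing values and reports whether each matches the hardened state the thread discusses. It assumes the standard Winlogon registry locations for these three values and is meant to be run elevated on the workstation being checked.

```powershell
# Added example: audit the three Winlogon settings discussed in the thread.
# Each Group Policy entry is backed by a registry value; an absent value means
# the policy is "not configured" and the OS default applies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing: policy not set on this machine
}

$checks = @(
    # 0 cached logons = no interactive domain logon without a reachable DC
    @{ Setting = 'Number of previous logons to cache'
       Path = $winlogon; Name = 'CachedLogonsCount'; Default = '10'
       Want = { param($v) [int]$v -eq 0 } },
    # Only affects *unlocking* an already logged-on session, not the logon itself
    @{ Setting = 'Require Domain Controller authentication to unlock workstation'
       Path = $winlogon; Name = 'ForceUnlockLogon'; Default = 0
       Want = { param($v) $v -eq 1 } },
    # Makes Winlogon wait for the network so GP is processed before the logon prompt
    @{ Setting = 'Always wait for the network at computer startup and logon'
       Path = $policy; Name = 'SyncForegroundPolicy'; Default = 0
       Want = { param($v) $v -eq 1 } }
)

$results = foreach ($c in $checks) {
    $raw       = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    $effective = if ($null -eq $raw) { $c.Default } else { $raw }
    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $effective
        Source    = if ($null -eq $raw) { 'default (not configured)' } else { 'registry' }
        Hardened  = [bool](& $c.Want $effective)
    }
}
$results | Format-Table -AutoSize
```

The registry shows what is currently applied on the box; to see which GPO set it (or whether a later GPO overrides it), compare against the resultant set of policy from `gpresult /h report.html`.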

