RE: Domain logon without network connection + group policies
From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 02/01/05
- Previous message: Ghetti, Tim: "RE: Domain logon without network connection + group policies"
- In reply to: Ghetti, Tim: "RE: Domain logon without network connection + group policies"
To: "'Ghetti, Tim'" <tghetti@air-worldwide.com>, "'Manuel Sousa'" <manuel.sousa@gmail.com>, <focus-ms@securityfocus.com>
Date: Mon, 31 Jan 2005 19:05:29 -0500
inline, as well...
> -----Original Message-----
> From: Ghetti, Tim [mailto:tghetti@air-worldwide.com]
> Sent: Monday, January 31, 2005 6:06 PM
> To: larobins@bellatlantic.net; Manuel Sousa;
> focus-ms@securityfocus.com
> Subject: RE: Domain logon without network connection + group policies
>
> comments inline...
>
> > -----Original Message-----
> > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> > Sent: Saturday, January 29, 2005 2:24 PM
> > To: Ghetti, Tim; 'Manuel Sousa'; focus-ms@securityfocus.com
> > Subject: RE: Domain logon without network connection +
> group policies
> >
> >
> > > Through group policy, you can forbid logon without DC
> > authentication.
> >
> > Actually, the setting to which I believe you refer is for
> > *unlocking* machines, not logging into them in the first place.
>
> Actually, this is the setting I'm talking about.
> (Computer Configuration\Windows Settings\Security
> Settings\Local Policies\Security Options\Number of previous
> logons to cache)
Um, you specified a setting to disallow logon without DC authentication; it
was that to which I replied. I am familiar with the caching setting, but
that isn't what I was talking about. That is why I put the setting to
which you *were* referring right there in the next paragraph. :-)
>
> > (Computer Configuration\Windows Settings\Security Settings\Local
> > Policies\Security Options\Interactive logon:
> > Require Domain Controller authentication to unlock workstation)
> >
> > Additionally, one can be authenticated by a DC without pulling down
> > policies. Tricky timing, but authentication and group policy
> > processing are separate processes
>
> This is true, but if you set the following, in addition,
> windows waits for all GP's before even giving the user the
> option to log in.
Yes, but that's not the setting to which you referred.
> (Computer Configuration\Administrative
> Templates\System\logon\Always wait for the network at
> computer startup and logon) Not to mention, I believe 200
> pro, processes all gp's before logon
That is a modifiable setting in both user and computer configuration in
Win2K, actually. It's just the default behavior that changed from Win2K to
XP.
>
> > > Under Security in GP "Number of previous logons to cache"
> > > Change this to 0.
> >
> > See above.
I didn't dispute this. See above.
Laura
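
The three policies discussed in this thread can be read back from a workstation to see which of them is actually in force. The following is an added example, not part of the original messages: the function names and the `-Values` parameter are hypothetical, and the registry locations are the standard backing values for these policies, which the thread itself does not name.

```powershell
# Added example: report the three logon settings argued over in this thread.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Effect)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Effect = $Effect }
}

function Get-LogonPolicyReport {
    # -Values (hypothetical): a hashtable of captured values, for offline review.
    param([hashtable]$Values)
    if (-not $Values) {
        $Values = @{
            CachedLogonsCount    = Get-RegValue $Winlogon 'CachedLogonsCount'
            ForceUnlockLogon     = Get-RegValue $Winlogon 'ForceUnlockLogon'
            SyncForegroundPolicy = Get-RegValue $Policy   'SyncForegroundPolicy'
        }
    }
    # CachedLogonsCount is stored as a string; 0 disables cached domain logon.
    $c = $Values.CachedLogonsCount
    $effect = if ($null -eq $c) { 'Not configured; OS default applies' }
              elseif ([int]$c -eq 0) { 'Domain logon requires a reachable DC' }
              else { "Logon without a DC possible for up to $c cached accounts" }
    New-Finding 'Number of previous logons to cache' $c $effect

    # Governs unlocking a locked session only, not the initial logon.
    $u = $Values.ForceUnlockLogon
    $effect = if ($u -eq 1) { 'Unlock requires DC authentication' }
              else { 'Unlock can use cached credentials' }
    New-Finding 'Require Domain Controller authentication to unlock workstation' $u $effect

    # Makes Group Policy processing complete before the user can log on.
    $s = $Values.SyncForegroundPolicy
    $effect = if ($s -eq 1) { 'Policies are applied before logon is offered' }
              else { 'Not enforced by policy; OS default applies' }
    New-Finding 'Always wait for the network at computer startup and logon' $s $effect
}

# Constructed sample values (not taken from a real machine):
Get-LogonPolicyReport -Values @{ CachedLogonsCount = '0'; ForceUnlockLogon = 1 } |
    Format-List
```

Run `Get-LogonPolicyReport` with no arguments on the workstation itself to read the live values.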