Re: Cached Credentials

From: Michael [MS] (a-miche@microsoft.com)
Date: 06/20/02


From: "Michael [MS]" <a-miche@microsoft.com>
Date: Thu, 20 Jun 2002 12:46:33 -0700


W2k in a domain will use cached logon credentials if a DC is not available,
but will use the local security policy. It can't get a GPO and won't use a
cached version. One thing you might do in the Local policy is disable the
cached logon option so if there is no DC to authenticate, a user cannot
log on with the domain user logon. So unless they have a local logon (which
can still be restricted) they can't access anything on the machine.

--
Michael Eisenhart
Microsoft Support Professional
Get Secure!! www.microsoft.com/security

"Bruce Cheney" <cheney_bruce@hotmail.com> wrote in message
news:10e8f01c21870$7ef9d060$3bef2ecf@TKMSFTNGXA10...
> If I have a GPO in place for my domain that secures
> client workstations, what happens when a client machine
> boots with the network cable unplugged? My concern is
> that an insider attack could happen if somebody unplugged
> the NIC, booted the machine, and now has no domain-based
> security policy. To prevent this, do I need to put a local
> policy on each machine, so that in the event of this
> scenario, the local policy would take effect (not be
> overridden by site, domain, or OU GPOs)? My concerns are in
> auditing and running a backup. If auditing is on in the
> domain, but the computer doesn't authenticate to the
> domain because the DC is not available, how will I know
> if sensitive data is being accessed or someone is
> attempting to access it? Thanks.
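
The local-policy change suggested in the reply, shown as an added example that is not part of the original posts: a PowerShell audit of the registry value behind the "Interactive logon: Number of previous logons to cache" policy, with an optional enforcement step. It assumes a Windows version with PowerShell (which postdates the W2k systems discussed) and an elevated session for the write; the function names are hypothetical.

```powershell
# Added example: audit and optionally enforce the cached-logon setting.
# CachedLogonsCount is the REG_SZ value behind the local security policy
# "Interactive logon: Number of previous logons to cache
#  (in case domain controller is not available)". "0" disables caching.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonSetting {
    # Hypothetical helper: reports how the machine is currently configured.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows uses its built-in default, which is non-zero,
        # so cached domain logons are still possible.
        return [pscustomobject]@{
            Configured = $false; Count = $null; CachedLogonsDisabled = $false
        }
    }
    $count  = 0
    $parsed = [int]::TryParse([string]$item.$ValueName, [ref]$count)
    [pscustomobject]@{
        Configured           = $true
        Count                = if ($parsed) { $count } else { $null }
        # Only an explicit, well-formed 0 counts as "disabled".
        CachedLogonsDisabled = ($parsed -and $count -eq 0)
    }
}

function Disable-CachedLogon {
    # Hypothetical helper: writes "0" as REG_SZ (needs an elevated session),
    # then re-reads the value so the caller sees the effective state.
    New-ItemProperty -Path $WinlogonKey -Name $ValueName -Value '0' `
                     -PropertyType String -Force | Out-Null
    Get-CachedLogonSetting
}

$state = Get-CachedLogonSetting
if ($state.CachedLogonsDisabled) {
    Write-Output 'Cached domain logons are disabled on this machine.'
} else {
    Write-Output ("Cached domain logons are allowed (configured={0}, count={1})." -f
                  $state.Configured, $state.Count)
    # Uncomment to enforce the setting described in the reply:
    # Disable-CachedLogon
}
```

A domain GPO that defines the same setting overwrites the local value the next time policy is applied while a DC is reachable.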

