Re: Ability to logon after account has been disabled
From: Steven L Umbach (n9rouz_at_nscomcast.net)
Date: 11/16/03
- In reply to: Bob: "Ability to logon after account has been disabled"
Date: Sun, 16 Nov 2003 19:00:12 GMT
I tend to doubt it was a fictitious password. What happens is by default W2K allows
"cached credentials" so that a user can log into their local machine when a domain
controller is unable to authenticate their account. The purpose is to allow users to
still use their local machine, but obviously people have found out how to abuse it.
There is a security option that can be configured at various levels such as local,
domain, or Organizational Unit to disable it. For instance in Local Security Policy
it would be in security settings/local policies/security options - number of previous
logons to cache. Set it to zero to not allow domain cached logons. That will not
stop a user from logging on to a local machine account if they have one - possibly
one you do not know about.
--- Steve
"Bob" <anonymous@discussions.microsoft.com> wrote in message
news:073101c3ac67$d11a8150$a501280a@phx.gbl...
> I have an account locked out and the user was able to
> enter User name, unplug the network hub, enter a
> fictitious password, and then plug the power back into
> the hub and the PC logged on and reconnected to Domain
> resources like Internet Explorer, etc. How can I fix
> this??
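
An audit of the two points raised in the reply, as an added example that is not part of the original post: it reports the effective "number of previous logons to cache" setting and lists enabled local accounts on the machine. It assumes Windows PowerShell 5.1 or later (for `Get-LocalUser`); the function name is hypothetical, and the registry location and default of 10 are the standard Windows ones, not taken from the post.

```powershell
# Added example; Get-OfflineLogonExposure is a hypothetical name.
function Get-OfflineLogonExposure {
    # The "number of previous logons to cache" security option is stored here
    # as a string value named CachedLogonsCount (assumption: standard location).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount

    # When the value is absent, Windows falls back to its default of 10.
    $count  = 10
    $source = 'default (value not set)'
    if ($null -ne $raw) {
        $parsed = 0
        if ([int]::TryParse([string]$raw, [ref]$parsed)) {
            $count  = $parsed
            $source = 'registry'
        } else {
            # Treat an unreadable value as unknown rather than as zero.
            $count  = $null
            $source = "unparseable value '$raw'"
        }
    }

    # Setting the count to zero does not affect local machine accounts,
    # so list the enabled ones for review as well.
    $localAccounts = @(Get-LocalUser |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        CachedLogonsCount         = $count
        CountSource               = $source
        # Only an explicit 0 rules out a cached domain logon.
        CachedDomainLogonPossible = ($count -ne 0)
        EnabledLocalAccounts      = $localAccounts
    }
}

Get-OfflineLogonExposure | Format-List
```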