Re: How to force a user to logon to the domain ?

From: Robert Moir (bofh_at_mvps.org)
Date: 10/02/03


Date: Thu, 2 Oct 2003 20:20:57 +0100

Branislav wrote:
> Hello,
> We would like to force users to logon to the domain so all the
> scripts and patches could be applied.
>
> The situation is this: there are no local accounts on workstations,
> users have only a domain account. It is an NT4 domain, on
> workstations we have Win2000Pro and WinXP. Now, my boss wants every
> user to be a local administrator on his/her computer so we put their
> domain account to be a member of the local Administrators group. This
> gives them the possibility to logon locally on their computers.

Well, you have to realise that when you make someone a local administrator
they can do what they like on the local machine. That's what "local
administrator" means. Your first stop should be to go to your boss and
explain that you've got a problem here, as you've been asked to perform two
tasks that won't sit comfortably with each other. You can set up various
things to stop them getting a foot through the door, but a determined person
with local administrator access *will* beat them all in the end.

My vote is for creating a modified GINA without the option to select the
login context (e.g. the drop down menu that has your domain and computer
names in it). Removing this option will stop damn near most people, I should
think.

-- 
Rob
Microsoft MVP
Windows Servers and Security
http://www.robertmoir.co.uk

