Subject: [ActiveDir] Is there a way to force users to logon to domain?
lagreca

Posts:0

05/15/2006 3:58 AM  
Message body was not found.
AD00000893

Posts:0

05/15/2006 4:10 AM  
Don't create local accounts.
-Z.V.

Joe Lagreca wrote:
Is there a way to force users to logon to domain, or to disable logging
into local computer accounts via GPO?

Thanks.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
sergio.olivarez@xxxx.yyy

05/15/2006 4:13 AM  
In a GPO set the cached logon setting to 0 and make sure allow logon locally is only set to Admins.

-Sergio

From: Joe Lagreca [mailto:lagreca@xxxxxxxxx]
Sent: Monday, May 15, 2006 8:57 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Is there a way to force users to logon to domain?

Is there a way to force users to logon to domain, or to disable logging
into local computer accounts via GPO?

Thanks.
robertrutherford5

Posts:0

05/15/2006 4:18 AM  
Be restrictive on the use of local accounts and don't give them passwords is the cleanest way.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: robert.rutherford@xxxxxxxxxxx
W: www.quostar.com

amulnick

Posts:163

05/15/2006 8:43 AM  
I think you've seen several ways of achieving something similar to
what you've asked for. But I'm curious as to what you really want to
accomplish. You've put something very specific, but what makes you
want to force the logon? What's the backstory?

Al

listmail

Posts:822

05/15/2006 9:47 AM  
Crap, more blank emails from Al. Al, use hotmail or something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
TonyTest

Posts:0

05/15/2006 10:10 AM  
I have a rule that auto-deletes Al's emails as a matter of course. :)

I can confirm what others have said - that the emails are visible in Outlook 2007. Still checking to see if there is a way to resolve this on the list server side, but haven't found anything yet.

Tony



This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
sbradcpa

Posts:496

05/15/2006 10:14 AM  
Mine wasn't blank...there is however a funky code down there....but it's
not blank...

Al Mulnick wrote:
> I think you've seen several ways of achieving something similar to
> what you've asked for. But I'm curious as to what you really want to
> accomplish. You've put something very specific, but what makes you
> want to force the logon? What's the backstory?
>
> Al
>
> On 5/15/06, Joe Lagreca wrote:
> > Is there a way to force users to logon to domain, or to disable
> > logging into local computer accounts via GPO?
> >
> > Thanks.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
lists1

Posts:6

05/15/2006 10:38 AM  
What about the origin - are they created using OL2k7? If so must be a new bug - I was using a bit older version for quite a while (and everything was readable), but it almost corrupted my mailstore - so I switched temporarily back.

Gruesse - Sincerely,
Ulf B. Simon-Weidner

Profile & Publications: http://mvp.support.microsoft.com/profile=
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org




lagreca

Posts:0

05/16/2006 2:33 AM  
Al and others,

We are retrofitting previously deployed workstations. Some have local
logins, while others do not. I was just wondering if there is a way,
via GPO, to force all users to log into the domain, instead of giving
them the option to log into their local machine.

I have been told that "In a GPO set the cached logon setting to "0"
and make sure "allow logon locally" is only set to Admins." will not
work. However I still need to test this myself. I was told "allow
logon locally" will make it so all unlisted users will not be able to
login from that workstation, whether it's locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that afterwards.

Thanks.

Joe
sergio.olivarez@xxxx.yyy

05/16/2006 3:05 AM  
Yeah, disregard what I said about just leaving Admins on the "allow logon
locally" setting, that's my bad. I guess best thing to do would be delete
all existing local user accounts.

-Sergio
adwulf

Posts:93

05/16/2006 3:26 AM  
On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS wrote:
> Yeah, disregard what I said about just leaving Admins on the "allow logon
> locally" setting, that's my bad. I guess best thing to do would be delete
> all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not
prove anything." - Nietzsche
lagreca

Posts:0

05/16/2006 3:46 AM  
Sergio,

That is the approach we are going to take. Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely? We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe
FreddyHARTONO

Posts:19

05/16/2006 3:54 AM  
Even if that is possible by any means - what are you going to do if the
computer falls out of the domain?

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
phone: (+65) 6330-9785


robertrutherford5

Posts:0

05/16/2006 4:06 AM  
No, and I always find it a relief to have a local admin account in a
failure situation.



Robert Rutherford
QuoStar Solutions Limited



sergio.olivarez@xxxx.yyy

05/16/2006 4:23 AM  
Yeah make sure you leave all administrative accounts alone and disable the
guest account.

As for changing the password, you can always connect to it remotely via
Computer management (compmgmt.msc) or script it.

-Sergio


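Added example, not part of the original thread: the clean-up plan discussed above (remove ordinary local accounts, leave administrative accounts alone, disable Guest) sketched in PowerShell. It disables rather than deletes so the change can be reversed, and identifies built-in accounts by RID instead of by name. The function name and the sample accounts are constructed for illustration; the cmdlets in the closing comments assume Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread). Classifies local accounts by RID and by
# membership of the local Administrators group, and returns a per-account plan.
function Get-LocalAccountPlan {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,  # objects with Name, SID, Enabled
        [string[]] $AdminSids = @()                            # SIDs of local Administrators members
    )
    foreach ($a in $Accounts) {
        $sid = [string]$a.SID
        $rid = [long](($sid -split '-')[-1])    # the last SID component is the RID

        if ($rid -eq 500) {
            $action = 'Keep';    $reason = 'Built-in Administrator (RID 500), even if renamed'
        } elseif ($rid -eq 501) {
            $action = 'Disable'; $reason = 'Built-in Guest (RID 501)'
        } elseif ($rid -lt 1000) {
            $action = 'Keep';    $reason = 'Other built-in account (RID below 1000)'
        } elseif ($AdminSids -contains $sid) {
            $action = 'Review';  $reason = 'Member of local Administrators; left for manual review'
        } else {
            $action = 'Disable'; $reason = 'Ordinary local user account'
        }

        # Nothing to do if the account is already disabled
        if ($action -eq 'Disable' -and -not $a.Enabled) { $action = 'None' }

        [pscustomobject]@{
            Name = $a.Name; Enabled = $a.Enabled; Action = $action; Reason = $reason; SID = $sid
        }
    }
}

# Constructed sample data for one workstation (the machine SID is made up)
$m = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'wsadmin';  SID = "${m}-500";  Enabled = $true  }  # renamed Administrator
    [pscustomobject]@{ Name = 'Guest';    SID = "${m}-501";  Enabled = $true  }
    [pscustomobject]@{ Name = 'jsmith';   SID = "${m}-1001"; Enabled = $true  }
    [pscustomobject]@{ Name = 'helpdesk'; SID = "${m}-1002"; Enabled = $true  }  # local admin
    [pscustomobject]@{ Name = 'oldtemp';  SID = "${m}-1003"; Enabled = $false }
)

Get-LocalAccountPlan -Accounts $sample -AdminSids "${m}-500", "${m}-1002" |
    Format-Table Name, Enabled, Action, Reason -AutoSize

# On a real workstation (elevated session), feed it live data and preview the change:
#   $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
#   Get-LocalAccountPlan -Accounts (Get-LocalUser) -AdminSids $admins |
#       Where-Object Action -eq 'Disable' |
#       ForEach-Object { Disable-LocalUser -SID $_.SID -WhatIf }
```

Keeping the RID 500 account enabled preserves the recovery path raised in the thread for a machine that falls out of the domain.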
AD00000893

Posts:0

05/16/2006 4:37 AM  
I have over 100 randomly generated local admin passwords. If I forget
the password and the account gets corrupted in AD then I just hack the
local admin password. No one logs on locally period!

-Z.V.


davewade

Posts:116

05/16/2006 4:51 AM  
You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the "logon locally" rights to say "domain users" &
"administrator".


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.

If you receive this email in error please notify Stockport e-Services via email.query@xxxxxxxxxxxxxxxx and then permanently remove it from your system.

Thank you.

http://www.stockport.gov.uk
**********************************************************************

AD000001552

Posts:0

05/16/2006 5:18 AM  
You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to "Domain Computers" and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin
=====================================================
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
Dim oUser

' Errors are suppressed so that a failure does not interrupt machine startup
On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

' The new password is stored in clear text in this script
sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName

' Bind to the local account through the WinNT provider and set the password
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' Write an Information event (type 4) recording that the script ran
objShell.LogEvent 4, "LP startup script LP04 run record."

'==========================================================================
' Get Admin Account Name
'==========================================================================

Function GetAdministratorName()
    Dim sUserSID, objNet, oUserAccount
    Set objNet = CreateObject("WScript.Network")
    ' List the local accounts (Domain = this computer's name) through WMI
    Set oUserAccounts = GetObject( _
        "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
        .ExecQuery("Select Name, SID from Win32_UserAccount" _
        & " WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    ' The built-in Administrator has a SID ending in -500, whatever its name
    For Each oUserAccount In oUserAccounts
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
            Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function
mark.parris@xxxx.yyy

05/16/2006 5:24 AM  
You could give everyone a domain controller?

Seriously though, we have a custom application that sits on the client and when it joins the domain, it generates a random 16 character password which it writes to a SQL database. From then on the sql database owns the computer, if you need to regenerate a new password just push the button on a web front end and it resets it and writes it to the database.
Mark
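Added example, not part of the original thread: a PowerShell sketch of the per-machine random password approach Mark describes, as an alternative to one clear-text password shared by every machine through a startup script in SYSVOL. The function names and sample accounts are constructed for illustration; where the resulting record is stored (Mark's application uses a SQL database) is left to the caller, and the cmdlets in the closing comments assume Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread). Generates a random password from the
# system CSPRNG, using rejection sampling so every character is equally likely.
function New-RandomPassword {
    param([int] $Length = 16)
    # Look-alike characters (0/O, 1/l/I) are left out for readability
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%*+-=?@'
    $limit = 256 - (256 % $alphabet.Length)   # bytes at or above this would bias the result
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
                }
            }
            $pw = $sb.ToString()
            # Retry until upper case, lower case and a digit are all present,
            # so a local complexity policy does not reject the password
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    } finally {
        $rng.Dispose()
    }
    $pw
}

# Builds the record to escrow for one machine: which account, which password, when.
function New-AdminPasswordRotation {
    param(
        [Parameter(Mandatory = $true)] [string]   $ComputerName,
        [Parameter(Mandatory = $true)] [object[]] $Accounts      # objects with Name and SID
    )
    # Same test as the startup script above: the built-in Administrator is RID 500
    $admin = $Accounts |
        Where-Object { [string]$_.SID -match '^S-1-5-21-.+-500$' } |
        Select-Object -First 1
    if (-not $admin) { throw "No RID 500 account found on $ComputerName" }

    [pscustomobject]@{
        Computer   = $ComputerName
        Account    = $admin.Name
        Password   = New-RandomPassword -Length 16
        RotatedUtc = [DateTime]::UtcNow.ToString('o')
    }
}

# Constructed sample data: two workstations, one with a renamed Administrator
$fleet = @{
    'WS-001' = @(
        [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
        [pscustomobject]@{ Name = 'jsmith';        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
    )
    'WS-002' = @(
        [pscustomobject]@{ Name = 'wsadmin';       SID = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    )
}

$records = foreach ($name in $fleet.Keys) {
    New-AdminPasswordRotation -ComputerName $name -Accounts $fleet[$name]
}

# Each machine gets its own password; only the length is displayed here
$records |
    Select-Object Computer, Account, @{ n = 'PasswordLength'; e = { $_.Password.Length } }, RotatedUtc |
    Format-Table -AutoSize

# On a real workstation (elevated session), apply the record before escrowing it:
#   $r = New-AdminPasswordRotation -ComputerName $env:COMPUTERNAME -Accounts (Get-LocalUser)
#   Set-LocalUser -Name $r.Account -Password (ConvertTo-SecureString $r.Password -AsPlainText -Force)
```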