Focus on Microsoft
RE: Domain logon without network connection + group policies Jan 31 2005 11:06PM
Ghetti, Tim (tghetti air-worldwide com) (1 replies)
comments inline...

> -----Original Message-----
> From: Laura A. Robinson [mailto:larobins (at) bellatlantic (dot) net [email concealed]]
> Sent: Saturday, January 29, 2005 2:24 PM
> To: Ghetti, Tim; 'Manuel Sousa'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Domain logon without network connection + group policies
>
>
> > Through group policy, you can forbid logon without DC authentication.
>
> Actually, the setting to which I believe you refer is for
> *unlocking* machines, not logging into them in the first place.

Actually, this is the setting I'm talking about.
(Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\Number of previous logons to cache)

> (Computer Configuration\Windows Settings\Security
> Settings\Local Policies\Security Options\Interactive logon:
> Require Domain Controller authentication to unlock workstation)
>
> Additionally, one can be authenticated by a DC without
> pulling down policies. Tricky timing, but authentication and
> group policy processing are separate processes

This is true, but if you set the following in addition, Windows waits
for all GPs before even giving the user the option to log in.
(Computer Configuration\Administrative Templates\System\Logon\Always
wait for the network at computer startup and logon)
Not to mention, I believe 2000 Pro processes all GPs before logon.

> > Under Security in GP "Number of previous logons to cache"
> > Change this to 0.
>
> See above.
> >
> > *****word of warning though,
> > if you have any laptop users, you will run into a rather big problem.
> > They will not be able to use their system off the network.
> > Another option is forcing a group policy refresh. The normal operation
> > is that every 90-120 minutes GP refreshes, but only if the version
> > number has changed (you've made a policy change). You can force GP to
> > refresh every X minutes regardless. Under GP go to --- Computer
> > Configuration --> Administrative Templates --> System --> Group
> > Policy, and configure it there.
>
> As the OP mentioned, this won't work if they've never gotten
> the policy in the first place.
>
>
> Laura
>
>

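The thread above argues about three Winlogon-related policies: how many logons the workstation caches, whether logon waits for the network (and therefore for Group Policy) to be ready, and whether a DC is required to unlock. The following PowerShell script is an added example, not code from either poster, that audits these three settings on a workstation by reading the registry values the policies are stored in, so an administrator can confirm what a machine will actually do when no DC is reachable. It assumes the standard registry backing locations for these policies (CachedLogonsCount and ForceUnlockLogon under the Winlogon key, SyncForegroundPolicy under the Policies Winlogon key); the function names are this example's own.

```powershell
# Added example: audit the logon policies discussed in the thread by reading
# the registry values that back them. Run in an elevated PowerShell session on
# the workstation being checked. Registry paths/value names are the standard
# backing locations for these policies; function names are this example's own.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null rather than throwing when the value or key is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-LogonPolicyState {
    # "Number of previous logons to cache" (REG_SZ; the OS default is 10 when absent)
    $cached = Get-RegValueOrNull -Path $WinlogonKey -Name 'CachedLogonsCount'
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    # "Always wait for the network at computer startup and logon" (DWORD 1 = enabled)
    $sync = Get-RegValueOrNull -Path $PolicyKey -Name 'SyncForegroundPolicy'

    # "Interactive logon: Require Domain Controller authentication to unlock
    # workstation" (DWORD 1 = enabled)
    $forceUnlock = Get-RegValueOrNull -Path $WinlogonKey -Name 'ForceUnlockLogon'

    [pscustomobject]@{
        CachedLogonsCount     = $cachedCount
        OfflineLogonPossible  = ($cachedCount -gt 0)
        WaitForNetworkAtLogon = ($sync -eq 1)
        RequireDcToUnlock     = ($forceUnlock -eq 1)
    }
}

$state = Get-LogonPolicyState
$state | Format-List

# Interpretation, following the points made in the thread.
if ($state.OfflineLogonPossible) {
    Write-Output "Cached credentials permit logon with no DC reachable ($($state.CachedLogonsCount) logons cached)."
} else {
    Write-Output "No cached logons: domain users need a DC to log on, so laptops off the network will be locked out."
}
if (-not $state.WaitForNetworkAtLogon) {
    Write-Output "Logon does not wait for the network: a user can be authenticated before Group Policy has been applied."
}
if (-not $state.RequireDcToUnlock) {
    Write-Output "Unlocking the workstation does not require DC authentication (cached credentials are accepted)."
}
```

Run it on a domain-joined workstation before and after a policy refresh to confirm the setting has actually reached the machine, which is the gap Laura points out: a refresh interval does nothing for a computer that never received the policy in the first place.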

RE: Domain logon without network connection + group policies Feb 01 2005 12:05AM
Laura A. Robinson (larobins bellatlantic net)
Copyright 2008, SecurityFocus