> -----Original Message-----
> From: Ghetti, Tim [mailto:tghetti (at) air-worldwide (dot) com [email concealed]]
> Sent: Monday, January 31, 2005 6:06 PM
> To: larobins (at) bellatlantic (dot) net [email concealed]; Manuel Sousa;
> focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Domain logon without network connection + group policies
>
> comments inline...
>
> > -----Original Message-----
> > From: Laura A. Robinson [mailto:larobins (at) bellatlantic (dot) net [email concealed]]
> > Sent: Saturday, January 29, 2005 2:24 PM
> > To: Ghetti, Tim; 'Manuel Sousa'; focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Domain logon without network connection +
> group policies
> >
> >
> > > Through group policy, you can forbid logon without DC
> > authentication.
> >
> > Actually, the setting to which I believe you refer is for
> > *unlocking* machines, not logging into them in the first place.
>
> Actually, this is the setting I'm talking about.
> (Computer Configuration\Windows Settings\Security
> Settings\Local Policies\Security Options\Number of previous
> logons to cache)
Um, you specified a setting to disallow logon without DC authentication; it
was that to which I replied. I am familiar with the caching setting, but
that isn't what I was talking about. That is why I put the setting to
which you *were* referring right there in the next paragraph. :-)
>
> > (Computer Configuration\Windows Settings\Security Settings\Local
> > Policies\Security Options\Interactive logon:
> > Require Domain Controller authentication to unlock workstation)
> >
> > Additionally, one can be authenticated by a DC without pulling down
> > policies. Tricky timing, but authentication and group policy
> > processing are separate processes
>
> This is true, but if you set the following, in addition,
> windows waits for all GP's before even giving the user the
> option to log in.
Yes, but that's not the setting to which you referred.
> (Computer Configuration\Administrative
> Templates\System\logon\Always wait for the network at
> computer startup and logon) Not to mention, I believe 200
> pro processes all gp's before logon
That is a modifiable setting in both user and computer configuration in
Win2K, actually. It's just the default behavior that changed from Win2K to
XP.
>
> > > Under Security in GP "Number of previous logons to cache"
> > > Change this to 0.
> >
> > See above.
I didn't dispute this. See above.
Laura
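For anyone wanting to check which of the three settings argued over above are actually in effect on a workstation, here is an added audit script (mine, not from either poster). It assumes the standard Winlogon registry locations that these policies write to: CachedLogonsCount and ForceUnlockLogon under the Winlogon key, and SyncForegroundPolicy under the Policies hive.

```powershell
# Added example, not part of the thread: report the effective state of the
# three Group Policy settings discussed (cached logons, DC auth to unlock,
# always wait for network). Run in an elevated PowerShell on the workstation.
# Assumed registry locations: standard Winlogon / Policies Winlogon keys.

$winlogon       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyWinlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy is not configured
}

# "Number of previous logons to cache" -> CachedLogonsCount (REG_SZ, default "10").
# 0 means no cached domain logon at all when no DC is reachable.
$cached          = Get-RegValue $winlogon 'CachedLogonsCount'
$cachedEffective = if ($null -eq $cached) { 10 } else { [int]$cached }

# "Interactive logon: Require Domain Controller authentication to unlock
# workstation" -> ForceUnlockLogon (DWORD 1 = required). Governs unlocking only,
# which is the distinction Laura draws in the thread.
$forceUnlock = Get-RegValue $winlogon 'ForceUnlockLogon'

# "Always wait for the network at computer startup and logon"
# -> SyncForegroundPolicy (DWORD 1 = synchronous GP processing before the
# logon prompt), the behaviour Tim describes.
$syncFg = Get-RegValue $policyWinlogon 'SyncForegroundPolicy'

$report = [pscustomobject]@{
    CachedLogonsCount     = $cachedEffective
    CachedLogonsDisabled  = ($cachedEffective -eq 0)
    RequireDCAuthToUnlock = ($forceUnlock -eq 1)
    AlwaysWaitForNetwork  = ($syncFg -eq 1)
}
$report | Format-List

# Flag the combination that still permits a domain logon with no DC and stale policy.
if (-not $report.CachedLogonsDisabled) {
    Write-Warning "Cached domain logons allowed ($cachedEffective): logon works with no DC reachable."
}
if (-not $report.AlwaysWaitForNetwork) {
    Write-Warning "Asynchronous GP processing: a user may reach the desktop before policies apply."
}
```

Read against the thread: CachedLogonsDisabled answers the original question, RequireDCAuthToUnlock only affects unlocking, and AlwaysWaitForNetwork is what closes the authentication-versus-policy timing gap.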