Ability to logon after account has been disabled

Bob

I have an account locked out and the user was able to
enter User name, unplug the network hub, enter a
fictitious password, and then plug the power back into
the hub and the PC logged on and reconnected to Domain
resources like Internet Explorer, etc. How can I fix
this??
 
I tend to doubt it was a fictitious password. What happens is by default W2K allows
"cached credentials" so that a user can log into their local machine when a domain
controller is unable to authenticate their account. The purpose is to allow users to
still use their local machine, but obviously people have found out how to abuse it.
There is a security option that can be configured at various levels such as local,
domain, or Organizational Unit to disable it. For instance in Local Security Policy
it would be in security settings/local policies/security options - number of previous
logons to cache. Set it to zero to not allow domain cached logons. That will not
stop a user from logging on to a local machine account if they have one - possibly
one you do not know about. --- Steve
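
A check for the two points in the answer above, as an added example that is not part of the original thread: it reads the registry value behind the "number of previous logons to cache" option and lists enabled local accounts. It assumes Windows PowerShell 5.1 or later (for `Get-LocalUser`) and an elevated prompt; the function name is hypothetical.

```powershell
# Added example: audit cached domain logons and local accounts on one machine.
# The security option "number of previous logons to cache" is stored in this
# registry value (REG_SZ) under the Winlogon key.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the configured count as an integer, or $null if the value is absent.
    $prop = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

$count = Get-CachedLogonsCount
if ($null -eq $count) {
    Write-Output 'CachedLogonsCount is not set: the built-in default applies and cached domain logons are allowed.'
}
elseif ($count -eq 0) {
    Write-Output 'CachedLogonsCount = 0: domain logons require a reachable domain controller.'
}
else {
    Write-Output "CachedLogonsCount = $count`: the last $count domain logons can be replayed offline."
}

# Setting the count to zero does not affect local machine accounts, so list
# every enabled one and review any that are unexpected.
Get-LocalUser |
    Where-Object { $_.Enabled } |
    Select-Object Name, LastLogon, PasswordLastSet |
    Format-Table -AutoSize
```

A value set by domain or OU policy overwrites a local change at the next policy refresh, so the reading reflects whichever level applied last.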
 