Ability to logon after account has been disabled


Bob

I have an account locked out and the user was able to
enter User name, unplug the network hub, enter a
fictitious password, and then plug the power back into
the hub and the PC logged on and reconnected to Domain
resources like Internet Explorer, etc. How can I fix
this??
 
I tend to doubt it was a fictitious password. What happens is by default W2K allows
"cached credentials" so that a user can log into their local machine when a domain
controller is unable to authenticate their account. The purpose is to allow users to
still use their local machine, but obviously people have found out how to abuse it.
There is a security option that can be configured at various levels such as local,
domain, or Organizational Unit to disable it. For instance in Local Security Policy
it would be in security settings/local policies/security options - number of previous
logons to cache. Set it to zero to not allow domain cached logons. That will not
stop a user from logging on to a local machine account if they have one - possibly
one you do not know about. --- Steve
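
The two checks from the reply above, as an added example that is not part of the original thread: it reads the registry value behind "number of previous logons to cache" and lists enabled local accounts, which that setting does not cover. It assumes Windows PowerShell 5.1 or later (for `Get-LocalUser`); the `-Enforce` switch is a name made up for this script.

```powershell
# Added example: audits one machine for the two points in the reply above.
# Assumes Windows PowerShell 5.1+ (for Get-LocalUser). -Enforce is this
# script's own (hypothetical) switch and needs an elevated session.
param([switch]$Enforce)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'   # value behind "number of previous logons to cache"

# The value is stored as a string (REG_SZ). If it is absent, the OS default applies.
$raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $raw) {
    $state = 'not set (OS default applies, cached domain logons allowed)'
} elseif ([int]$raw -eq 0) {
    $state = '0 (cached domain logons disabled)'
} else {
    $state = "$raw (cached domain logons allowed)"
}
Write-Output "CachedLogonsCount: $state"

if ($Enforce -and (($null -eq $raw) -or ([int]$raw -ne 0))) {
    # Local change only: a domain or OU policy that defines this setting
    # overwrites it at the next policy refresh.
    Set-ItemProperty -Path $key -Name $name -Value '0' -Type String
    Write-Output 'CachedLogonsCount set to 0.'
}

# A count of zero does not stop logons with local machine accounts,
# so list the enabled ones for review.
Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object Name, LastLogon, PasswordLastSet
```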
 
