GPO prevent logon

[Guest]

I have a number of laptop users that I want to lock down, they can currently
disconnect there laptops from the domain and still logon with the same
password when out of the office.

I want to disable this and use hardware profiles seting up a local account
for them to login with.

Problem is they will still be able to login with there domain account, there
must be away to disable logon if network isn't present but I can't find the
setting, can someone point me in the right direction.

Thanks in advance

 

[Guest]

Hi,

The trick with this is the "cached credentials" or the "profile". The only
way to do this is to 1> Enable Roaming Profiles. 2> Force the profiles to
delete on logoff. There are a few settings you have to enable.

Group Policy - Computer Group Policy - Win Settings-Security Settings -
Local Policies - Security Options - "Interactive Logon: Number to Cache in
case Domain Controller unavailable - Set to 0"

Group Poliy - Computer Config -Admin Templates - Syste - User Profiles -
Delete cached copy of Roaming Profiles - Enabled.

I also have a "startup" Script that promptly deletes all cached profiles
except the ones I specified. That way it clears all cached profiles on
startup.

Cheers,

Lara