Hi
To disconnect users from network:
Use the Default domain policy.
Computer Configuration -> Windows Settings -> Security Settings -> Security
options:
Configure the Microsoft network server: Disconnect client when logon hours
expire setting to Enabled. Careful if logon hours are not used, this policy
setting will have no impact.
Microsoft network server: Disconnect clients when logon hours expire: This
policy setting determines whether to disconnect users who are connected to
the local computer outside their user account's valid logon hours. This
policy setting affects the server message block (SMB) component. When it is
enabled, client sessions with the SMB service are forcibly disconnected when
the client's logon hours expire. If it is disabled, an established client
session is allowed to be maintained after the client's logon hours have
expired. If you enable this policy setting, you should also enable the
Network security: Force logoff when logon hours expire setting. If your
organization has configured logon hours for users, then it makes sense to
enable the Microsoft network server: Disconnect client when logon hours
expire setting. Otherwise, users who should not have access to network
resources outside of their logon hours may actually be able to continue to
use those resources with sessions that were established during allowed
hours.
Then go to the user properties and configure the logon hours.
To Force LogOff:
If you enable the Network Security: Force Logoff when Logon Hours expire
setting, client sessions with the SMB server will be forcibly disconnected
when the user's logon hours expire. The user will be unable to log on to the
computer until their next scheduled access time. If you disable this policy
setting, users will be able to maintain an established client session after
their logon hours expire. To affect domain accounts, this setting must be
defined in the Default Domain Policy.
Force Logoff using shutdown command:
shutdown -l
To enable auto logon in Windows 2000/XP with a domain system, you need to
edit the registry. So this means that the user changed the registry to be able
to auto-logon.
For the auto logon to occur, the following values exist under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoAdminLogon = 1
DefaultPassword = UserPassword (UserPassword is the password for that user)
NOTE:
If this is true then you should go talk with the user and give him a pair of
slaps (just kidding), because this isn't very smart. You see, if you have
another "SmartUser", that user can use regedit to remotely connect to the
computer registry and read the user's password.
Now, if the user was able to change the registry, it is because he is probably
a machine administrator, and you shouldn't allow this. If for some reason he
needs to have an Administrator account, you should create a domain user
account which he should use for his normal logon, and create a second account
with administration privileges, then use the runas command to run specific
apps, etc.
(If you use Registry Editor incorrectly, you can cause serious problems that
may require you to reinstall your operating system)
To solve this problem you can:
1 - Use regedit -> file -> connect to remote registry -> select the target
machine
Navigate to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Delete the - DefaultPassword
Change the - AutoAdminLogon = 1 to AutoAdminLogon = 0
Prevent the user from being Local Administrator using Restricted Groups
policy. Be sure that you understand how Restricted Groups Policy works:
http://www.microsoft.com/resources/...ocs/en-us/sag_scerestrictgroups.mspx?mfr=true
Check - Microsoft Windows 2000 Security for more information
http://www.microsoft.com/technet/security/prodtech/Windows2000/win2khg/05sconfg.mspx
I hope that helps
Good Luck
Jorge Silva
MCSA
Systems Administrator
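
The registry check and cleanup described in the post above, as an added PowerShell example that is not part of the original post: it reads the Winlogon key over the remote registry, reports whether AutoAdminLogon is on and a DefaultPassword value exists, and with -Remediate deletes the password and sets AutoAdminLogon to 0. The host name is a placeholder, and the script assumes the Remote Registry service is running on the target and that you have administrative rights there.

```powershell
# Added example: audit (and optionally fix) stored auto-logon credentials.
# The default computer name is a placeholder; pass your own list.
param(
    [string[]]$ComputerName = @('PC-EXAMPLE-01'),   # hypothetical host name
    [switch]$Remediate
)

$subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

foreach ($computer in $ComputerName) {
    $base = $null; $key = $null
    try {
        # Same mechanism as regedit's "Connect to remote registry"
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
        # Open the key writable only when a fix was requested
        $key  = $base.OpenSubKey($subKey, $Remediate.IsPresent)
        if ($null -eq $key) { throw 'Winlogon key not found' }

        $autoLogon   = [string]$key.GetValue('AutoAdminLogon', '0')
        $hasPassword = $key.GetValueNames() -contains 'DefaultPassword'

        $fixed = $false
        if ($Remediate -and ($autoLogon -eq '1' -or $hasPassword)) {
            if ($hasPassword) { $key.DeleteValue('DefaultPassword') }
            $key.SetValue('AutoAdminLogon', '0',
                          [Microsoft.Win32.RegistryValueKind]::String)
            $fixed = $true
        }

        # Report only whether a password is stored, never its content
        [pscustomobject]@{
            Computer           = $computer
            AutoAdminLogon     = $autoLogon
            DefaultPasswordSet = $hasPassword
            Remediated         = $fixed
        }
    }
    catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
}
```

Run it without -Remediate first to see which machines are affected; any password found this way should be treated as exposed and changed.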