Workstation lockdown

Thread starter: Bob Schaber

Bob Schaber

Could anyone offer up advice? I have mobile laptops which need domain
membership to work. I can log onto the domain and it will cache the domain
info so they may log in when not connected... That's good for me.
Problem is I need to lock down these computers via a policy of sorts, but I
need to unlock the policy if the administrator account is used. I have to make sure
this will work with or without network connectivity.
 
If you are logging on as a local administrator, then Group Policy "user"
configuration will not apply to you or any other local machine logon. If you
want to use domain Group Policy, then filter the policy so that it does not
apply to the Administrators group by giving the Administrators group Deny on
"Apply Group Policy" in the security page of the GPO itself. This is called
filtering and is explained in more detail in the KB link below. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
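The filtering Steve describes, done from PowerShell instead of the GPO security page. This is an added example, not code from the original thread or from Microsoft: it puts a Deny ACE for the "Apply Group Policy" extended right (well-known GUID edacfd8f-ffb3-11d1-b41d-00a0c90f8e5f) on the GPO's Active Directory object and then verifies it. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the GPO name "Laptop Lockdown" and the group name are placeholders, and the function names are mine.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Excludes a group from a GPO by adding a Deny ACE for the "Apply Group
# Policy" extended right on the GPO's AD object (the groupPolicyContainer),
# which is what the client evaluates when deciding whether to apply the GPO.
# Assumptions: GroupPolicy and ActiveDirectory RSAT modules are present;
# "Laptop Lockdown" and the group name passed in are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

# Well-known rightsGuid of the "Apply Group Policy" extended right.
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c90f8e5f'

function Resolve-GroupSid {
    param([Parameter(Mandatory)][string] $GroupName)
    # "Administrators" resolves to BUILTIN\Administrators (S-1-5-32-544);
    # "Domain Admins" resolves to the domain-specific SID.
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function Test-GPApplyDenied {
    param(
        [Parameter(Mandatory)][string] $GpoName,
        [Parameter(Mandatory)][string] $GroupName
    )
    $sid = Resolve-GroupSid $GroupName
    $gpo = Get-GPO -Name $GpoName
    $acl = Get-Acl -Path "AD:\$($gpo.Path)"
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $sid -and
            $ace.AccessControlType -eq 'Deny' -and
            $ace.ObjectType -eq $ApplyGroupPolicyRight) {
            return $true
        }
    }
    return $false
}

function Deny-GPApply {
    param(
        [Parameter(Mandatory)][string] $GpoName,
        [Parameter(Mandatory)][string] $GroupName
    )
    if (Test-GPApplyDenied -GpoName $GpoName -GroupName $GroupName) {
        Write-Verbose "$GroupName is already denied Apply Group Policy on '$GpoName'"
        return
    }
    $sid  = Resolve-GroupSid $GroupName
    $gpo  = Get-GPO -Name $GpoName
    $path = "AD:\$($gpo.Path)"        # distinguished name of the GPO's AD object
    $acl  = Get-Acl -Path $path
    # Deny + ExtendedRight + the Apply Group Policy GUID. A Deny ACE wins over
    # the Allow that Authenticated Users holds by default, so members of the
    # group stop receiving this GPO.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (placeholder names):
# Deny-GPApply        -GpoName 'Laptop Lockdown' -GroupName 'Administrators'
# Test-GPApplyDenied  -GpoName 'Laptop Lockdown' -GroupName 'Administrators'
```

The Deny entry is evaluated against the logging-on user's token when policy is retrieved from a domain controller, so a user who is in the denied group does not receive the GPO; when the laptop is off the network, the client keeps whatever it last applied, so an excluded administrator stays excluded offline. Note that this only affects domain accounts whose token contains the group; as Steve says, the built-in local Administrator account never receives domain user configuration in the first place.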
 
Great info and thanks for the prompt response... One last question... If
these machines will be disconnected much of the time, will every user that is
going to use the machine need to log on while connected, or does it actually
bring down the whole SAM at a single user logon? Forgive me if my
terminology is incorrect.
 
By default, a W2K domain member will be able to cache logons for ten domain
user accounts, and each user that will need to use that computer will need to
log on to the live network in order to have a cached logon available. The
cached logon number can be changed in Local Security Policy/Security
Settings/Local Policies/Security Options. --- Steve
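The setting Steve points to, read and changed from PowerShell. This is an added example, not from the original thread or from Microsoft: the cached logon limit lives in the Winlogon key as a REG_SZ named CachedLogonsCount (the Security Options entry "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"), with a valid range of 0 to 50. The function names and the helper that treats an absent value as the default of 10 are mine.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Reads and sets the cached domain logon count. The value is stored as a
# string; a missing value behaves as the default of 10.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrEmpty($item.CachedLogonsCount)) {
        return 10   # absent value: Windows uses the default of ten cached logons
    }
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int] $Count)
    # 0 disables caching entirely: the most secure setting, but a mobile user
    # could then no longer log on with the laptop off the network.
    Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
    return Get-CachedLogonsCount
}

# Usage: a laptop shared by more than ten domain users needs a higher limit;
# each of those users must still log on once while a DC is reachable.
# Set-CachedLogonsCount -Count 25
# Get-CachedLogonsCount
```

If the laptops receive a domain GPO that defines this Security Option, the domain value overwrites the local one at the next policy refresh, so on a domain member it is better set in the laptop GPO (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) than edited locally.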
 
In reply to Bob Schaber's follow-up question above (microsoft.public.win2000.security news group):

The SAM (accounts database) is never transferred over the wire to a
client. A user will have to log on to the system at least once while a
domain controller is reachable; otherwise, they won't be able to use
cached credentials.
 
-----Original Message----- (Bob Schaber's original question, as quoted at the top of the thread)

Try setting security on the GPO so that it does not apply
to administrator; set up an exclusion for admins for that
policy. Good luck.
 