You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to "Domain Computers" and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin


=====================================================
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, sErr
Dim oUser

' NOTE: the password is a clear-text literal. Anything that can read this
' script (every computer account in the domain, by design) can read it.
sNewPassword = "PutSomeReallyLongPasswordHere"

Set objShell = CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName

If sAdminName = "" Then
    objShell.LogEvent 1, "LP startup script LP04: built-in Administrator (RID 500) not found; no change made."
    WScript.Quit 1
End If

' Bind to the local account through the WinNT provider and set the password.
' Errors are checked explicitly instead of being silently swallowed.
On Error Resume Next
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
If Err.Number = 0 Then
    oUser.SetPassword sNewPassword
    oUser.SetInfo
End If
If Err.Number <> 0 Then
    sErr = Err.Description
    On Error Goto 0
    objShell.LogEvent 1, "LP startup script LP04: failed to set password for " & sAdminName & ": " & sErr
    WScript.Quit 1
End If
On Error Goto 0

objShell.LogEvent 4, "LP startup script LP04 run record."

'==========================================================================
' Get Admin Account Name
' Returns the name of the built-in Administrator account even if it has
' been renamed: it is the local account whose SID ends in RID 500.
' Returns "" if no such account is found.
'==========================================================================

Function GetAdministratorName()
    Dim objNet, oUserAccounts, oUserAccount
    GetAdministratorName = ""
    Set objNet = CreateObject("WScript.Network")
    ' Local accounts are the Win32_UserAccount rows whose Domain is the computer name.
    Set oUserAccounts = GetObject( _
         "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
         .ExecQuery("Select Name, SID from Win32_UserAccount" _
       & " WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    For Each oUserAccount In oUserAccounts
      ' Machine-local SIDs start with S-1-5-21-; the built-in Administrator
      ' always has RID 500, whatever it has been renamed to.
      If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
         Right(oUserAccount.SID, 4) = "-500" Then
        GetAdministratorName = oUserAccount.Name
        Exit For
      End If
    Next
    On Error Goto 0
End Function
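[Editor's note, not part of Devin's post or the original thread.] The same startup-script idea in PowerShell, with the additional step Joe describes further down (delete every local account except the built-in Administrator). This is an added example, not code from the list; it assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets and Write-EventLog), that it runs as SYSTEM from a GPO computer startup script, and an event-log source name of LocalAdminPassword chosen for illustration. It locates the built-in Administrator by RID 500 rather than by name, and treats every other RID below 1000 as a built-in account to be left alone (Guest is 501, DefaultAccount 503, WDAGUtilityAccount 504; accounts created by people start at 1000). The caveat Devin raises applies unchanged and is worth spelling out: the password is a clear-text literal in a file that every domain computer account can read, so anyone who is SYSTEM or local admin on any one joined machine can read it, and because it is the same on every machine, that one read is a credential for all of them.

```powershell
# Added example (not from the original post): rotate the built-in local
# Administrator password and optionally drop all other local accounts.
# Assumptions: Windows PowerShell 5.1, Windows 10 / Server 2016+, run as SYSTEM
# as a GPO computer startup script. Password is still clear text in the file.

$NewPassword              = 'PutSomeReallyLongPasswordHere'   # placeholder
$RemoveOtherLocalAccounts = $true     # $false = only rotate the password
$EventSource              = 'LocalAdminPassword'              # assumed source name

function Write-ScriptEvent {
    param([string]$Message, [string]$Type = 'Information')
    # Register the source on first use; Write-EventLog refuses unknown sources.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource `
        -EntryType $Type -EventId 1 -Message $Message
}

# The last dash-separated component of a SID is the RID.
function Get-Rid([System.Security.Principal.SecurityIdentifier]$Sid) {
    [int]($Sid.Value.Split('-')[-1])
}

# Only accounts under the machine SID (S-1-5-21-...) are local accounts.
$localUsers = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*' }

# Built-in Administrator: RID 500, regardless of what it has been renamed to.
$admin = $localUsers | Where-Object { (Get-Rid $_.SID) -eq 500 }
if (-not $admin) {
    Write-ScriptEvent -Type Error -Message 'Built-in Administrator (RID 500) not found; no changes made.'
    exit 1
}

try {
    $secure = ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
    $admin | Set-LocalUser -Password $secure
    Write-ScriptEvent -Message "Password set on built-in Administrator account '$($admin.Name)'."
} catch {
    Write-ScriptEvent -Type Error -Message "Failed to set password on '$($admin.Name)': $_"
    exit 1
}

if ($RemoveOtherLocalAccounts) {
    # RIDs below 1000 are reserved for built-in accounts (Guest, DefaultAccount,
    # WDAGUtilityAccount, ...); user-created local accounts start at 1000.
    $extra = $localUsers | Where-Object { (Get-Rid $_.SID) -ge 1000 }
    foreach ($u in $extra) {
        try {
            Remove-LocalUser -InputObject $u
            Write-ScriptEvent -Message "Removed local account '$($u.Name)' (RID $(Get-Rid $u.SID))."
        } catch {
            Write-ScriptEvent -Type Warning -Message "Could not remove local account '$($u.Name)': $_"
        }
    }
}
```

Deploy it the way Devin describes (Computer Configuration startup script, file ACL limited to Domain Computers plus the admins who maintain it), and check the Application log for the LocalAdminPassword events on a test machine before rolling it out; a machine where RID 500 is disabled still gets its password set, since Set-LocalUser does not touch the enabled flag.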


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
startup to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
<[EMAIL PROTECTED]> wrote:
> Yeah, disregard what I said about just leaving Admins on the "allow
> logon locally" setting, that's my bad.  I guess best thing to do would
> be delete all existing local user accounts.
>
> -Sergio
> -----Original Message-----
> From: Joe Lagreca [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 15, 2006 7:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
>
> Al and others,
>
> We are retrofitting previously deployed workstations.  Some have local
> logins, while others do not.  I was just wondering if there is a way,
> via GPO, to force all users to log into the domain, instead of giving 
> them the option to log into their local machine.
>
> I have been told that "In a GPO set the cached logon setting to "0"
> and make sure "allow logon locally" is only set to Admins." will not 
> work.  However I still need to test this myself.  I was told "allow 
> logon locally" will make it so all unlisted users will not be able to 
> login from that workstation, whether it's locally or to the domain.
>
> I realize their profiles wouldn't copy, and we can deal with that 
> afterwards.
>
> Thanks.
>
> Joe
>
>
> On 5/15/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > I think you've seen several ways of achieving something similar to 
> > what you've asked for.  But I'm curious as to what you really want 
> > to accomplish.  You've put something very specific, but what makes 
> > you want to force the logon?  What's the backstory?
> >
> > Al
> >
> > On 5/15/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:
> > > Is there a way to force users to logon to domain, or to disable logging
> > > into local computer accounts via GPO?
> > >
> > > Thanks.
> > >
> >
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
