You could give everyone a domain controller?

Seriously though, we have a custom application that sits on the client, and when
it joins the domain, it generates a random 16-character password, which it
writes to a SQL database. From then on the SQL database owns the computer; if
you need to regenerate a new password, just push the button on a web front end
and it resets it and writes it to the database.


Mark
-----Original Message-----
From: "Dave Wade" <[EMAIL PROTECTED]>
Date: Tue, 16 May 2006 17:28:29 
To:<ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the "logon locally" rights to say "domain users" &
"administrator".  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 16 May 2006 16:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
<[EMAIL PROTECTED]> wrote:
> Yeah, disregard what I said about just leaving Admins on the "allow
> logon locally" setting, that's my bad.  I guess best thing to do would
> be delete all existing local user accounts.
>
> -Sergio
> -----Original Message-----
> From: Joe Lagreca [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 15, 2006 7:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
>
> Al and others,
>
> We are retrofitting previously deployed workstations.  Some have local
> logins, while others do not.  I was just wondering if there is a way,
> via GPO, to force all users to log into the domain, instead of giving 
> them the option to log into their local machine.
>
> I have been told that "In a GPO set the cached logon setting to "0"
> and make sure "allow logon locally" is only set to Admins." will not
> work.  However I still need to test this myself.  I was told "allow
> logon locally" will make it so all unlisted users will not be able to
> log in from that workstation, whether it's locally or to the domain.
>
> I realize their profiles wouldn't copy, and we can deal with that 
> afterwards.
>
> Thanks.
>
> Joe
>
>
> On 5/15/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> > I think you've seen several ways of achieving something similar to 
> > what you've asked for.  But I'm curious as to what you really want 
> > to accomplish.  You've put something very specific, but what makes 
> > you want to force the logon?  What's the backstory?
> >
> > Al
> >
> > On 5/15/06, Joe Lagreca <[EMAIL PROTECTED]> wrote:
> > > Is there a way to force users to logon to domain, or to disable
> > > logging into local computer accounts via GPO?
> > >
> > > Thanks.
> > >
> >
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



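The per-machine rotation described in the top message, as an added example that is not the poster's application or code from this thread: a Windows PowerShell 5.1 startup script that generates a random 16-character password, escrows it in SQL Server, then sets it on the built-in Administrator account. The server, database, and table names are hypothetical, and the script assumes the computer account has INSERT-only rights on that table.

```powershell
#Requires -RunAsAdministrator
# Added example. sql01.example.internal, the Escrow database and the
# dbo.LocalAdminPassword table are hypothetical names.
$ErrorActionPreference = 'Stop'   # any failure aborts before the password changes

function New-RandomPassword {
    param([int]$Length = 16)
    # Look-alike characters (0/O, 1/l/I) are left out so the value can be read aloud.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    # Rejection sampling: drop bytes past the largest multiple of the alphabet
    # size so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

function Save-EscrowedPassword {
    param([string]$ComputerName, [string]$Password, [string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Parameterized insert; one row per rotation keeps the previous value recoverable.
        $cmd.CommandText = 'INSERT INTO dbo.LocalAdminPassword (ComputerName, Password, SetAtUtc) ' +
                           'VALUES (@c, @p, SYSUTCDATETIME())'
        [void]$cmd.Parameters.AddWithValue('@c', $ComputerName)
        [void]$cmd.Parameters.AddWithValue('@p', $Password)
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Dispose() }
}

$password = New-RandomPassword -Length 16
# Escrow first: if the database write fails, the local password is untouched
# and the machine stays reachable with the old value.
Save-EscrowedPassword -ComputerName $env:COMPUTERNAME -Password $password `
    -ConnectionString 'Server=sql01.example.internal;Database=Escrow;Integrated Security=SSPI;Encrypt=True'
# Find the built-in Administrator by its well-known RID 500, even if renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$admin | Set-LocalUser -Password (ConvertTo-SecureString $password -AsPlainText -Force)
```

Because the password is generated on the client, nothing reusable sits in the startup script itself, which addresses the concern raised earlier in the thread about setting the password from a script.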