Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-24 Thread Kamlesh Parmar
If you still want to set it via GPO...

Set "allow logon locally" to Administrators, domain\domain users.
This will ensure that local accounts don't get the right to logon, unless they are a member of the Administrators group.
-- 
Kamlesh
~Be the change you want to see in the World~

On 5/16/06, Joe Lagreca [EMAIL PROTECTED] wrote:
Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe

On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the "allow logon
 locally" setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local
 logins, while others do not.  I was just wondering if there is a way,
 via GPO, to force all users to log into the domain, instead of giving
 them the option to log into their local machine.

 I have been told that "In a GPO set the cached logon setting to "0"
 and make sure "allow logon locally" is only set to Admins." will not
 work.  However I still need to test this myself.  I was told "allow
 logon locally" will make it so all unlisted users will not be able to
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that
 afterwards.

 Thanks.

 Joe

 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to
  what you've asked for.  But I'm curious as to what you really want to
  accomplish.  You've put something very specific, but what makes you
  want to force the logon?  What's the backstory?

  Al

  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable loging
   into local computer accounts via GPO?

   Thanks.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
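
The setting suggested in the message above can be checked on a workstation from a security template exported with `secedit`. The following is an added example, not part of the thread: it parses a constructed `[Privilege Rights]` section and reports which principals hold `SeInteractiveLogonRight` (Allow log on locally) beyond Administrators and Domain Users, and whether either of those two is missing. The sample template, the domain SID and the function names are assumptions for illustration.

```powershell
# Added example: audit "Allow log on locally" (SeInteractiveLogonRight) from a
# security template exported on the workstation with
#   secedit /export /cfg secpol.inf /areas USER_RIGHTS
# $sampleTemplate is constructed sample data; the domain SID is a placeholder.

$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513,tempuser
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-PrivilegeRight {
    # Returns the principals listed for one right in the [Privilege Rights] section.
    param(
        [Parameter(Mandatory)] [string] $TemplateText,
        [Parameter(Mandatory)] [string] $Right
    )
    $inSection = $false
    foreach ($line in ($TemplateText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # SIDs are written as *S-1-...; unresolved local accounts appear by name.
            return @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Test-InteractiveLogon {
    param(
        [Parameter(Mandatory)] [string] $TemplateText,
        [Parameter(Mandatory)] [string] $DomainSid
    )
    # The two principals named in the thread: Administrators and domain\Domain Users.
    $expected = [ordered]@{
        'S-1-5-32-544'       = 'BUILTIN\Administrators'
        "${DomainSid}-513"   = 'Domain Users'
    }
    $granted = @(Get-PrivilegeRight -TemplateText $TemplateText -Right 'SeInteractiveLogonRight')

    foreach ($principal in $granted) {
        if ($expected.Contains($principal)) {
            [pscustomobject]@{ Principal = $principal; Status = 'Expected'; Note = $expected[$principal] }
        }
        else {
            # BUILTIN\Users (S-1-5-32-545) lands here too: it contains local accounts.
            [pscustomobject]@{ Principal = $principal; Status = 'Unexpected'; Note = 'not in the intended list' }
        }
    }
    foreach ($sid in $expected.Keys) {
        if ($granted -notcontains $sid) {
            # If Domain Users is missing, domain accounts cannot log on at the console either.
            [pscustomobject]@{ Principal = $sid; Status = 'Missing'; Note = $expected[$sid] }
        }
    }
}

Test-InteractiveLogon -TemplateText $sampleTemplate -DomainSid $domainSid |
    Format-Table -AutoSize
```

For a real export, pass `(Get-Content secpol.inf -Raw)` as `-TemplateText` and the domain's own SID as `-DomainSid`.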



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-18 Thread Sudhir Kaushal

Return Receipt

Your document:
RE: [ActiveDir] Is there a way to force users to logon to domain?

was received by:
Sudhir Kaushal/GIS/CSC

at:
05/18/2006 11:03:46 AM GDT






RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread nelson yong
Return Receipt


Your document:
RE: [ActiveDir] Is there a way to force users to logon to domain?


was received by:
nelson yong/IT/KSL


at:
17/05/2006 02:25:29 PM



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread Dave Wade
Providing you have up to date scripting engines loaded you can encrypt
the script to keep casual eyes away:-

http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: 16 May 2006 17:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to
domain?

You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to Domain Computers and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin


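=
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName
Dim oUser

On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

' Placeholder: replace with the real password before deployment
sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
' Resolve the built-in Administrator by SID so a renamed account is still found
sAdminName = GetAdministratorName

' Bind to the local account through the WinNT provider and set the password
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' Event type 4 = information, written to the Application log.
' Errors above are suppressed, so this records that the script ran,
' not that the password change succeeded.
objShell.LogEvent 4, "LP startup script LP04 run record."

'======
' Get Admin Account Name
'======

Function GetAdministratorName()
    Dim objNet, oWmi, oUserAccounts, oUserAccount
    Set objNet = CreateObject("WScript.Network")
    ' Query only the accounts that belong to this computer (local accounts)
    Set oWmi = GetObject("winmgmts://" & objNet.ComputerName & "/root/cimv2")
    Set oUserAccounts = oWmi.ExecQuery( _
        "Select Name, SID from Win32_UserAccount " & _
        "WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    For Each oUserAccount In oUserAccounts
        ' The built-in Administrator always has RID 500, whatever its name
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
           Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function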


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow 
 logon locally setting, that's my bad.  I guess best thing to do would

 be delete all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local

 logins, while others do not.  I was just wondering if there is a way, 
 via GPO, to force all users to log into the domain, instead of giving 
 them the option to log into their local machine.

 I have been told that In a GPO set the cached logon setting to 0
 and make sure allow logon locally is only set to Admins. will not 
 work.  However I still need to test this myself.  I was told allow 
 logon locally will make it so all unlisted users will not be able to 
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that 
 afterwards.

 Thanks.

 Joe


 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to 
  what you've asked for.  But I'm curious as to what you really want 
  to accomplish.  You've put something very specific, but what makes 
  you want to force the logon?  What's the backstory?
 
  Al
 
  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable 
   loging
 into
   local computer accounts via GPO?
  
   Thanks.
  
 
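
The SID test used in the script quoted above (prefix `S-1-5-21-`, RID 500) also gives a way to plan the account cleanup discussed in this thread before any startup script deletes anything. The following dry run is an added example, not code from the thread: it classifies a constructed list of local accounts by SID and changes nothing. The account names, SIDs, group membership and the function name `Get-LocalAccountPlan` are assumptions for illustration.

```powershell
# Added example: dry-run plan for local account cleanup, keyed on SIDs rather than names.
# $sampleAccounts is constructed data shaped like Win32_UserAccount rows
# (Name, SID, Disabled) for one workstation; nothing here touches a real machine.

$machineSid = 'S-1-5-21-1004336348-1177238915-682003330'   # constructed
$sampleAccounts = @(
    [pscustomobject]@{ Name = 'LocalBoss'; SID = "${machineSid}-500";  Disabled = $false }  # renamed Administrator
    [pscustomobject]@{ Name = 'Guest';     SID = "${machineSid}-501";  Disabled = $false }
    [pscustomobject]@{ Name = 'ITSupport'; SID = "${machineSid}-1003"; Disabled = $false }
    [pscustomobject]@{ Name = 'jsmith';    SID = "${machineSid}-1005"; Disabled = $false }
    [pscustomobject]@{ Name = 'kiosk';     SID = "${machineSid}-1006"; Disabled = $true  }
)
# Constructed membership of the local Administrators group, by SID.
$sampleAdminMembers = @("${machineSid}-500", "${machineSid}-1003")

function Get-LocalAccountPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [string[]] $AdministratorsMemberSids = @()
    )
    foreach ($acct in $Accounts) {
        $rid = $null
        # An account SID is S-1-5-21-<three sub-authorities>-<RID>.
        if ($acct.SID -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
            $rid = [int64]$Matches[1]
            if ($rid -eq 500) {
                # Same rule as the VBScript: RID 500 is the built-in Administrator,
                # whatever the account has been renamed to.
                $action = 'Keep'
                $reason = 'built-in Administrator (RID 500)'
            }
            elseif ($rid -eq 501) {
                $action = 'Disable'
                $reason = 'built-in Guest (RID 501)'
            }
            elseif ($AdministratorsMemberSids -contains $acct.SID) {
                $action = 'Keep'
                $reason = 'member of local Administrators'
            }
            else {
                $action = 'Delete'
                $reason = 'ordinary local account'
            }
        }
        else {
            $action = 'Review'
            $reason = 'SID is not an account SID'
        }
        [pscustomobject]@{
            Name     = $acct.Name
            Rid      = $rid
            Disabled = $acct.Disabled
            Action   = $action
            Reason   = $reason
        }
    }
}

# Print the plan only; no account is modified.
Get-LocalAccountPlan -Accounts $sampleAccounts -AdministratorsMemberSids $sampleAdminMembers |
    Format-Table -AutoSize
```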
 

Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread ASB
You can change them remotely.

http://www.ultratech-llc.com/KB/?File=Passwords.TXT

Changing them via GPO simply means that the password will have to reside locally on the system, and there's no reason for that...

-ASB
On 5/16/06, Joe Lagreca [EMAIL PROTECTED] wrote:
Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe

On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the "allow logon
 locally" setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local
 logins, while others do not.  I was just wondering if there is a way,
 via GPO, to force all users to log into the domain, instead of giving
 them the option to log into their local machine.

 I have been told that "In a GPO set the cached logon setting to "0"
 and make sure "allow logon locally" is only set to Admins." will not
 work.  However I still need to test this myself.  I was told "allow
 logon locally" will make it so all unlisted users will not be able to
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that
 afterwards.

 Thanks.

 Joe

 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to
  what you've asked for.  But I'm curious as to what you really want to
  accomplish.  You've put something very specific, but what makes you
  want to force the logon?  What's the backstory?

  Al

  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable loging
   into local computer accounts via GPO?

   Thanks.


[OT] RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread Al Mulnick


Have you not figured it out yet joe? I'm tormenting you ;)

not really - this is really friggin' annoying actually

The reason I haven't gone back to hotmail is that it's extremely annoying to try and read threads. Gmail is great for that vs. hotmail which can't cope. To date, I must be the only person giving that feedback to the live mail folks :) Oh, that and Dean's emails always end up in the inbox circumventing any rules I might set up to the contrary. 

Interesting that plain-text has to be mime-encoded. Not sure why the messages to the list are causing issues vs. any other messages sent/received. I've searched GMAIL archives for a client side fix. My choices are to very limited (rich-text vs. plain-text pretty much sum it up.)

Since we know that the data is there for some UA's, we can surmise that problem is client side due to something server-side being done unexpectedly. Bugs everywhere when you boil it down. Still, that precludes people from benefitting from my wit, charm, and other positive attributes. 

I'll see what I can do on my end. 

In the meantime, send an email to Windows Live Mail folks asking for better thread viewing of messages. If they did, we'd only have to worry about performance of the web interface...

Al


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?
Date: Mon, 15 May 2006 17:42:19 -0400

Crap, more blank emails from Al. Al, use hotmail or something. ;)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?



Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread Al Mulnick


Not that I can read these easily, but...

What occurs to me is that you want the users to start using the domain logon only. If you set the cache to 0, as you likely reasoned out already, the user would have to be always connected. That's not good in an increasingly mobile clientele. 

"Force" might be too strong a tactic. I think the better term here is "entice" the user to logon to the domain. "Coerce" might also be relevant. The easiest answer is to use policy and ease-of-use your way forward. Certainly you want to reduce the amount of logon locally by removing administrator access. That won't do a lot of good if the user is a local administrator. They could just do what they want anyway in that case. If you remove the administrative access, that's well and good, but there are drawbacks to that especially for mobile workers. Can be a PITA. 

Making it desirable to logon via the domain is a low-stress way to get the users better trained and overall happier. Make it easier to logon to applications such as email, im, portal, etc if they also logon via AD. Have a password change policy (layer-8 policy reinforced with technical policy) that discourages using local logons and saving passwords if not prevents saving passwords locally. 

Will you get 100% compliance from day 1? Not likely. Will you get 80-90%? More likely if you craft this policy and deployment well. You'll have some stragglers to deal with later, but you'll spend a lot less effort with much better results if you take the low-impact way up front. 

Unless you have some other driving need to get to 100% compliance? If that's the case, then you'll have to take more drastic measures and break a few eggs while you make this omelette. 

Al


Date: Wed, 17 May 2006 05:35:42 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

You can change them remotely.

http://www.ultratech-llc.com/KB/?File=Passwords.TXT

Changing them via GPO simply means that the password will have to reside locally on the system, and there's no reason for that...

-ASB
On 5/16/06, Joe Lagreca [EMAIL PROTECTED] wrote:
Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe

On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the "allow logon
 locally" setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local
 logins, while others do not.  I was just wondering if there is a way,
 via GPO, to force all users to log into the domain, instead of giving
 them the option to log into their local machine.

 I have been told that "In a GPO set the cached logon setting to "0"
 and make sure "allow logon locally" is only set to Admins." will not
 work.  However I still need to test this myself.  I was told "allow
 logon locally" will make it so all unlisted users will not be able to
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that
 afterwards.

 Thanks.

 Joe

 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to
  what you've asked for.  But I'm curious as to what you really want to
  accomplish.  You've put something very specific, but what makes you
  want to force the logon?  What's the backstory?

  Al

  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable loging
   into local computer accounts via GPO?

   Thanks.


RE: [OT] RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-17 Thread joe



Dean marks his messages 
special so you have to pay attention to them. 

What's this windows live stuff? ;)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 17, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: [OT] RE: [ActiveDir] Is there a way to force users to logon to domain?

Have you not figured it out yet joe? I'm tormenting you ;)

not really - this is really friggin' annoying actually

The reason I haven't gone back to hotmail is that it's extremely annoying to try and read threads. Gmail is great for that vs. hotmail which can't cope. To date, I must be the only person giving that feedback to the live mail folks :) Oh, that and Dean's emails always end up in the inbox circumventing any rules I might set up to the contrary.

Interesting that plain-text has to be mime-encoded. Not sure why the messages to the list are causing issues vs. any other messages sent/received. I've searched GMAIL archives for a client side fix. My choices are to very limited (rich-text vs. plain-text pretty much sum it up.)

Since we know that the data is there for some UA's, we can surmise that problem is client side due to something server-side being done unexpectedly. Bugs everywhere when you boil it down. Still, that precludes people from benefitting from my wit, charm, and other positive attributes.

I'll see what I can do on my end.

In the meantime, send an email to Windows Live Mail folks asking for better thread viewing of messages. If they did, we'd only have to worry about performance of the web interface...

Al

  
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?
  Date: Mon, 15 May 2006 17:42:19 -0400

  Crap, more blank emails from Al. Al, use hotmail or something. ;)
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 15, 2006 4:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?
  


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.

-Sergio 
-Original Message-
From: Joe Lagreca [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 15, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Al and others,

We are retrofitting previously deployed workstations.  Some have local
logins, while others do not.  I was just wondering if there is a way,
via GPO, to force all users to log into the domain, instead of giving
them the option to log into their local machine.

I have been told that In a GPO set the cached logon setting to 0
and make sure allow logon locally is only set to Admins. will not
work.  However I still need to test this myself.  I was told allow
logon locally will make it so all unlisted users will not be able to
login from that workstation, whether its locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that
afterwards.

Thanks.

Joe


On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think you've seen several ways of achieving something similar to
 what you've asked for.  But I'm curious as to what you really want to
 accomplish.  You've put something very specific, but what makes you
 want to force the logon?  What's the backstory?

 Al

 On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
  Is there a way to force users to logon to domain, or to disable loging
into
  local computer accounts via GPO?
 
  Thanks.
 



Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread AdamT

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.


Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Joe Lagreca

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.

-Sergio
-Original Message-
From: Joe Lagreca [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Al and others,

We are retrofitting previously deployed workstations.  Some have local
logins, while others do not.  I was just wondering if there is a way,
via GPO, to force all users to log into the domain, instead of giving
them the option to log into their local machine.

I have been told that In a GPO set the cached logon setting to 0
and make sure allow logon locally is only set to Admins. will not
work.  However I still need to test this myself.  I was told allow
logon locally will make it so all unlisted users will not be able to
login from that workstation, whether its locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that
afterwards.

Thanks.

Joe


On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think you've seen several ways of achieving something similar to
 what you've asked for.  But I'm curious as to what you really want to
 accomplish.  You've put something very specific, but what makes you
 want to force the logon?  What's the backstory?

 Al

 On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
  Is there a way to force users to logon to domain, or to disable loging
into
  local computer accounts via GPO?
 
  Thanks.
 



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Freddy HARTONO
Even if that is possible by any means - what are you going to do if the
computer falls out of the domain.


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Tuesday, May 16, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow 
 logon locally setting, that's my bad.  I guess best thing to do would 
 be delete all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove
anything. - Nietzsche


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Robert Rutherford
No, and I always find it a relief to have a local admin account in a
failure situation.

 
 
Robert Rutherford
QuoStar Solutions Limited

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow
logon
 locally setting, that's my bad.  I guess best thing to do would be
delete
 all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP
workstations?

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS
Yeah make sure you leave all administrative accounts alone and disable the
guest account. 

As for changing the password, you can always connect to it remotely via
Computer management (compmgmt.msc) or script it.   

-Sergio
 

-Original Message-
From: Joe Lagreca [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which
only we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe


On 5/16/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the allow logon
 locally setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

 -Sergio
 -Original Message-
 From: Joe Lagreca [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 15, 2006 7:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

 Al and others,

 We are retrofitting previously deployed workstations.  Some have local
 logins, while others do not.  I was just wondering if there is a way,
 via GPO, to force all users to log into the domain, instead of giving
 them the option to log into their local machine.

 I have been told that In a GPO set the cached logon setting to 0
 and make sure allow logon locally is only set to Admins. will not
 work.  However I still need to test this myself.  I was told allow
 logon locally will make it so all unlisted users will not be able to
 login from that workstation, whether its locally or to the domain.

 I realize their profiles wouldn't copy, and we can deal with that
 afterwards.

 Thanks.

 Joe


 On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think you've seen several ways of achieving something similar to
  what you've asked for.  But I'm curious as to what you really want to
  accomplish.  You've put something very specific, but what makes you
  want to force the logon?  What's the backstory?
 
  Al
 
  On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
   Is there a way to force users to logon to domain, or to disable loging
 into
   local computer accounts via GPO?
  
   Thanks.
  
 


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Za Vue




I have over 100 randomly generated local admin passwords. If I forget
the password and the account gets corrupted in AD then I just hack the
local admin password. No one logs on locally period!

-Z.V.


Robert Rutherford wrote:

  No, and I always find it a relief to have a local admin account in a
failure situation.

 
 
Robert Rutherford
QuoStar Solutions Limited

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Yeah, disregard what I said about just leaving Admins on the "allow logon
 locally" setting, that's my bad.  I guess best thing to do would be delete
 all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP
workstations?


RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Dave Wade
You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the logon locally rights to say domain users 
administrator.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 16 May 2006 16:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe





**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this 
email,  or any response to it,  under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via 
[EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Riley, Devin
You can use the following script as a startup script to change the local
Admin password. There is an obvious security issue with this, since you
will be storing the script in a Sysvol share for machines to read. You
can prevent users from browsing to and opening the file by restricting
access to Domain Computers and relevant IT Admin staff.

The script works even if the local Admin account name has been changed.

I don't recall where I got the original copy of the script.

Devin


=
Option Explicit

Dim objShell, objNet, sNewPassword, sComputer, sAdminName, oUserAccounts
Dim oUser

' Errors are suppressed for the whole password change, so a failure is silent.
On Error Resume Next

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

' The clear-text password is stored in the script file itself.
sNewPassword = "PutSomeReallyLongPasswordHere"

sComputer = objNet.ComputerName
sAdminName = GetAdministratorName

Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
On Error Goto 0

' Event type 4 = Information, written to the Application log.
objShell.LogEvent 4, "LP startup script LP04 run record."

'======================================================================
' Get Admin Account Name
'======================================================================

Function GetAdministratorName()
    Dim sUserSID, objNet, oUserAccount
    Set objNet = CreateObject("WScript.Network")
    ' Local accounts only: Domain equals the computer name.
    Set oUserAccounts = GetObject( _
        "winmgmts://" & objNet.ComputerName & "/root/cimv2") _
        .ExecQuery("Select Name, SID from Win32_UserAccount" _
        & " WHERE Domain = '" & objNet.ComputerName & "'")

    On Error Resume Next
    For Each oUserAccount In oUserAccounts
        ' The built-in Administrator SID ends in -500 whatever the account is named.
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
           Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: Tuesday, May 16, 2006 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

Sergio,

That is the approach we are going to take.  Write a script to run at
start up to delete all local accounts, except administrator, which only
we should know the password for.

Do you have any ideas on how to change local account passwords via GPO
or remotely?  We would like to change the administrator passwords
initially, and probably like to change it on a continual basis.

Thank you.

Joe




Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Mark Parris
You could give everyone a domain controller?

Seriously though, we have a custom application that sits on the client and when 
it joins the domain, it generates a random 16 character password which it 
writes to a SQL database. From then on the sql database owns the computer, if 
you need to regenerate a new password just push the button on a web front end 
and it resets it and writes it to the database.


Mark
-Original Message-
From: Dave Wade [EMAIL PROTECTED]
Date: Tue, 16 May 2006 17:28:29 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

You can set the password in the startup script, but it's a bit open to
hacking. You can use an encrypted VB Script but those are pretty easy to
decrypt. There is also a tool around that will let you do it remotely.
You could also assign the logon locally rights to say domain users 
administrator.  




RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread deji
I got converted. I used to be a strong proponent of setting a common password
for the local admin account on all clients. The logic is that it enables
helpdesk people to log into desktops easily for support tasks. I used to
hardcode the passwords into a login script, and I used to justify the
security implication by saying that whoever can read the hardcoded password
knows too much already.
 
So, I got converted. Now, I set the password randomly to something long and
obnoxious that nobody knows. The password is generated on the fly and not
written anywhere. If a helpdesk support person needs to log into a client
computer as local admin, the password is first reset remotely, and a flag
file is deleted from the computer. The absence of the flag file will force
the computer to process the password generating script again upon a reboot.
 
If the password can not be reset remotely, there is a WinPE rescue disk, or
BartPE or Sysinternal's locksmith.
 
The point of all of this is that you do not HAVE to hardcode passwords into
your startup scripts.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
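
An added example, not part of the thread and not either poster's own script: the machine-side half of the flag-file scheme described in this message, combined with the RID-500 lookup from Devin's script, so that no password is hardcoded. It uses the Windows PowerShell 5.1 local-account cmdlets instead of the thread's VBScript; the flag-file path, the password length and the function names are assumptions made for illustration.

```powershell
# Added example: runs as a computer startup script (SYSTEM context).
# Requires Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts module).

# Assumption: flag location. Keep it in a directory only SYSTEM/Administrators
# can write, otherwise a user could pre-create the flag and block the rotation.
$FlagFile       = Join-Path $env:ProgramData 'LocalAdminRotation\rotated.flag'
$PasswordLength = 32   # assumption

function Get-BuiltinAdministrator {
    # The built-in account always has RID 500 (S-1-5-21-<machine id>-500),
    # so this still finds it after a rename.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
}

function New-RandomPassword {
    param([int]$Length = 32)
    # Characters from four classes, without look-alikes such as 0/O and 1/l.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@_'
    # Bytes at or above $limit are rejected so the modulo below is unbiased.
    $limit  = 256 - (256 % $alphabet.Length)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure = New-Object System.Security.SecureString
    $byte   = New-Object byte[] 1
    try {
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                $secure.AppendChar($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    }
    finally { $rng.Dispose() }
    $secure.MakeReadOnly()
    $secure
}

function Invoke-LocalAdminRotation {
    # Flag present: the password was already randomized on an earlier boot.
    if (Test-Path -LiteralPath $FlagFile) { return 'skipped' }

    $admin = Get-BuiltinAdministrator
    if (-not $admin) { return 'no-rid-500-account' }

    try {
        # The password exists only as a SecureString in this process;
        # it is never written to disk, logged or returned.
        $password = New-RandomPassword -Length $PasswordLength
        Set-LocalUser -SID $admin.SID -Password $password -ErrorAction Stop
        $password.Dispose()

        # Write the flag only after the change succeeded, so a failed run
        # is retried at the next boot.
        $dir = Split-Path -Parent $FlagFile
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Set-Content -LiteralPath $FlagFile -Value (Get-Date -Format o)
        return 'rotated'
    }
    catch {
        return "failed: $($_.Exception.Message)"
    }
}

Invoke-LocalAdminRotation
```

Deleting the flag file after a helpdesk reset makes the next boot generate a fresh unknown password, which is the behaviour the message describes.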
 




[ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Joe Lagreca
Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks.




Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Za Vue

Don't create local accounts.
-Z.V.

Joe Lagreca wrote:
Is there a way to force users to logon to domain, or to disable logging
into local computer accounts via GPO?

Thanks. 




RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Olivarez, Sergio J Mr CTNOSC/GD-NS








In a GPO set the cached logon setting to 0 and make sure allow logon
locally is only set to Admins.

-Sergio

From: Joe Lagreca [mailto:[EMAIL PROTECTED]
Sent: Monday, May 15, 2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is there a way to force users to logon to domain?

Is there a way to force users to logon to domain, or to disable logging
into local computer accounts via GPO?

Thanks.








RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Robert Rutherford








Be restrictive on the use of local accounts and don't give them
passwords is the cleanest way.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 15 May 2006 16:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is there a way to force users to logon to domain?

Is there a way to force users to logon to domain, or to disable logging
into local computer accounts via GPO?

Thanks.








Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Al Mulnick

I think you've seen several ways of achieving something similar to
what you've asked for.  But I'm curious as to what you really want to
accomplish.  You've put something very specific, but what makes you
want to force the logon?  What's the backstory?

Al

On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:

Is there a way to force users to logon to domain, or to disable logging into
local computer accounts via GPO?

Thanks.



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread joe



Crap, more blank emails from Al. Al, use hotmail or something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?



RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Tony Murray








I have a rule that auto-deletes Al's emails as a matter of course. :)

I can confirm what others have said - that the emails are visible
in Outlook 2007. Still checking to see if there is a way to resolve
this on the list server side, but haven't found anything yet.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, 16 May 2006 9:42 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

Crap, more blank emails from Al. Al, use hotmail or something. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 15, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?




This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.





Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Mine wasn't blank...there is however a funky code down there...but it's
not blank...


Al Mulnick wrote:


I think you've seen several ways of achieving something similar to
what you've asked for.  But I'm curious as to what you really want to
accomplish.  You've put something very specific, but what makes you
want to force the logon?  What's the backstory?

Al

On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:

Is there a way to force users to logon to domain, or to disable logging into
local computer accounts via GPO?

Thanks.

[EMAIL PROTECTED]
��V�r�y��-��4���i�b��b���/===



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Ulf B. Simon-Weidner



What about the origin - are they created using OL2k7? If so must be a new
bug - I was using a bit older version for quite a while (and everything was
readable), but it almost corrupted my mailstore - so I switched temporarily
back.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile  Publications: http://mvp.support.microsoft.com/profile=
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Tuesday, May 16, 2006 12:10 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Is there a way to force users to logon to domain?

  I have a rule that auto-deletes Al's emails as a matter of course. :)

  I can confirm what others have said - that the emails are visible in
  Outlook 2007. Still checking to see if there is a way to resolve this on
  the list server side, but haven't found anything yet.

  Tony
  
  
  
  
  

  


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Joe Lagreca

Al and others,

We are retrofitting previously deployed workstations.  Some have local
logins, while others do not.  I was just wondering if there is a way,
via GPO, to force all users to log into the domain, instead of giving
them the option to log into their local machine.

I have been told that "In a GPO set the cached logon setting to 0
and make sure allow logon locally is only set to Admins." will not
work.  However I still need to test this myself.  I was told allow
logon locally will make it so all unlisted users will not be able to
login from that workstation, whether it's locally or to the domain.

I realize their profiles wouldn't copy, and we can deal with that afterwards.

Thanks.

Joe


On 5/15/06, Al Mulnick [EMAIL PROTECTED] wrote:

I think you've seen several ways of achieving something similar to
what you've asked for.  But I'm curious as to what you really want to
accomplish.  You've put something very specific, but what makes you
want to force the logon?  What's the backstory?

Al

On 5/15/06, Joe Lagreca [EMAIL PROTECTED] wrote:
 Is there a way to force users to logon to domain, or to disable logging into
 local computer accounts via GPO?

 Thanks.


