
what do I do?

Posted by timj on March 24, 2007, 3:10 pm
Hi,

I work for a School Board and lately we have found that the kids can bypass
the GPOs. They put their login id and password in then ok, to login. Once
the login process starts they unplug the ethernet cable, they get a few
errors about their profile but now have full access to their local PC.

Is there a way to stop it?

We use Windows 2000 server and Windows 2003 server.

Thanks

T.



Posted by Roger Abell [MVP] on March 24, 2007, 9:28 pm

> Hi,
>
> I work for a School Board and lately we have found that the kids can
> bypass the GPOs. They put their login id and password in then ok, to
> login. Once the login process starts they unplug the ethernet cable, they
> get a few errors about their profile but now have full access to their
> local PC.
>
> Is there a way to stop it?
>
> We use Windows 2000 server and Windows 2003 server.
>
> Thanks
>
> T.

There are a few tricks, like a login script that checks
for a mapped drive (such as to sysvol?) and if it does
not exist does a logoff, if it does disconnects the share.
There is a group policy setting that requires background
application of policy to be disallowed (i.e. require that
policy is processed synchronously).
One could disable local caching of past logins (set the
number of logins cached to 0).




Posted by TimJ on March 26, 2007, 3:15 pm
>
>> Hi,
>>
>> I work for a School Board and lately we have found that the kids can
>> bypass the GPOs. They put their login id and password in then ok, to
>> login. Once the login process starts they unplug the ethernet cable, they
>> get a few errors about their profile but now have full access to their
>> local PC.
>>
>> Is there a way to stop it?
>>
>> We use Windows 2000 server and Windows 2003 server.
>>
>> Thanks
>>
>> T.
>
>There are a few tricks, like a login script that checks
>for a mapped drive (such as to sysvol ?) and if it does
>not exist does a logoff, if it does disconnects the share.
>There is a group policy setting that requires background
>application of policy to be disallowed (i.e. require that
>policy is processed synchronously).
>One could disable local caching of past logins (set the
>number of logins cached to 0)
>
>
>

Hi,

I like your idea about the scripts. Do you have a sample I could look
at? Our users' home directory is set to H: so I guess I could use that mapped
drive.

Thanks

T
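
One way to write the logon-script check suggested in the reply above, as an added example that is not from either poster. `H:` is the home drive named in the thread; `\\SERVER\SHARE` and the drive letter `Q:` are placeholders to replace with a share every user can read and an unused letter.

```batch
@echo off
rem Added example: logon script that ends the session when network
rem resources are missing, which is the state a cached offline logon is in.
rem Assumptions: H: is the home drive set on the user account;
rem \\SERVER\SHARE is a placeholder share; Q: is an unused drive letter.
setlocal

set HOMEDRV=H:
set PROBE=\\SERVER\SHARE
set PROBEDRV=Q:

rem 1. The home drive must be reachable. With the cable pulled it is not.
if not exist %HOMEDRV%\ goto offline

rem 2. Live check: map the probe share. A failure means no server contact.
net use %PROBEDRV% %PROBE% /persistent:no >nul 2>&1
if errorlevel 1 goto offline

rem 3. The share was reachable, so disconnect it again and continue.
net use %PROBEDRV% /delete /y >nul 2>&1

endlocal
exit /b 0

:offline
echo Network resources are unavailable. Logging off.
endlocal
logoff
```

A script stored on the domain controller's NETLOGON share is itself fetched over the network, so it cannot run if the connection is already gone when the logon reaches that stage. Setting the number of cached logons to 0, as the reply also suggests, removes the offline logon path rather than reacting to it.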

