Through group policy, you can forbid logon without DC authentication.
Under Security in GP "Number of previous logons to cache" Change this to
0.
*****word of warning though,
if you have any laptop users, you will run into a rather big problem.
They will not be able to use their system off the network.
Another option if forcing a group policy refresh. The normal operation
is that every 90-120 minutes GP refreshes, but only if the version
number has changed (you've made a policy change). You can force GP to
refresh every X minutes regardless. Under GP go to --- Computer
Configuration --> Administrative Templates --> System --> Group Policy,
and configure it there.
Good Luck!
-----Original Message-----
From: Manuel Sousa [mailto:manuel.sousa@gmail.com]
Sent: Thursday, January 27, 2005 7:58 AM
To: focus-ms@securityfocus.com
Subject: Domain logon without network connection + group policies
Hi,
I've realized that it's possible to logon to a domain without a network
connection and bypass the group policies.
This provides false security when deploying policies that restrict user
permissions, so my question is:
1. Is it possible to forbid logon if the workstation can't connect to
the Domain Controller; 2. Or is it possible to have a cache of the group
policies so that if the workstation doesn't have network, it uses the
last policies?
One workaround is deploying the policies as local ones, but that removes
the flexibility of deploying / changing the policies from the domain, so
i'm open for other suggestions.
Thanks in advance,
Manuel Sousa
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
