Question : Force Domain Logon

My problem is this. I have several "old school" domain users that refuse to log on to the network. Instead, they choose to log on to their local machine with accounts they've created and then access network shares and email with their domain credentials. I want to force them to log on to the domain before they can access any of the shares on the network. The catch is this. Several of these people are laptop users who travel with their PCs, so I don't want any policy or registry hacks I implement to prevent them from logging on to their machines while they travel. I've considered a "Deny logon locally" policy, but I'm afraid this will prevent the laptop users from accessing their machines while on the road.

Answer : Force Domain Logon

Hmmmm...Just had a thought..

You can't apply the "deny logon locally policy" at the domain level since it would restrict your domain users from logging into the computer itself.

But what if...

You set the "deny logon locally policy" locally and "filtered" out the user's domain account and your domain account. Then if the person tried to use a local account, they wouldn't be able to log on.....

Now I think this would work...but it might not because there may be some conflicting issue since the user is a member of the local admin group....just have to try and see..

NOW....if you did it this way and it would work the way I think, it would also restrict the local admin account....so that's why I said filter your account as well or you would have to remotely connect to the computer to change the policy back to allow yourself the ability to logon.

ALSO, depending on how smart your users are....as an admin, they could go into the local policy themselves and change it...so you would need to essentially set a domain policy (couldn't do it locally since you would have filtered their domain account out) to prevent them from accessing the local policy (I think this can be done in this way).

I'm thinking outside of the box here since it is virtually impossible to restrict someone when they have local admin rights because it is so easy for them to find ways around everything you do....so this may not work and I may have overlooked a very obvious reason why it won't....and it would also be a pain for you to flip flop things whenever you needed local access. But just trying to think of anything at all you can do....it's an attempt at least :)

Here is how to filter local policy:
http://www.jsiinc.com/sube/tip2400/rh2492.htm
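
A check for the lockout risk raised in the answer above, as an added example that is not part of the original thread: it reads the "Deny log on locally" assignment (`SeDenyInteractiveLogonRight`) from a `secedit` user-rights export and flags the case where the account you need for console recovery is on the list. The sample export, the account names in it, and `$recoveryAccount` are constructed for illustration.

```powershell
# Real input:  secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#              $lines = Get-Content C:\Temp\rights.inf
# Constructed sample so the script runs without touching the machine:
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,olduser,Administrator
[Version]
signature="$CHICAGO$"
Revision=1
'@
$lines = $sampleInf -split "`r?`n"

function Get-UserRightMembers {
    param(
        [string[]]$InfLines,
        [string]$Right = 'SeDenyInteractiveLogonRight'   # "Deny log on locally"
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            return $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
    return @()   # a right that is not listed is assigned to nobody
}

# Hypothetical: the local account the admin must still be able to use at the console.
$recoveryAccount = 'Administrator'

foreach ($entry in (Get-UserRightMembers -InfLines $lines)) {
    $name = $entry
    if ($entry.StartsWith('*S-1-')) {
        # secedit writes SIDs with a leading '*'; resolve to a name where possible.
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = $entry }
    }
    $flag = if ($name -like "*$recoveryAccount") { 'LOCKS OUT RECOVERY ACCOUNT' } else { '' }
    '{0,-35} {1}' -f $name, $flag
}
```

Running the same check before and after changing the local policy shows exactly which accounts lost interactive logon.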