RE: Log on the domain

["David Gillett" <gillettdavid () fhda edu>]

> -----Original Message-----
> From: J.S [mailto:mwharbi () hotmail com]
> To: security-basics () securityfocus com
>
> How can we enforce the users log on to domain? I mean: Users 
> can not access
> computer using admin or any other account, must log on the domain
> controller. Is there any policy to do that?

  I've always interpreted the "Log on locally" policy as determining
whether a given user account can be used from the "console" keyboard
and monitor; i.e., an account without this right can only be used to
access the machine remotely.  I may have misunderstood that, since
multiple people seem to think it's what you want.

  I don't think there is a way to lock out all local access.  But 
with Windows 2000 policies, you *can* prevent them from accessing any
network resources that are part of your domain structure.  Is that 
good enough?

  (With NT domains, they can have access if their local account name 
and password matches a domain account and password that has access.)

David Gillett



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------