How do you force authentication from PDC?
Nick Diotte
December 5th 03, 07:34 PM
Alright,
Here is my problem. I'm running a Windows NT 4 PDC, and have a domain
setup. For reference we will call it DOMAIN.
Here is an example of my problem:
USERNAME logs into the Windows XP machine on DOMAIN, and receives all
login scripts, policies, etc. USERNAME logs off.
The next day, USERNAME logs into the Windows XP machine on DOMAIN
(however the network link is actually down), this user does not
receive any login scripts, policies, etc. USERNAME logs off.
How was this user able to log in? The XP machine did not check
against the PDC, or BDC because it was actually off of the network.
However the user is able to still log into the domain. If you plug
back the cable into the machine, all network access is granted, but of
course the script is still not executed. How can I force Windows to
not allow the user to log in, and give an invalid username/password
message or an error about the domain being inaccessible?
Note: The user can still log in even if we delete the profile, so
where is the password being stored locally? Also I've tried a reg
modification or two to not cache passwords, however they did not work.
Any responses on this topic would be much appreciated.
Thanks,
Nick Diotte
Information System & Technology
WCU
Robert Moir
December 5th 03, 07:34 PM
Nick Diotte wrote:
> Alright,
>
> Here is my problem. I'm running a Windows NT 4 PDC, and have a domain
> setup. For reference we will call it DOMAIN.
>
> Here is an example of my problem:
> USERNAME logs into the Windows XP machine on DOMAIN, and receives all
> login scripts, policies, etc. USERNAME logs off.
>
> The next day, USERNAME logs into the Windows XP machine on DOMAIN
> (however the network link is actually down), this user does not
> receive any login scripts, policies, etc. USERNAME logs off.
>
> How was this user able to log in? The XP machine did not check
> against the PDC, or BDC because it was actually off of the network.
> However the user is able to still log into the domain. If you plug
> back the cable into the machine, all network access is granted, but of
> course the script is still not executed. How can I force Windows to
> not allow the user to log in, and give an invalid username/password
> message or an error about the domain being inaccessible?
>
> Note: The user can still log in even if we delete the profile, so
> where is the password being stored locally? Also I've tried a reg
> modification or two to not cache passwords, however they did not work.
>
> Any responses on this topic would be much appreciated.
I've not tested it because I don't have a domain network at home, where I am
now, but you might try testing this:
From a workstation:
start->run, "gpedit.msc".
At the new window, expand Windows Settings, expand
Security Settings, expand Local Policies, and click on
Security Options. Double click Interactive Logon:
Require Domain Controller authentication to unlock
workstation and change it to Enabled.
--
Rob Moir
Microsoft MVP for Windows / Security
www.robertmoir.co.uk
Star Fleet Admiral Q
December 5th 03, 07:35 PM
It could be using the "cached credentials" on the PC itself - my work laptop
does this when I'm not connected to the network or the Domain Controller is
not present. Group Policy has a setting on how many times login is allowed
with a "cached profile".
"Nick Diotte" > wrote in message
om...
> Alright,
>
> Here is my problem. I'm running a Windows NT 4 PDC, and have a domain
> setup. For reference we will call it DOMAIN.
>
> Here is an example of my problem:
> USERNAME logs into the Windows XP machine on DOMAIN, and receives all
> login scripts, policies, etc. USERNAME logs off.
>
> The next day, USERNAME logs into the Windows XP machine on DOMAIN
> (however the network link is actually down), this user does not
> receive any login scripts, policies, etc. USERNAME logs off.
>
> How was this user able to log in? The XP machine did not check
> against the PDC, or BDC because it was actually off of the network.
> However the user is able to still log into the domain. If you plug
> back the cable into the machine, all network access is granted, but of
> course the script is still not executed. How can I force Windows to
> not allow the user to log in, and give an invalid username/password
> message or an error about the domain being inaccessible?
>
> Note: The user can still log in even if we delete the profile, so
> where is the password being stored locally? Also I've tried a reg
> modification or two to not cache passwords, however they did not work.
>
> Any responses on this topic would be much appreciated.
>
> Thanks,
>
> Nick Diotte
> Information System & Technology
> WCU
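Added example, not code from the thread or from any poster: a PowerShell script that reads (and, with -Apply, sets) the two Winlogon registry values behind the policies named in the replies above. CachedLogonsCount is the value behind the "number of previous logons to cache" policy Star Fleet Admiral Q mentions and is what decides whether a domain user can log on at all while no DC is reachable; ForceUnlockLogon is the value behind the "Require Domain Controller authentication to unlock workstation" setting Rob describes and applies to unlocking a locked session. The -Apply switch and -CachedLogons parameter are names assumed for this script; run it elevated on the workstation.

```powershell
# Added example (not from the thread): audit, and optionally set, the Winlogon
# values behind the two policies discussed above. Must run as Administrator.
#   CachedLogonsCount -> "Interactive logon: Number of previous logons to cache"
#                        (REG_SZ, default "10"; "0" disables cached domain logons)
#   ForceUnlockLogon  -> "Interactive logon: Require Domain Controller
#                        authentication to unlock workstation" (REG_DWORD, 1 = Enabled)
param(
    [switch]$Apply,                 # assumed name: write the hardened values
    [string]$CachedLogons = "0"     # assumed name: value to store in CachedLogonsCount
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    # Read both values; absent values fall back to the Windows defaults.
    $p = Get-ItemProperty -Path $key
    $cached = "10"
    if ($null -ne $p.CachedLogonsCount) { $cached = [string]$p.CachedLogonsCount }
    $unlock = 0
    if ($null -ne $p.ForceUnlockLogon) { $unlock = [int]$p.ForceUnlockLogon }
    [pscustomobject]@{ CachedLogonsCount = $cached; ForceUnlockLogon = $unlock }
}

$before = Get-CachedLogonPolicy
Write-Host ("CachedLogonsCount = {0}  (0 = no logon without a reachable DC)" -f $before.CachedLogonsCount)
Write-Host ("ForceUnlockLogon  = {0}  (1 = DC required to unlock workstation)" -f $before.ForceUnlockLogon)

if ($before.CachedLogonsCount -ne "0") {
    # This is the state the original poster observed: the last logon is cached
    # locally, so the user can log on again with the network cable unplugged.
    Write-Warning "Domain logons are cached locally; a previously logged-on user can still log on offline."
}

if ($Apply) {
    Set-ItemProperty -Path $key -Name CachedLogonsCount -Value $CachedLogons -Type String
    Set-ItemProperty -Path $key -Name ForceUnlockLogon  -Value 1 -Type DWord
    Write-Host "Updated values:"
    Get-CachedLogonPolicy | Format-List
}
```

With CachedLogonsCount at "0", a logon while no PDC or BDC is reachable fails instead of silently succeeding without scripts or policies, which is the behaviour the original poster asked for; keep in mind that this also blocks laptop users from logging on away from the network.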
Nick Diotte
December 5th 03, 07:36 PM
"Robert Moir" > wrote in message >...
> Nick Diotte wrote:
> > Alright,
> >
> > Here is my problem. I'm running a Windows NT 4 PDC, and have a domain
> > setup. For reference we will call it DOMAIN.
> >
> > Here is an example of my problem:
> > USERNAME logs into the Windows XP machine on DOMAIN, and receives all
> > login scripts, policies, etc. USERNAME logs off.
> >
> > The next day, USERNAME logs into the Windows XP machine on DOMAIN
> > (however the network link is actually down), this user does not
> > receive any login scripts, policies, etc. USERNAME logs off.
> >
> > How was this user able to log in? The XP machine did not check
> > against the PDC, or BDC because it was actually off of the network.
> > However the user is able to still log into the domain. If you plug
> > back the cable into the machine, all network access is granted, but of
> > course the script is still not executed. How can I force Windows to
> > not allow the user to log in, and give an invalid username/password
> > message or an error about the domain being inaccessible?
> >
> > Note: The user can still log in even if we delete the profile, so
> > where is the password being stored locally? Also I've tried a reg
> > modification or two to not cache passwords, however they did not work.
> >
> > Any responses on this topic would be much appreciated.
>
> I've not tested it because I don't have a domain network at home, where I am
> now, but you might try testing this:
>
> From a workstation:
> start->run, "gpedit.msc".
>
> At the new window, expand Windows Settings, expand
> Security Settings, expand Local Policies, and click on
> Security Options. Double click Interactive Logon:
> Require Domain Controller authentication to unlock
> workstation and change it to Enabled.
>
>
> --
Works like a charm! Thanks so much... Don't know how I missed that!
I could have sworn I went through all those options.