PC Review



Applying domain policies

 
 
Gaspar
 
      8th Feb 2008
When XP connects to a Windows 2003 controller, it applies the domain policy
restricting access to applications, configurations, etc.

But, what if the user logs on only locally (not to the domain controller): is
there any way to apply the domain policy?

Thanks


 
Malke
 
      8th Feb 2008
Gaspar wrote:
> When XP connects to a Windows 2003 controller, it applies the domain policy
> restricting access to applications, configurations, etc.
>
> But, what if the user logs on only locally (not to the domain controller): is
> there any way to apply the domain policy?


No, of course not. Most domain workstations don't have a local user
available to your end users so this is a non-issue. Set workstations to
boot only from the hard drive, put a strong BIOS password on so this
can't be changed, and only have the built-in Local Administrator and
possibly a local Tech account. Create strong passwords for these accounts.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP
 
Gaspar
 
      8th Feb 2008
Our problem is that most computers are shared between several users. Most of
them have common (shared) documents. So it is very problematic having users
log in/use documents/log out for another user to access their documents/and so
on...

So we allow users to log in locally with a common user (for example "User")
and when they access network resources, the domain logon prompt is shown.

That's why we are trying to apply "universal" policies, even if the users don't
log in to the domain.

Any ideas?
Thanks again.


Malke
 
      8th Feb 2008
Gaspar wrote:
> Our problem is that most computers are shared between several users. Most of
> them have common (shared) documents. So it is very problematic having users
> log in/use documents/log out for another user to access their documents/and so
> on...
>
> So we allow users to log in locally with a common user (for example "User")
> and when they access network resources, the domain logon prompt is shown.
>
> That's why we are trying to apply "universal" policies, even if the users don't
> log in to the domain.


There's no nice way to say this. You've set up your network insecurely
and incorrectly. The "workaround" is to set things up right and you
won't have issues with users doing stuff they shouldn't be.

1. It doesn't matter that computers are shared between users. There
should be no local user accounts available for end users to log on with.

2. Data - such as what your users have got stored in Shared Documents -
should *never* be stored locally on workstations. All data should be on
the server so it can be controlled and backed up regularly. *Nothing*
should be on the workstations.

You can set up a default standard user profile for your workstations
with various Group Policy restrictions in place, but you've made a lot
more work for yourself and have missed the point of using a domain in
the first place - centralized control so your network is a) kept
up-to-date; b) kept secure; c) kept virus and malware-free; d) kept
backed up as part of a disaster recovery plan. In addition, if you're
letting your users log on locally, are they still standard users? If
you're letting them log on locally as administrators then there is no
point in even continuing down that road - they can do whatever they want
and get around anything you set up.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP
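
The two conditions raised in the reply above (local accounts that end users can log on with, and whether those accounts are administrators) can be checked on each workstation. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 or later (newer than the XP clients discussed here) and a hypothetical allowlist holding the name of the local `Tech` account.

```powershell
# Added example, not from the thread. Assumption: 'Tech' is the name of the one
# extra local support account; the built-in Administrator is matched by RID 500.
$AllowList = @('Tech')

function Get-LocalAccountFindings {
    param(
        [object[]] $Users,         # objects with Name, Enabled, SID (as from Get-LocalUser)
        [object[]] $AdminMembers,  # objects with SID (as from Get-LocalGroupMember)
        [string[]] $Permitted = $AllowList
    )
    # SIDs of everything in the local Administrators group, as strings.
    $adminSids = @($AdminMembers | ForEach-Object { "$($_.SID)" })

    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }                 # disabled accounts cannot log on
        $sid = "$($u.SID)"
        $isBuiltinAdmin = $sid -like 'S-1-5-21-*-500'     # still matches a renamed Administrator
        if ($isBuiltinAdmin -or ($u.Name -in $Permitted)) { continue }

        # Any other enabled local account is one an end user could log on with.
        [pscustomobject]@{
            Account    = $u.Name
            SID        = $sid
            LocalAdmin = ($sid -in $adminSids)            # True: can undo local restrictions
        }
    }
}

# Live inventory of this machine; S-1-5-32-544 is the built-in Administrators
# group, addressed by SID so the check works on any display language.
$users  = Get-LocalUser
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
Get-LocalAccountFindings -Users $users -AdminMembers $admins | Format-Table -AutoSize
```

An empty result means the only enabled local accounts are the built-in Administrator and the allowlisted one.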
 
Gaspar
 
      11th Feb 2008
Thanks a lot for your suggestions.
I know a lot of things are bad (just check this out: we are still using Win98
in 40% of client computers) and we are looking for ways to fix them.

Thanks again!

