Differences between Windows XP Pro and Windows 2000 Pro RE: Account Logon Time Restriction and Locke

Todd Pringle

Our Network Environment: Windows Server 2003 Active Directory domain
with a mix of Windows 2000 Pro and Windows XP Pro client computers.
All end users have domain accounts, no local client computer accounts.


Our Domain Account/Desktop Computer Policy: Any end-user whose
computer is primarily a desktop is restricted from logging in or
accessing network resources between 12:00 am and 5:00 am. This restriction
is enforced in the configuration of the particular person's Domain
Account. Success and Failure are logged for all events on the Domain
Controllers (Account Logon/Logoff, Object Access, etc.). Each desktop
has network drives mapped to shares on the domain controllers.

Our Problem: Most of these desktop users will "lock" their computers at
night instead of logging out.

For each end-user with a Windows XP desktop who locks his/her computer,
time restriction events are logged all night. The pattern for each end
user is: 12 time restriction events are logged in 1 minute, all is
quiet for that particular end-user for up to 3 hours, then another 12 time
restriction events are logged; this repeats until 5:00 am passes. Group
Policy processing maybe?

For each end-user with a Windows 2000 desktop who locks his/her
computer, no Time restriction events are logged. I assume these
machines also run through normal Group Policy processing at this time
too. Why no log noise like Windows XP machines?

I would like to know what process on Windows XP desktops is causing
these events to be logged, so I can obliterate it at night and don't
have to sift through the resulting events the next morning in my quest
for actual, useful information (like when a user is really, actually,
physically at his or her computer attempting to log in or access server
resources late at night!).

Thanks for any assistance you can provide.

Steven L Umbach

Offhand I don't know why there is a difference between Windows 2000 and XP, but you might
want to consider implementing a logoff screensaver for your domain. That
would stop those events. The Resource Kit has such a screensaver called
winexit.scr that can be configured to close user programs [possibly causing
loss of data]; you would then distribute it to the computers and configure Group
Policy to use that screensaver and set the idle time to engage it. XP also
requires a registry mod for it to work correctly for users that are not
local administrators, which could be distributed as a .reg file with a Group
Policy startup script or via a custom .adm template. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;314999 ---
winexit.scr
http://support.microsoft.com/default.aspx?scid=kb;en-us;156677 --- seems to
apply to XP also

Todd Pringle

Hi Steven,

Regarding implementing the winexit.scr screensaver, we are already
bound by regulations to implement a password-protected screensaver that
activates after 15 minutes of inactivity. For this we use logon.scr
and push this policy via group policies to all computers on our domain.
So during the day, if a user logs on and is inactive for 15 minutes,
the screen locks and requires a password to reactivate. It could be
possible that the end-user is counting on this to protect his/her
computer after leaving for the day: "just leave the computer, it will
protect itself". Thus, if my understanding is correct, we would not be
able to use the winexit.scr screensaver. I will be very happy if I am
wrong though and can use your solution :)

Steven L Umbach

I can't answer that without knowing your regulations. Logoff would be at
least as secure as locking the computer, though it could result in data loss
if a user was in the middle of doing something. I don't know of any way to
stop the logon events from being recorded. I have never used these settings
myself, but you might want to take a look at the settings under Computer
Configuration/Administrative Templates/System - Netlogon. If you want to
tweak them, create a test OU with a GPO linked to it with the settings you
want and move just a few XP computers into it to see if any changes are
observed. Also examine the logs on a couple of XP computers that are
generating these events to see if anything helpful is found, and you may also
want to enable auditing of system events on a couple of those XP computers.
Another thing to consider is to get buy-in from the powers that be to enable a
policy that users must log off their computers at the end of their shift.
After all, a power failure could cause loss of data if a computer is not shut
down gracefully. I don't believe the events are related to Group Policy
processing. --- Steve

Todd Pringle

Here is a sample logged event. In case I wasn't clear about this,
these logs are generated on the domain controller, not on the client.
In the morning I check each domain controller's logs:

Security, 530, 20051119052428.000000-360, <DOMAIN CONTROLLER NAME>, NT AUTHORITY\SYSTEM
Logon Failure:
  Reason:                 Account logon time restriction violation
  User Name:              <username>
  Domain:                 <domain name>
  Logon Type:             3
  Logon Process:          NtLmSsp
  Authentication Package: NTLM
  Workstation Name:       <XP desktop name>
  Caller User Name:       -
  Caller Domain:          -
  Caller Logon ID:        -
  Caller Process ID:      -
  Transited Services:     -
  Source Network Address: <XP Desktop IP>
  Source Port:            3763
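As an added example (not part of this thread or anyone's posted code), a small Python triage script for domain controller 530 records in the field layout above: it groups events per user and workstation into runs and separates the bursty, type 3 NTLM pattern described in the thread from isolated attempts that merit a look the next morning. The user names, workstation names and timestamps are constructed for the example.

```python
"""Triage Event ID 530 (account logon time restriction violation) records from a
domain controller's Security log: separate the bursty pattern reported above (about
12 network logons within a minute per locked XP desktop) from isolated attempts."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, not from a real log: (WMI timestamp, user, workstation, logon type).
SAMPLE_EVENTS = (
    [("200511190020%02d.000000-360" % s, "jdoe", "XPDESK01", 3) for s in range(1, 13)]
    + [("200511190320%02d.000000-360" % s, "jdoe", "XPDESK01", 3) for s in range(1, 13)]
    + [("20051119024117.000000-360", "asmith", "XPDESK07", 3)]  # one lone attempt
)

def parse_wmi_time(ts):
    """Parse a WMI CIM_DATETIME such as 20051119052428.000000-360: local time,
    six fraction digits, then the UTC offset in minutes (-360 is UTC-6)."""
    tz = timezone(timedelta(minutes=int(ts[21:])))
    return datetime.strptime(ts[:14], "%Y%m%d%H%M%S").replace(tzinfo=tz)

def cluster_events(events, window=timedelta(seconds=60)):
    """Group events per (user, workstation) into runs where each event follows
    the previous one by at most `window`; returns {(user, ws): [run, ...]}."""
    by_key = defaultdict(list)
    for ts, user, ws, ltype in events:
        by_key[(user, ws)].append((parse_wmi_time(ts), ltype))
    clusters = {}
    for key, recs in by_key.items():
        recs.sort()
        runs, current = [], [recs[0]]
        for rec in recs[1:]:
            if rec[0] - current[-1][0] <= window:
                current.append(rec)
            else:
                runs.append(current)
                current = [rec]
        runs.append(current)
        clusters[key] = runs
    return clusters

def triage(events, burst_size=5, window=timedelta(seconds=60)):
    """Return (noise, review). A run of at least `burst_size` network (type 3)
    logons inside the window is treated as automatic re-authentication noise:
    nobody types a password a dozen times a minute. The rest is kept for review."""
    noise, review = [], []
    for (user, ws), runs in cluster_events(events, window).items():
        for run in runs:
            entry = (user, ws, run[0][0].isoformat(), len(run))
            bursty = len(run) >= burst_size and all(lt == 3 for _, lt in run)
            (noise if bursty else review).append(entry)
    return noise, review
```

Each entry in the two lists is (user, workstation, time of first event, count), so the review list is what is left to read in the morning.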

Steven L Umbach

Yeah, I knew they were on the domain controller because that is where you said
the shares are located. If the users log off then those events should go
away in the domain controller security log. Apparently XP Pro has a
mechanism that does not exist in Windows 2000 to automatically try to
reauthenticate. --- Steve