Local/Domain logon


Neil Shaw

We have a user who is working 50-50 onsite and at home and who has a
work issued laptop. At work we have a Win2K server running AD with a
single Domain.

The problem arises when the user is at home. Obviously there is no way
for her to authenticate with the PDC (dial-up connection not feasible)
and so she has a local machine logon too. However, this leads to 2
separate profiles. Is there any way to get Windows to use the cached
copy of her Domain profile when logging on to the local machine only so
that she still has access to things like contacts and bookmarks?

Thanks
 

Neil Shaw

julianm said:
Try using XP on the client as it automatically caches the client logon
details so you do not need to worry about this. If you need to prevent users
from logging on with cached credentials this is possible with Group Policy too.

When you say it caches the logon details, do you mean the roaming
profile of the user, or the username/password combination to allow a
Domain logon without needing the PDC connected to the client?

If it's the roaming profile, Win2K does this as well, but it's the
password authentication that is the problem.
If it's the latter, it just adds to my list of reasons as to why I hate
WinXP :blush:
 

Neil Shaw

julianm said:
XP will cache the logon credentials. For example, my notebook at work is XP
Pro and I do not use a roaming profile. At work I log on with my domain user
account and password. When I go home I log onto my notebook using the same
domain username and password as I use on the network - there is no connection
to the domain at home, therefore this uses cache credentials.

I did the upgrade exam to MCSE 2003 the other day [I did pass, and no I'm
not bragging] and there was a specific question about XP caching logon
credentials and how can you stop this. I am not an expert on XP, but I do
know this works, and as the exam covers this I presume this is a feature of
XP.

Thanks for clearing that up :)
What worries me about this option is that if the profile is stored
locally at all times there is no backup procedure for the user's data in
place. OK, the laptop has a CD-RW, but the user is not confident with
computers, and so I wouldn't want to add this extra burden on to them,
and I can't guarantee that I'd be available to do a CD backup for her.
At least if she had a roaming profile it would be stored on our
fileserver, which is backed up to tape every weekday morning.

I also have to admit that I'm not 100% sure over the security of this
method that XP is using. I've always thought that Microsoft have a
strange view of security (the Outlook web system, for example, where not
only do you have to log out, but you also have to close your browser,
which is highly inconvenient). I think in this situation I'm just going
to have to keep things as they are and tell the user what she wants is
not possible, and just to use the D: drive on the laptop for her files,
and make sure when she's on the move. I think copying files from D: to
My Documents on return to site is going to be easier than getting CDs
involved and XP, etc.

Unless someone else has any other ideas.

Thanks anyway :)
 

Bruce Chambers

Neil said:
We have a user who is working 50-50 onsite and at home
and who has a work issued laptop. At work we have a Win2K
server running AD with a single Domain.

The problem arises when the user is at home. Obviously
there is no way for her to authenticate with the PDC
(dial-up connection not feasible) and so she has a local
machine logon too. However, this leads to 2 separate
profiles. Is there any way to get Windows to use the
cached copy of her Domain profile when logging on to the
local machine only so that she still has access to things
like contacts and bookmarks?

Thanks


Certainly. There was no need to create a local account for her.
Once she's logged in to the domain and created a user profile, she can
continue to login using the domain account's credentials, even when
she's at home. Your network administrator or IT Help Desk will be
able to explain how this is done.

Ensure that the registry is set to allow logins via cached
credentials. Set the CachedLogonCount to something other than zero.
(By default, Win2K stored 10 sets of cached credentials.)

Cached Logon Information
http://support.microsoft.com/default.aspx?scid=kb;en-us;q172931

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever
count on having both at once. - RAH
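
Added example, not part of any post in this thread: a PowerShell function that reads the cached-logon setting discussed in the post above and reports whether a domain logon can succeed without a domain controller. It assumes the value is `CachedLogonsCount` (a REG_SZ) under the Winlogon key, as in Microsoft's documentation; the function name and output fields are illustrative.

```powershell
# Added example: report whether this machine allows domain logon from cached
# credentials. Value name and 0..50 range follow Microsoft's documentation of
# the Winlogon key; function name and output fields are illustrative.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [int]$DefaultCount = 10   # default quoted in the post above for Win2K
    )

    $name   = 'CachedLogonsCount'   # stored as a REG_SZ string, not a DWORD
    $source = 'registry'
    $raw    = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $raw) {
        # Value absent: Windows falls back to its built-in default.
        $raw    = [string]$DefaultCount
        $source = 'default (value not set)'
    }

    $count = 0
    $valid = [int]::TryParse([string]$raw, [ref]$count) -and $count -ge 0 -and $count -le 50

    if (-not $valid) {
        $state = 'unknown: value is not an integer in 0..50'
        $count = $null
    } elseif ($count -eq 0) {
        $state = 'disabled: a domain controller must be reachable at logon'
    } else {
        $state = "enabled: logon information for up to $count domain accounts can be cached"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RawValue           = $raw
        CachedLogonsCount  = $count
        Source             = $source
        OfflineDomainLogon = $state
    }
}

Get-CachedLogonPolicy | Format-List
```

The Group Policy security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" writes this same value, so a domain policy can override whatever is set locally.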
 

Bruce Chambers

julianm said:
Try using XP on the client as it automatically caches the
client logon details so you do not need to worry about
this.

True, WinXP does cache logon credentials, but the OP needn't
change the laptop's OS to gain this functionality. Both of WinXP's
predecessors, WinNT and Win2K, have always allowed logons using cached
credentials.

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever
count on having both at once. - RAH
 

Torgeir Bakken (MVP)

julianm said:
XP will cache the logon credentials. For example, my notebook at work is XP
Pro and I do not use a roaming profile. At work I log on with my domain user
account and password. When I go home I log onto my notebook using the same
domain username and password as I use on the network - there is no connection
to the domain at home, therefore this uses cache credentials.

I did the upgrade exam to MCSE 2003 the other day [I did pass, and no I'm
not bragging] and there was a specific question about XP caching logon
credentials and how can you stop this. I am not an expert on XP, but I do
know this works, and as the exam covers this I presume this is a feature of
XP.

Hi

This is not new for Windows XP. Windows 2000 (as well as NT4) supports
cached logon credentials the same way as Windows XP does.
 
