Bypass Domain GPO when not connected to network?

Ross Luker

Hi,

We have a problem where the "Log on locally" entry in the Default
Domain GPO was messed with (an entry was put in without specifying
other users). This was quickly fixed, as soon as we noticed users
being denied the right to log on. However, I've got several users that
were connected to our VPN when the GPO changed, and now when they
reboot they're denied access to the machine. Obviously, just
connecting the PC to the network will refresh to the working GPO, but
several users are in a different country - is there a way I can get
them logged in to the machine so that they can access the VPN and
refresh group policy?

TIA
Ross
 
Steven L Umbach

There is no hack that I have ever heard of or figured out, and unfortunately
that is a bad situation. There is an option to log on via a dial-up connection
that a user will see when they first try to log on after they do
Ctrl-Alt-Delete [they may have to select the Options box if they do not see it]
to their computer, where they will have to select that checkbox and then
choose the VPN connectoid. Have them try that to see what happens, as that
works a bit differently than the VPN connection after logging onto the
computer. If that does not work, then about the best you can do is have them
try to log on with the built-in administrator account and have them VPN in,
and you may have to instruct them how to configure the VPN connectoid. If
they cannot VPN logged on as a local administrator, have them create a local
user account that matches their domain logon and password and try that. Tell
them how to use secedit/gpupdate to refresh computer configuration policy,
and if it refreshes successfully they should then be able to log on with
their domain account, but of course they would still know the local
administrator password. If they cannot log on as the local administrator, the
computers will need to be connected to the domain somehow or rebuilt, and
they would need to log on with a local computer user account until such time as it
had been joined to the domain again. I have never tried it over a VPN
connection, but it may be possible to join the computer to the domain using
the netdom command. You may also want to post in the Active_directory
newsgroup. --- Steve
 
Ross Luker

Damn, ok....

Unfortunately the VPN is a custom app, rather than using Windows dial-up
networking, so we can't use that... also, ALL accounts on the PC are
locked in the same way (I would have thought the domain policy would
only apply to domain accounts, but it appears to have applied globally
to the PC). Oh well, guess the users will have to come in... thanks for
the advice...
 
Steven L Umbach

Hi Ross.

Like I said, you may also want to post in one of the Microsoft
Active_directory newsgroups; someone else may have a creative solution.
The policy that was configured via user rights is "computer" configuration,
which is why it applies to all users on the computer. I don't know if your
remote users are centralized or not, but another possibility is to create
another domain controller [could be on a laptop] and ship it to them to
connect to on a network, if you have someone that could be responsible for
setting it up and securing it [it contains all your AD info]. Even though such a
domain controller might be disconnected from your main network and its
security logs would show that it cannot find the other domain controllers,
it just may work, and of course the computers would need to have their DNS
configured to point to it. If that idea sounds interesting, try testing it
out first. With the expense involved in having users coming in, you may
also want to contact Microsoft support first. --- Steve
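A PowerShell check that reads the "Allow log on locally" user right (SeInteractiveLogonRight) as it is currently applied on a workstation and compares it with a baseline, so a user-rights mistake like the one in this thread is caught before a reboot locks everyone out. This is an added example, not code from the thread; the expected SID list is an assumed baseline, and secedit must be run from an elevated prompt.

```powershell
# Audit the effective "Allow log on locally" user right on this machine.
# Because user-rights assignments are Computer Configuration policy, a bad
# entry here affects every account on the PC, local accounts included.
# Assumed baseline (constructed): the two well-known BUILTIN groups.
$ExpectedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-32-545'    # BUILTIN\Users
)

function Get-LogonLocallyRight {
    # secedit exports an INF-style file; only the user-rights area is needed.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        # Example line: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        $line = Get-Content -Path $cfg -Encoding Unicode |
                Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
                Select-Object -First 1
        if (-not $line) { return @() }   # right assigned to nobody: lockout state
        $values = ($line -split '=', 2)[1].Trim() -split ','
        return @($values | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-LogonLocallyRight {
    param([string[]]$Current, [string[]]$Expected)
    $missing = @($Expected | Where-Object { $Current -notcontains $_ })
    $extra   = @($Current  | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Current = $Current
        Missing = $missing   # baseline groups no longer allowed to log on
        Extra   = $extra     # entries outside the baseline, worth reviewing
        Safe    = ($missing.Count -eq 0) -and ($Current.Count -gt 0)
    }
}

$result = Test-LogonLocallyRight -Current (Get-LogonLocallyRight) -Expected $ExpectedSids
$result | Format-List
if (-not $result.Safe) {
    Write-Warning 'SeInteractiveLogonRight lacks the expected groups; users may be denied logon at next sign-in. Fix the GPO and run gpupdate /force before rebooting.'
}
```

Run it as part of a GPO change review on a test machine, or push it to remote workstations before a user-rights policy change reaches them.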
 
