How can a never logged in domain user log in with cached credentials if a DC is unavailable?

Hi all,
As a security measure I recommended disabling the local accounts on all
client machines when we move to AD in the summer. But someone from the
helpdesk group asked me how they could log in to administer or fix something
on the machine if they had never logged in before and if the DC was
unavailable at the same time.

I can't think of anything and am wondering if there are any workarounds for
this as I would really like to disable all local accounts. Thanks,

SA.
 
Unfortunately, the quick answer is "No."

If a DC isn't available and a user has logged into a workstation previously,
they are logged in using their cached credentials. If they've never logged
in before and a DC is unavailable, they'll be denied access using a domain
account and will only be able to log on using a local account.
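The behaviour Laura describes can be checked on a workstation before the DC is actually unreachable. The following is an added example, not code from the thread; it assumes an elevated PowerShell session on the client (Windows 10 / Server 2016 or later) and uses local-profile presence as an approximation for "has logged on here before", since the cached verifiers themselves sit in the protected HKLM\SECURITY hive.

```powershell
# Added example (not from the thread). Run elevated on the workstation.
# 1. CachedLogonsCount (REG_SZ under Winlogon) controls whether, and for how many
#    distinct users, a domain logon succeeds with no DC reachable. Default is 10; 0 disables caching.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedLogonsCount = if ($null -eq $raw) { 10 } else { [int]$raw }   # absent value means the default applies

if ($cachedLogonsCount -eq 0) {
    Write-Host 'CachedLogonsCount is 0: no domain user can log on here without a DC.'
} else {
    Write-Host "CachedLogonsCount is $cachedLogonsCount: up to that many previously-seen domain users can log on without a DC."
}

# 2. Which domain users have logged on interactively before (and so may have a cached entry).
#    Local and domain accounts both carry S-1-5-21-* SIDs; they are told apart by the
#    machine's own SID prefix, taken from any local account.
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value

$domainProfiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.SID -like 'S-1-5-21-*' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
        if ($sid.AccountDomainSid.Value -eq $machineSid) { return }   # skip local accounts
        # Name resolution needs a DC; when it fails (the scenario in the thread) fall back to the SID.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $_.Exception.Message; $name = $sid.Value }
        [pscustomobject]@{ Account = $name; SID = $sid.Value; LastUse = $_.LastUseTime; Path = $_.LocalPath }
    }

Write-Host "`nDomain users with a profile on $env:COMPUTERNAME (have logged on here at least once):"
$domainProfiles | Sort-Object LastUse -Descending | Format-Table -AutoSize

# 3. Local accounts that are still enabled, i.e. what would remain usable if a DC is unreachable
#    and the helpdesk user has never logged on here.
Write-Host "`nEnabled local accounts:"
Get-LocalUser | Where-Object Enabled | Select-Object Name, SID, LastLogon | Format-Table -AutoSize
```

If the domain profile list is empty for every helpdesk account and the enabled-local-account list is also empty, the machine is in exactly the state the question describes: nobody can log on at the console until a DC is reachable again.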
 
As Laura said, there is no way to log in. However this is a very
artificial situation. If the DC is down, the HelpDesk would be too
busy taking phone calls from people who couldn't log in to try to
log in to a client workstation!

Another point is that if you have enough users to need a HelpDesk, you
really should have TWO DCs, and the question is then irrelevant.

Cheers,

Cliff

{MVP Directory Services}
 
Hi,
Thanks for all the replies. I wanted to disable all the local accounts
including the local administrator account for tighter security.

And the hypo for my question was something like this: Suppose there is a
network issue on the CLIENT end and there is no network connectivity. How
can someone from the helpdesk with a domain account log in then??

Thanks again
-SA.
 
Then, as mentioned earlier the answer is - they can't.

Not what you wanted to hear, I'm sure, so it may be worth leaving one
account unlocked. Give it a stupid name like, computerName&offlineOnly and
make it an administrator with a huge password <g>


Paul.
________________________________________
 
I don't think that you *can* delete the local administrator account.
You can rename it though.

The thing is, you can get floppy-based programs that will change local
passwords on a machine, so any security can be bypassed if someone has
physical access to the machine. All you are doing by removing the
local administrator account (if you can) is making it harder for the
HelpDesk people.

Cheers,

Cliff
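Paul's suggestion (keep one oddly named local administrator with a huge password) and Cliff's (the built-in Administrator can be renamed but not deleted) can be combined into a single per-machine script. The following is an added example, not code from the thread; the account names, password length and character set are assumptions, and it assumes an elevated PowerShell session with the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 or later). Because the password is generated on each machine, a hash recovered from one workstation (Cliff's physical-access point) does not open the others.

```powershell
# Added example (not from the thread). Run elevated, once per workstation, by an account
# other than the local ones it disables (a domain account is the natural choice).
$breakGlassName = "$env:COMPUTERNAME-offlineOnly"   # Paul's naming idea; '-' instead of '&' to keep it typeable at the logon prompt
$renamedBuiltin = 'svc-localmaint'                   # assumed new name for the RID-500 built-in Administrator

# A long password from the OS CSPRNG. The alphabet has exactly 64 symbols (I, O, l, 0, 1 left out
# so it can be read from paper), and 256 % 64 == 0, so byte-mod-64 has no modulo bias.
function New-RandomPassword([int]$Length = 32) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?'
    $bytes = [byte[]]::new($Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# 1. Create the offline-only administrator (idempotent: re-running does not reset an existing password).
$plain  = New-RandomPassword -Length 32
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
if (-not (Get-LocalUser -Name $breakGlassName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $breakGlassName -Password $secure -PasswordNeverExpires -AccountNeverExpires `
        -Description 'Offline break-glass account for helpdesk; see runbook' | Out-Null
    # Hand the password over out of band (sealed envelope or password vault). It is emitted once, here.
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $breakGlassName; Password = $plain }
}
Add-LocalGroupMember -Group 'Administrators' -Member $breakGlassName -ErrorAction SilentlyContinue

# 2. Rename the built-in Administrator. It is identified by RID 500, not by name, since it may
#    already have been renamed; it cannot be deleted, as Cliff notes.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $renamedBuiltin) {
    Rename-LocalUser -Name $builtin.Name -NewName $renamedBuiltin
}

# 3. Disable every other local account (the original poster's goal), leaving only the break-glass one.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.Name -ne $breakGlassName } |
    ForEach-Object { Disable-LocalUser -Name $_.Name }

# 4. Show the resulting state for the change record.
Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

The per-machine password record is the only copy of the secret, so the runbook should say where it is stored and who may open it; the account exists precisely for the case where nothing else on the machine can authenticate, which is also why its name is tied to the computer name rather than shared across the fleet.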
 