Local Logon Prevention in W2K / XP

[Fraser Dickson]

Have you tried to enable to the "Always wait for network
at computer startup and logon".

You can access it under Local Computer Policy - Admin
Templates - System - Logon

By default, Windows XP does not wait for the network to
be fully initialized at startup and logon. Existing users
are logged on using cached credentials, which results in
shorter logon times. Group Policy is applied in the
background once the network becomes available.

Regards,
Fraser - MCP

-----Original Message-----
Does anyone know of a way of preventing local logon to a machine? Here is the scenario.

The computers are networked and GPO policies are in

force which prevent access to certain portions of the
computer. However, if the user unplugs the network cable
the system lets them in after a couple of error messages
about roaming profiles. Once the logon procedure is
complete the users can do almost anything they want to
the local machine... remove software change administrator
accounts etc.

I have edited the local policy to "Log off user if

roaming profile fails" as I thought this was the problem
but it is being ignored.

I also tried "Deny logon locally" but then the domain

groups I denied cannot logon interactively whether the
network cable is unplugged or not.

What I want to achieve is to deny local logon to any

user when the network cable is unplugged. So that they
are forced to authenticate through the network and hence
the GPO restrictions will be in place. Can this be done?

 

[FriedTurkey]

In Local Security Settings, under Security Settings/Local
Policies/Security Options, find the policy:

*Interactive Logon: Number of previous logons to cache (in case a
domain controller is not available).*

Set this value to 0 to disable policy cacheing.