#2232011

    Non Domain computer needs authentication VBS script help

    by al3x ·

    Ok, my current job allows personal laptops to access the domain resources without joining the domain. So whatever local profile is on the laptop stays like that. No 2nd profile (domain profile) will be created on the personal laptop.
    So once he connects his personal laptop to our network, he’ll just click “start”, “run”, then “\\server”. It will prompt him for a username and password. He will type in his domain username and password, and now he has access to all domain resources.

    I then created some auto network mappings for the user (sloppy vbs but it works):

    ' Keep going if one mapping fails (e.g. the letter is already in use)
    On Error Resume Next
    Set objNetwork = CreateObject("WScript.Network")

    ' Domain credentials used for every mapping (kept in plain text in this script)
    strUser = "domainuser"
    strPassword = "domainpassword"

    ' Third argument (False) = do not persist the mapping in the user's profile
    Sub MapDrive(strDriveLetter, strRemotePath)
        objNetwork.MapNetworkDrive strDriveLetter, strRemotePath, False, strUser, strPassword
    End Sub

    MapDrive "S:", "\\server\common"
    MapDrive "F:", "\\server\DATA"
    MapDrive "U:", "\\server1\USERS_snapw2k5\Domain1\username"

    So I put this script in their startup and it runs every time they turn on their computer. Then it automatically authenticates their personal laptop to our domain.

    So now I’m requested to give the user all access to the domain, not just the mappings.

    So my question is how do I write a VBS script that allows and authenticates them to just “\\server” automatically. This way they have access to the entire domain and not specific paths?

    Thanks
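As an added example (not the poster's script and not part of the original thread), the same three mappings can be done from a non-domain laptop without writing the domain password into a logon script: the credential is stored once per server in Credential Manager (the store behind the “Manage Passwords” dialog, written here with cmdkey), and the logon-time mappings then reuse it. Share paths are the ones from the post; the account name “DOMAIN\domainuser”, the assumption that cmdkey prompts when /pass is given without a value, and the English “Target:” text in cmdkey’s output are assumptions.

```powershell
# Added example, not the poster's script: map the thread's three shares from a
# non-domain laptop without writing the domain password into a logon script.
# "DOMAIN\domainuser" is a placeholder; share paths come from the thread.

$Account = 'DOMAIN\domainuser'
$Servers = @('server', 'server1')   # one stored credential per target server

# One-time setup per laptop. Assumption: "cmdkey /pass" with no value prompts
# for the password interactively, so it never lands in this file or in the
# shell history. Entries that already exist are left alone.
foreach ($Server in $Servers) {
    # Assumption: cmdkey prints a "Target:" line only when an entry exists
    $stored = cmdkey /list:$Server | Select-String -Quiet -Pattern 'Target:'
    if (-not $stored) {
        cmdkey /add:$Server /user:$Account /pass
    }
}

# Runs at every logon. No -Credential is passed: the SMB client looks up the
# stored credential for the target server on its own.
$Mappings = [ordered]@{
    'S' = '\\server\common'
    'F' = '\\server\DATA'
    'U' = '\\server1\USERS_snapw2k5\Domain1\username'
}

foreach ($Letter in $Mappings.Keys) {
    if (Test-Path -LiteralPath "${Letter}:\") {
        Write-Host "${Letter}: already mapped, skipping"
        continue
    }
    try {
        New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Mappings[$Letter] `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-Host "Mapped ${Letter}: to $($Mappings[$Letter])"
    } catch {
        # Usually means the stored credential is missing or the domain
        # password changed; re-run the cmdkey step above to refresh it.
        Write-Warning "Could not map ${Letter}: $($_.Exception.Message)"
    }
}
```

Because the stored credential is tied to the server name, a renamed or additional file server needs its own cmdkey entry; the mapping loop itself never sees a password, so it can be placed in the Startup folder as the original script was.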

    • #3321167

      Geez, that is a horrible policy, but

      by ic-it ·

      In reply to Non Domain computer needs authentication VBS script help

      wouldn’t the simplest solution be to join the computer to the domain?
      Although you may want to push hard enough to be able to verify that each system has the proper safeguards in place and perhaps even clean it first.
      Uncontrolled resources running rampant on the domain.

      • #3321122

        Very bad stuff

        by forum surfer ·

        In reply to Geez, that is a horrible policy, but

        The security risks involved in that are astounding…who would institute such a thing? I hope there’s a whole lot of logging enabled on the network and server levels, because there will be breaches in security. Kinda negates the point of establishing a domain from a security standpoint in the first place. You really can’t keep a setup like that under control. I feel sorry for the guy that has to manage that!

        • #3320721

          tell me what you mean

          by al3x ·

          In reply to Very bad stuff

          Well, I manage this network. However, I don’t agree with this, but upper management allows it due to 1 executive wanting to use his personal laptop; now several others do the same.

          Can you name the security risk involved?

          Also, I found my solution for my situation. I didn’t have to rely on a VBS script this time to authenticate to our domain when trying to attach to \\server.
          So basically I left my network mappings in place. Then I went to the non-domain laptop, clicked “Start”, “Run”, “control userpasswords2”, “Advanced tab”, “Manage Passwords”, and added “your domain authentications”.

          Now they have domain drive mappings & access to all domain network resources using their non-domain laptops.

        • #2648706

          What I meant…

          by forum surfer ·

          In reply to tell me what you mean

          You cannot control who has administrative rights on personal laptops. They can install any software they want at any time. Unless you have network appliances and managed routers/switches that you monitor carefully, there are all kinds of possibilities.

          1. They bring in whatever files from home they want and can store these files on company servers.

          2. The user could start a bit torrent client/server on his personal laptop since the internet connection at work seems faster to him, crippling your bandwidth.

          3. No way to deploy/manage antivirus centrally and guarantee the user can’t uninstall it if they feel it “slows their machine down”.

          4. Their personal laptops might have stuff like iTunes or the like so they download music/movies in their spare work time, crippling bandwidth.

          5. No way to tell if the user keeps his updates up to date.

          6. No way to manage the user’s computer at all since you don’t have admin privileges, much less even know who’s plugging what in.

          7. The user copies sensitive corporate data to his personal laptop…which is ok under policy. The user has poor security on his laptop and sensitive data is stolen or lost. If this sensitive data contains personal information on customers, now you have to notify all these customers that there was a potential security leak…under law.

          I could go on and on…but it sounds like bad business. I’m not saying it’s your idea or bashing you for it. I’m just saying if I were forced into this I would have a very lengthy argument against this policy, signed and documented on file that I totally disapproved of it from a security stand point. Once it was officially signed…I’d go about my duties and wait for that “I told you so” moment.

        • #2648027

          well

          by al3x ·

          In reply to What I meant…

          1. Storage is carefully monitored on the common network drive. We have a script that flags certain extensions by dates.

          2. We have Websense and it would take care of this issue.

          3. Their personal laptop should have antivirus, but if his personal laptop should have a virus, our Symantec Corp will block it on our file server, mail server, etc.

          4. We have Websense for this issue

          5. Well, if his updates are not up to date then what is going to happen? A Trojan in through an exploit?

          6. The purpose is not to manage their personal laptop. His internet will be controlled though. Besides, each cubicle has 1 ethernet port, so they will be using their own hub or switch.

          7. This can happen other than them bringing in their personal laptop. External hard drive comes to mind.

          I do agree with you about not having personal laptops here, but upper management agrees personal laptops are allowed.

          Besides Group Policy and Windows updates, I think everything else is covered and protected.

      • #3320715

        Microsoft allows this to happen

        by al3x ·

        In reply to Geez, that is a horrible policy, but

        Well, 1st of all, why does Microsoft allow non-domain computers to authenticate and access domain network resources without joining the domain?

        I always thought in the past a non-domain computer can’t see the domain network resources without 1st joining the domain. But later I found this to be false.

        So what is the purpose of joining a domain if a non-domain computer can authenticate using a domain account easily? Then any domain user in the world can bring in their personal laptop and authenticate. How do you stop them in your company? (port security?) Well, not everyone has managed switches.

        • #3320663

          The main advantage I

          by ic-it ·

          In reply to Microsoft allows this to happen

          didn’t vocalize, is that then you can ensure any GPOs are tacked into their systems. This would help from a security perspective.

        • #2648810

          gpo

          by al3x ·

          In reply to The main advantage I

          Currently only the login script is in the GPO, nothing else. So for us a domain computer and a non-domain computer are exactly the same for now.

          We do have metering software which checks what’s going in and out of the Internet, but not the servers. The DHCP server is also being monitored for new unauthorized IP & MAC addresses.
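One way to do the DHCP monitoring just mentioned, as an added example that is not from the thread: compare every lease the DHCP server hands out against an allow-list of company-owned MAC addresses and report the rest. The audit lines below are constructed to follow the Windows DHCP server audit log layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address,…, where ID 10 is a new lease and 11 a renewal); the allow-list, addresses and host names are placeholders.

```powershell
# Added example, not from the thread: report DHCP leases issued to MAC
# addresses missing from the company allow-list. Audit lines are constructed
# in the Windows DHCP server audit log layout; all values are placeholders.

$AllowedMacs = @('00155D0A0B0C', '00155D0A0B0D')   # constructed corporate MACs

$AuditLines = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,03/12/25,08:01:12,Assign,10.0.0.21,WS-FIN-01.corp.example,00155D0A0B0C,
11,03/12/25,08:05:40,Renew,10.0.0.22,WS-HR-02.corp.example,00155D0A0B0D,
10,03/12/25,08:09:03,Assign,10.0.0.57,ALEX-LAPTOP,3C22FB112233,
11,03/12/25,08:10:15,Renew,10.0.0.58,PRINTER-2,3c:22:fb:aa:bb:cc,
'@ -split "`r?`n"

function Find-UnknownLeases {
    param(
        [string[]]$Lines,
        [string[]]$Allowed
    )
    # Normalise MACs to upper-case hex with no separators so a differently
    # formatted address cannot slip past the comparison
    $known = $Allowed | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpper() }

    foreach ($line in $Lines) {
        $f = $line -split ','
        # Only lease assignment (10) and renewal (11) records carry a client MAC;
        # the header line and other event IDs are skipped here
        if ($f.Count -lt 7 -or $f[0] -notin @('10', '11')) { continue }
        $mac = ($f[6] -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($mac -and $known -notcontains $mac) {
            [pscustomobject]@{
                Time  = "$($f[1]) $($f[2])"
                Event = $f[3]
                IP    = $f[4]
                Host  = $f[5]
                MAC   = $mac
            }
        }
    }
}

Find-UnknownLeases -Lines $AuditLines -Allowed $AllowedMacs | Format-Table -AutoSize
```

On the sample data the two rows for ALEX-LAPTOP and PRINTER-2 are reported, since neither MAC is on the allow-list; in production the here-string would be replaced by Get-Content over the day’s DhcpSrvLog file and the allow-list by an export from the asset inventory, and the output fed to whatever alerting the metering software already uses.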
