unplugged cable and logon locally with defined user in domain

By pichack ·
I have a windows 2003 sever. all clients are using windows xp Pro sp2. i defiend a user in domain and set security for it.
when users unplugged the network cable they can log on locally with defined user.why?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

The profile is cached locally

by branty1970 In reply to unplugged cable and logon ...

When a user logs on at a workstation their profile stored locally. If you have roaming profiles set-up the profile is copied from the server to the workstation. When you remove the network cable the workstation looks for the server but, if it can't find it, it will use the profile that is on the workstation.

Collapse -

thanks & question

by pichack In reply to The profile is cached loc ...

thanks branty
this way resolve my problem.but if i had 10000 clients ,how do this action?

Collapse -

A couple of ways

by Jacky Howe In reply to unplugged cable and logon ...

Roaming Profiles. It stops the kids from pulling out the the fly lead, logging on locally reinserting the fly lead and surfing the net.

Permit users to log on locally to a domain controller

To permit users to log on locally to a domain controller
Open Domain Controller Security Policy.

In the console tree, click User Rights Assignment.


? GroupPolicyObjectName [DomainControllerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment

In the details pane, double-click Allow log on locally.

If this security setting has not yet been defined, select the Define these policy settings check box, and click Add User or Group.

In Add user or group, specify the user or group who will be granted permission to log on locally, and then click OK twice.


? To open Domain Controller Security Policy, click Start, click Control Panel, double-click Administrative Tools, and then double-click Domain Controller Security Policy.

? You can also explicitly deny users or groups the permission to log on locally by configuring the "Deny log on locally" user right. For more information, see Related Topics.

? Setting changes are applied every five minutes on a domain controller. Every 16 hours, there is a forced refresh on the settings, regardless of any changes.

? User Rights are defined by default in the Default Domain Controller Group Policy object, which is associated with the Domain Controllers organizational unit. As a result, all domain controllers have the same User Rights policy.

Collapse -

RE: Hello! :)

by Jacky Howe In reply to A couple of ways

You don't have to let the users log on locally, that is what you are trying to avoid. :)
By allowing the users to log on locally, means that Group Policy does not get applied, they can probably surf the internet too.
If a user has a mandatory profile, changes made by the user during a session are not uploaded to the mandatory profile when the user logs off- the user can never change the mandatory profile. However, if the mandatory profile allows the user to make changes during a session, any changes made by the user are saved in the locally cached version of the mandatory profile. So, the next time the user logs on at this workstation, if the user's mandatory profile is unavailable, "OR the CABLE has been REMOVED" the locally cached profile is loaded, and the user will have the changes made during his or her last session.

You will need to use these Policies to stop the use of the local profiles. :)

Using Group Policy to delete cached copies of roaming profiles

You can configure a Group Policy Object (GPO) to perform the preceding behavior by performing the following steps:
1. Edit the GPO that you want to modify.
2. Locate the following section: Computer Configuration \ Administrative Templates \ System \ User Profiles.
3. Double-click Delete cached copies of roaming profiles (the Group Policy setting).
4. Click Enabled.

Log users off when roaming profile fails.

GPO Computer Configuration, Administrative Templates, System, User Profiles

Logs a user off automatically when the system cannot load the user's roaming user profile.

This setting is used when the system cannot find the roaming user profile or the profile contains errors which prevent it from loading correctly.

If you disable this setting or do not configure it, when the roaming profile fails, the system loads a local copy of the roaming user profile, if one is available. Otherwise, the system loads the default user profile (stored in %Systemroot%\Documents and Settings\Default User).

<Stress a point>

Collapse -

Unplugged cable and logon locally

by tushar.k In reply to unplugged cable and logon ...

When you create a user in windows server 2003 it gave a file to user name ntuser.dat file.when you first time login with username it save a file natuser.dat with user profile in documents and settings so, when you unplugged cable user can login with username

Related Discussions

Related Forums