What do you think..will be the best answer?

You want to stop users who are logging on to their machines without be authenticated by the doamin controller. What option will be best to implement.

a)A GPO that denies the users the right to log on locally.
b)In the local Security Policy configure number of previous logons to cache to 0.

Pretty simple right...1 out of 2..i think the answer is a

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

sprkymrk

Nope, it's B. If they don't have the right to log on locally, they cannot log on at the console at all. By setting the cached logons to 0, they will need to authenticate each time they log on. If cached logons were available (default is set to 10) they could unplug the network cable and logon with a cached profile even if you disabled their account since the last time they logged on.

Neither of these solutions will stop them from using a local user account to log on though. It's one of those "tricky" MS questions.

kenny504

Ohh ok. So if they dont have the right to log on locally they cannot log on even if authenticated??

sprkymrk

kenny504 wrote:

Ohh ok. So if they dont have the right to log on locally they cannot log on even if authenticated??

Basically. They could log still on with a local account, and then use the account on the DC (the domain account that has been denied the right to log on locally) to remote into a computer across the network.

If you turn on auditing for logon/logoff events, you'll see a logon at the console as Type 2, while a remote logon (like through a network share) would be recorded as Type 3.

kenny504

Well the question said you want to stop users from logging on to thier machines without authenticating to the domain so if you set the logon cache to 0. they will still be able to logon to the local machine. Thats why i say its "A"

APA

but to logon they would need to authenticate with a domain controller first which is what the question requires....

If you deny users the right to log on locally to a machine through a group policy object then they won't be able to log on to that machine at all.....

I second that

is the correct answer......

widjerd

kenny504 wrote:

Well the question said you want to stop users from logging on to thier machines without authenticating to the domain so if you set the logon cache to 0. they will still be able to logon to the local machine. Thats why i say its "A"

i think the question is badly worded, but it is implying you want to stop logging on the domain, not the actual local machine because the local machine will not have user accounts

matradley

I agree that the answer is "B." According to the Sybex version of the MCSA/MCSE Windows XP Professional Third Edition written by Lisa Donald and James Chellis:

"When a user login is successful, the logon credentials are saved to local cache. The next time the user attempts to log on, the cached credentials can be used to log on in the event that they can't be authenticated by a domain controller. By default, Windows XP will cache the crednetials for the last 10 users who have logged on the computer. If group policies have been updated and a user is using cached credentials, the new group policy updates will not be applied. If you want to force a user to log on using non-cached credentials, you can set the number of cached credentials to 0 through a group policy." (21

kenny504

I understand that.

Yes thats true...but thier credentials not being cached still doesnt stop users from accessing their "machines". They can still get on to thier machines locally without authenticating to the domain. The question says you do not want users to access thier machines without being authenticated by the domain.

Wouldnt a "deny users the right log on locally" be more feasible ? I am just trying to understand the logic in the question.

If the question said no users should log on to thier domain account without be authenticated i would answer "B" also. But the question says you want to stop users from logging on to thier machines....

kenny504

Alright think i got it now....just took a while to grasp.

matradley

kenny504 wrote:

Alright think i got it now....just took a while to grasp.

I get some of those days too.

sprkymrk

Glad you got it. Like I said, it's just a trick question MS likes to use. Remember, if you answer "A", that still won't stop them from logging in to the machine with a local account. It will stop them from using their domain account from logging in, but not a local account such as Administrator. I suppose one could interpret the answer as also applying this policy to local accounts, but then they could still use a domain account cached credential (by purposely disconnecting the LAN cable) to logon anyway.

</beat dead horse>

Nishesh.Prasad

The answer is 'B'