What do you think..will be the best answer?

kenny504 (Users Awaiting Email Confirmation, Posts: 237)
You want to stop users who are logging on to their machines without being authenticated by the domain controller. What option will be best to implement?

a)A GPO that denies the users the right to log on locally.
b)In the local Security Policy configure number of previous logons to cache to 0.

Pretty simple, right... 1 out of 2. I think the answer is A.
There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.

Comments

  • sprkymrk (Member, Posts: 4,884)
    Nope, it's B. If they don't have the right to log on locally, they cannot log on at the console at all. By setting the cached logons to 0, they will need to authenticate each time they log on. If cached logons were available (default is set to 10) they could unplug the network cable and logon with a cached profile even if you disabled their account since the last time they logged on.

    Neither of these solutions will stop them from using a local user account to log on though. It's one of those "tricky" MS questions.
    All things are possible, only believe.
  • kenny504 (Users Awaiting Email Confirmation, Posts: 237)
    Ohh ok. So if they don't have the right to log on locally they cannot log on even if authenticated??
    There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
  • sprkymrk (Member, Posts: 4,884)
    kenny504 wrote:
    Ohh ok. So if they don't have the right to log on locally they cannot log on even if authenticated??

    Basically. They could still log on with a local account, and then use the account on the DC (the domain account that has been denied the right to log on locally) to remote into a computer across the network.

    If you turn on auditing for logon/logoff events, you'll see a logon at the console as Type 2, while a remote logon (like through a network share) would be recorded as Type 3.
    All things are possible, only believe.
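    Added example (not from any poster in this thread): a small Python script that takes constructed records shaped like the key fields of Windows Security event 4624 and classifies them by logon type, so the console (type 2) versus network (type 3) distinction above can be checked in a log export. It also flags type 11 (CachedInteractive), which is what a logon with cached domain credentials looks like, and interactive logons by non-domain accounts, which neither option in the question prevents. The account names, workstation names and the CORP domain are constructed sample values.

```python
import re
from collections import Counter

# Windows 4624 logon types relevant to this thread (Microsoft's documented values).
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (share, RPC)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive (cached domain credentials, no DC contact)",
}

# Constructed sample records, shaped like the key fields of a 4624/4625 event export.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=2 AccountName=jsmith AccountDomain=CORP Workstation=WS01
EventID=4624 LogonType=3 AccountName=jsmith AccountDomain=CORP Workstation=WS02
EventID=4624 LogonType=11 AccountName=jsmith AccountDomain=CORP Workstation=WS01
EventID=4624 LogonType=2 AccountName=Administrator AccountDomain=WS01 Workstation=WS01
EventID=4625 LogonType=2 AccountName=jsmith AccountDomain=CORP Workstation=WS01
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Parse one key=value record per line into dicts; blank lines are skipped."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def successful_logons_by_type(events):
    """Count successful logons (event 4624) per logon type."""
    return Counter(int(e["LogonType"]) for e in events if e.get("EventID") == "4624")

def cached_logons(events):
    """(account, workstation) pairs that logged on with cached credentials (type 11).
    With 'number of previous logons to cache' set to 0 these should not occur."""
    return [(e["AccountName"], e["Workstation"]) for e in events
            if e.get("EventID") == "4624" and e.get("LogonType") == "11"]

def local_account_logons(events, domain):
    """Console logons whose account domain is not the AD domain, i.e. local accounts."""
    return [e["AccountName"] for e in events
            if e.get("EventID") == "4624" and e.get("LogonType") == "2"
            and e.get("AccountDomain", "").upper() != domain.upper()]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for t, n in sorted(successful_logons_by_type(evs).items()):
        print(f"type {t:2d} {LOGON_TYPES.get(t, 'other'):60s} {n}")
    print("cached-credential logons:", cached_logons(evs))
    print("local-account console logons:", local_account_logons(evs, "CORP"))
```

    Any type 11 record after the cache count has been set to 0 means the policy has not applied on that workstation.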
  • kenny504 (Users Awaiting Email Confirmation, Posts: 237)
    Well, the question said you want to stop users from logging on to their machines without authenticating to the domain, so if you set the logon cache to 0 they will still be able to log on to the local machine. That's why I say it's "A".
    There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
  • APA (Member, Posts: 959)
    but to logon they would need to authenticate with a domain controller first which is what the question requires....

    If you deny users the right to log on locally to a machine through a group policy object then they won't be able to log on to that machine at all.....

    I second that B) is the correct answer......

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • widjerd (Member, Posts: 17)
    kenny504 wrote:
    Well, the question said you want to stop users from logging on to their machines without authenticating to the domain, so if you set the logon cache to 0 they will still be able to log on to the local machine. That's why I say it's "A".

    I think the question is badly worded, but it is implying you want to stop logging on to the domain, not the actual local machine, because the local machine will not have user accounts.
  • matradley (Member, Posts: 549)
    I agree that the answer is "B." According to the Sybex version of the MCSA/MCSE Windows XP Professional Third Edition written by Lisa Donald and James Chellis:

    "When a user login is successful, the logon credentials are saved to local cache. The next time the user attempts to log on, the cached credentials can be used to log on in the event that they can't be authenticated by a domain controller. By default, Windows XP will cache the credentials for the last 10 users who have logged on the computer. If group policies have been updated and a user is using cached credentials, the new group policy updates will not be applied. If you want to force a user to log on using non-cached credentials, you can set the number of cached credentials to 0 through a group policy." (218)
    From Security+ book by Sybex:
    "One of the nice things about technology is that it's always changing. One of the bad things about technology is that it's always changing."
  • kenny504 (Users Awaiting Email Confirmation, Posts: 237)
    I understand that.

    Yes, that's true... but their credentials not being cached still doesn't stop users from accessing their "machines". They can still get on to their machines locally without authenticating to the domain. The question says you do not want users to access their machines without being authenticated by the domain.

    Wouldn't a "deny users the right to log on locally" be more feasible? I am just trying to understand the logic in the question.

    If the question said no users should log on to their domain account without being authenticated, I would answer "B" also. But the question says you want to stop users from logging on to their machines....
    There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
  • kenny504 (Users Awaiting Email Confirmation, Posts: 237)
    Alright, I think I got it now.... just took a while to grasp.
    There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.
  • matradley (Member, Posts: 549)
    kenny504 wrote:
    Alright, I think I got it now.... just took a while to grasp.
    I get some of those days too.
    From Security+ book by Sybex:
    "One of the nice things about technology is that it's always changing. One of the bad things about technology is that it's always changing."
  • sprkymrk (Member, Posts: 4,884)
    Glad you got it. Like I said, it's just a trick question MS likes to use. Remember, if you answer "A", that still won't stop them from logging in to the machine with a local account. It will stop them from logging in with their domain account, but not with a local account such as Administrator. I suppose one could interpret the answer as also applying this policy to local accounts, but then they could still use a domain account's cached credentials (by purposely disconnecting the LAN cable) to log on anyway.

    </beat dead horse>
    All things are possible, only believe.
  • Nishesh.Prasad (Member, Posts: 185)
    The answer is 'B'
    MCITP: EA 2008| VCP4| MCSE 2003 | CCNA | MCSA 2003: Security | MCDST | Security+ | ITILV3