Hi All ... If a local user on a

Status
Not open for further replies.

sguslan

IS-IT--Management
Aug 27, 2001
489
SA
Hi All ...

If a local user on a W2K prof workstation has the same user name and password on a domain, he can just double click on the DC/server name on the network neighborhood and have immediate access to all resources without being asked for the password. Can this behavior be changed?

Thanx
 
No, they will not have immediate access. On a local machine the user is known as simply username while the same user on a domain is known as username.domain. When they double click on a domain or share they will be met with the "connect as" box.
 
Sorry, I am not being asked to "Connect As"! It just lists all shares and printers immediately!
 
Take the local computer out of the domain -- i.e., if the local computer is not a member of the domain, the local user cannot sign on to the domain; only a domain admin can join a computer to the domain.
 
The computer is not a member of the domain ... has never been joined to it..

The only common thing between the workgroup PC and the domain is the user id and password ...
 
If the machine is not a member of the domain and the person is logging in using his local machine account, he or she should not be allowed to access network resources without being prompted for credentials -- however, if the resource in question is a SAMBA server, it may or may not be processing the request via its authentication scheme properly -- depending on the configuration of the SAMBA server. If not correctly configured, it could allow unrestricted access to non-domain members.

Craig J Matthews
System Administrator, Genesis Group
craigm@genesisgroup.com
 
Is it possible the person is a member of admin on the server?

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Every step of life shows much caution is required."
Johann Wolfgang von Goethe (1749-1832); German poet and playwright.

 
sguslan,

Take a look at the domain security policy and make sure that it only allows domain users to view resources. Right now it is probably not set or set at a very relaxed setting.

If people are able to view the resources on your network, then it is because of a security setting, not because they happen to have the same name.

The PC being in or out of the domain won't matter either.

The setting you are looking for is:
Start - Programs - Administrative Tools (or from the control panel) Domain Sec. Policy
User Rights Assignment - Deny access to this computer from the network

You will need to do this on the Domain Server Policy as well.

They will still be able to see computers in the Network Neighborhood but they will not be able to access them. They show in NN because of the machines broadcasting their name/address via NetBIOS.

Hope this helps! I have the anon and guests restricted from logging into any PC and I know that people who do not login to the network cannot get into the other PCs without a username and password.

CJ
- Jr. Rocket Man
 
Thanx All ..

No I am not using SAMBA as Craig asked; and the user in question has no administrative, operator or power privileges.

AND I tried what CharlieJax suggested, but to no avail. It still works. It seems that Win2000 Prof prefixes the user name with the domain NetBIOS name [stripping the computer name] automatically when accessing the domain resource, and since the password happens to be the same (locally and on the domain) the domain authenticates correctly.
I want the WS to always ask for "Connect As" and not "automatically" use the locally logged-in user name when connecting to any resource.

 
Reboot the computer in question, it may have been logged into the domain before and is remembering the authentication info.

Then try and see if it connects again.
 
I rebooted both DC and WS, but still I connect to the resource without any Connect As window...

 
I think this is by design. Assume you have 2 PCs in a peer-to-peer network. You are logged in as a user on PC A. If that same username/password exists on the other PC, you will be able to browse to it and get into shares.

Try this: change this user's password on either the domain or the PC. See if you can still browse the resources on the domain?

Is it necessary to keep the passwords matching? If not, a simple solution is to just change the password.

Other option: add the PC to the domain. In that user account, deny the ability for that user to log in on that computer to the domain. When the user gets a login prompt on their PC, they log in to the local PC, not to the domain. If they browse to the server, they still can't get to it because the server won't authenticate them from that PC.

-Lance
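A simplified model of the behaviour discussed in this thread (added here; not code from any poster or from Windows): the workstation silently offers the locally logged-on user's name and password-derived secret, and the domain server grants access when its own account record matches. The account name, password and SHA-256 stand-in for the NT hash are constructed assumptions; the three scenarios correspond to the matching-credential case, Lance's "change the password" fix and the "Deny access to this computer from the network" right.

```python
"""Model of implicit credential pass-through between a local account and a domain account."""
import hashlib
from dataclasses import dataclass, field


def password_hash(password: str) -> str:
    # Stand-in for the NT hash. Real Windows uses MD4 over the UTF-16LE password;
    # SHA-256 is used here only so the example runs anywhere (assumption).
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


@dataclass
class Server:
    accounts: dict                                  # username -> password hash (AD or local SAM)
    deny_network: set = field(default_factory=set)  # accounts denied "access from the network"

    def connect(self, username: str, secret: str) -> str:
        """Return 'granted', 'denied', or 'prompt' (the Connect As box)."""
        stored = self.accounts.get(username)
        if stored is None or stored != secret:
            return "prompt"            # no silent match: the user is asked for credentials
        if username in self.deny_network:
            return "denied"            # matched, but network logon right is withheld
        return "granted"               # same name + same password: no Connect As box


def workstation_connect(server: Server, local_user: str, local_password: str) -> str:
    # W2K Pro first tries the locally logged-on credentials, with no prompt.
    return server.connect(local_user, password_hash(local_password))


def scenarios() -> dict:
    # Constructed account data; not real credentials.
    dc = Server(accounts={"sguslan": password_hash("Summer2001!")})
    results = {}
    # 1. Same user name and password on workstation and domain: silent access.
    results["matching"] = workstation_connect(dc, "sguslan", "Summer2001!")
    # 2. Lance's fix: the local password no longer matches the domain one.
    results["changed_pw"] = workstation_connect(dc, "sguslan", "Different#Pass")
    # 3. CharlieJax's setting: deny the account network access on the server.
    dc.deny_network.add("sguslan")
    results["deny_network"] = workstation_connect(dc, "sguslan", "Summer2001!")
    return results


if __name__ == "__main__":
    print(scenarios())
```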
 
Does the stand alone W2K PC have a full DNS name set (do ipconfig /all)? And is it the same as the AD Domain?

Also, is it picking up DHCP information or is it all statically assigned? (The DHCP server may be assigning a DNS name and adding the PC via DDNS.)
 
No DHCP ... We just do not use it...

The standalone PC has a full DNS but not the same as the AD Domain ...