Posted by Roger Abell [MVP] on May 20, 2007, 3:28 am
So by what you have said, Chris, I have one of your laptops, and
I am at work being forced to login with the domain account. But,
I see a cool app I want installed, so after the download I right-shift
right-click on the apps installer and select to run as my power user
account, installing the app. Oops, that app did not ask if I wanted
to install it for all users, and installed it just for the power user
account (unlike most apps that would install for all accounts). Oh,
not to worry, I will just run as a command prompt and do some
changing of things from my profile to the All Users profile and
make sure the app's area in Program Files is granting to Users.
I just do not see what your plan is accomplishing. The users can
bring into work a laptop that has become junked out, infested
with any kind of hijackware, keylogger, etc. Such malware does
not care what account logs in, except in so far as different accounts
can provide more and less access to network resources. Etc.
Slav stated the solution most succinctly. Do not provide the local
account. When they are not in the office they can log in with the
cached domain login. If they cannot install whatever they might
wish then you do have a chance at a controlled (i.e. safe) machine
environment for them to get their work done.
In so far as I am aware there is no built-in solution to your stated
need, i.e. to be network aware and control login rights based on
that network awareness. You can however create a login script
that tests for some things, based on which it is highly probable it
will always decide correctly whether it is in the office network
or not, and immediately log off any account that is logging in
(i.e. running the script) that is not a domain account. Now, if
you did that, and made sure that only Administrators, not just
Power Users, could affect the login script, then I would come
into the office, not connect to the network, log in, then connect to
the network.
Roger
> Pidgorny,
>
> Thanks for your suggestion, but I think I need to provide more
> information so you can understand what the needs are here, and why I
> need to implement the above:
>
> The idea behind the usage of two separate accounts on each user's
> laptop is more of a practical sense.
>
> The local (laptop) account will be used when the user is at home. The
> user has the ability to install applications he might want to use at
> home. This gives him the ability to work with the machine almost
> without limitations. The local user account will be part of the 'Power
> Users' of the local machine.
>
> The domain account is to be used only for work. The user won't be able
> to install any programs that are not related to his working
> environment. The domain user has no additional privileges to install
> or change settings under the domain account - restricting considerably
> how much he can do, that's not related to his work.
>
> I need to figure a way to force the user to log into his domain account
> when he connects his laptop at the office, not allowing him access to
> the local computer account.
>
> As a side note, I've been also looking into 802.1x, which looks
> promising, but the problem with it is that when enabled, it works for
> all accounts on the laptop. As an alternative, if I could enable
> 802.1x only when the user is logged into his domain account (locally
> cached as you mentioned), then he can enter his username / password
> and gain access to the network. If he logs into the local user account
> and the 802.1x is disabled for that account, he can't join the
> network.
>
> Your thoughts and comments are appreciated.
>
>
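As an added illustration of the logon script Roger sketches above (this is editor-supplied example code, not from any poster in the thread), here is a PowerShell logon script that does the two tests he describes: is the account logging on a domain account, and does the machine appear to be on the office network. It assumes names that are not in the thread: a NetBIOS domain `CORP`, an office DNS suffix `corp.example.com`, and a domain controller reachable as `dc1.corp.example.com`. Because a local account never receives a domain Group Policy logon script, the script would have to be assigned through the laptop's local policy (gpedit.msc, User Configuration, Windows Settings, Scripts (Logon)), and, as Roger points out, stored where only Administrators, not Power Users, can modify it.

```powershell
# Added example, not from the original thread. A logon script that logs off
# a local (non-domain) account when the laptop appears to be on the office
# network. The three names below are assumptions for illustration only.
$DomainNetbios   = 'CORP'                 # NetBIOS name of the office domain
$OfficeDnsSuffix = 'corp.example.com'     # connection-specific DNS suffix handed out in the office
$OfficeHost      = 'dc1.corp.example.com' # a host that only resolves on the office network

function Test-DomainLogon {
    # A local account logs on with USERDOMAIN equal to the machine name;
    # a domain account (including a cached logon) reports the domain name.
    return ($env:USERDOMAIN -ieq $DomainNetbios)
}

function Test-OfficeNetwork {
    # Two independent hints are required before deciding "in the office":
    # 1. some IP-enabled adapter carries the office DNS suffix, and
    # 2. a known office-only host name resolves.
    $suffixSeen = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DNSDomain -ieq $OfficeDnsSuffix }
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($OfficeHost)
    } catch {
        $resolved = $null   # name did not resolve: not on the office network
    }
    return ([bool]$suffixSeen -and [bool]$resolved)
}

if ((Test-OfficeNetwork) -and -not (Test-DomainLogon)) {
    # Local account on the office network: force an immediate logoff.
    # shutdown.exe /l logs off the current session; /f closes apps without prompting.
    Write-Warning "Local account '$env:USERNAME' logged on while on the office network; logging off."
    shutdown.exe /l /f
}
```

Two caveats follow directly from the thread. First, the check runs only at logon, so a user who logs on with the local account while disconnected and then plugs in the network cable is not caught, exactly the bypass Roger describes; re-running the same test from a scheduled task on network connection narrows that gap but does not close it. Second, any account that can edit the script, or the local policy that assigns it, can simply remove the logoff, so the file and the policy must be writable by Administrators only.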