Logon Locally Windows 2000

Posted on 2004-03-25
Medium Priority
Last Modified: 2013-12-04

We have a lot of old pool laptops that have been upgraded to Windows 2000.  They do not have network cards or modems/cables.  We currently have a situation where people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on to it whilst at home.

While we could enable the guest logon this is very insecure.  We have also considered creating a local policy (on each laptop) with a generic password.  As these laptops never go on the network there is no way of changing the password for this generic account on the laptop, so it raises a security risk when people leave, which is potentially often.  How do you all do this?  Surely anyone with pool home laptops must have this problem.

I have a couple of off the wall ideas but I don't think there is anything out there that does it, please tell me if anyone knows different.

1.  Have a policy on a floppy disk that has a user account enabled.  Possibly with an expiry password account of 3 attempts.

2.  Have a security token (we do use these for dialling in) that could somehow be authenticated locally.

As I said they are off the wall suggestions but maybe someone has an answer pleeeeeease.


Question by:T-y
LVL 67

Expert Comment

ID: 10676020
You said:  
 >>They do not have network cards or modems/cables<<

but then you said:
>>people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on <<

Er, how?

Author Comment

ID: 10676059
The laptops have to be brought to us, we can set them up on the network.  This is not a problem for people that work in the same office, but not for people that work 20 miles away.


Expert Comment

ID: 10676066
Exactly, very confusing.

I understand this as if you have a Network configuration but no Network?

Please explain...

Expert Comment

ID: 10676075
Sry, scrap that....

Hmmm, and will these users never use Network resources?

If so, then why bother with putting them on the network?

LVL 67

Expert Comment

ID: 10676228
I think I need further clarification...

>>As these laptops never go on the network there is no way of changing the password <<

If I'm hearing (haha - reading) you correctly...
The users can only use the laptops disconnected from any network (no modem or NIC).
Occasionally, they'll forget their password - which raises a concern for you.  Apparently they're part of a domain, but "not", so since there's no network connection, you cannot reset their account in the domain (what good would it do? <rhetorical>).  So how to get past this hurdle?  
If you open the guest account, you're concerned about...what?  That they'll use it, or that if it gets into the hands of someone else, it will be compromised?  You don't want to create a separate account as this is a security risk...why?  When you say 'people leave which is potentially often' - do you mean your concern becomes that they'll take the laptop and run?

I don't think either of your suggestions would do it.  I think you'd be better off implementing the accounts with a "password never expires", but yet account does expire after say, 90 days.  They would be required to bring it in every 90 days to have you reset it in order to keep it running.  But - if you're concerned about theft - There's not much in wiping a hard drive and starting over, let alone picking up a PCMCIA NIC or modem from ebay...

Have I traveled too far down the wrong path here or what?

Author Comment

ID: 10676265
No they don't ever go on the network *UNLESS* we need to cache their profile.

Author Comment

ID: 10676356
Sorry I don't seem to have made myself very clear.  Let's try again.

The laptops would not normally go on the network; there is no need to, they are generally used for just word processing.  We currently make them bring in the laptop to us, we connect it to the network, they log on, their account is cached - bingo.  Yes we could add them as a local user, but for pool laptops where you could technically have 50/60 people logging on, we can't have 50/60 local users; that would be a waste of resources.

The problem with guest account and generic accounts is

a) Someone with enough nous could do damage and hack.

b) There is no accountability if a generic/guest account is used.  You then get into the realms of Data Protection problems.

The problem of it being stolen is not really an issue, because if they do, they won't need the username and password.

Also bringing the laptops in every 90 days is a huge administration problem, we are talking about 1000+ laptops.  And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

Maybe we are just asking too much.

Expert Comment

ID: 10676429

If I get this right, the user does not have any means to connect to the network, he has to bring the laptop to you for his first log on?

So when you say:
And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

You mean that the users forget to bring you the laptop to log on?

To cache a profile, yes this is the only way I know of..... Still kinda confused though....

Are we talking about 50 people who all have separate profiles, storing data on ONE laptop?

A pooled laptop for that many people cannot be used to store their data as well? And what do they do when they return the laptop?

I really don't see the security risk on a shared laptop as I don't see 50 users with all their data on the same laptop........

Please correct me if I'm way off....

LVL 67

Expert Comment

ID: 10676562
I, personally, think you're reaching here.  That's a LOT of people to share a laptop...
If accountability is the problem -why not allow them dial-in/network access?  Just drop a policy locally that prevents Internet access, if that's your concern...

Author Comment

ID: 10676649
Yes we are talking *potentially* 50 people, it's pooled laptops from a department so anyone can use the laptop.  You only need two people to use the same laptop before you run into Data Protection problems if they can both access the same data.

The thing is if they are logging on locally they have to put the data on the laptop.  Yes it gets transferred to a floppy before they can use it back at their desk, but how many 'users' do you know that do good housekeeping and clean up after themselves.

But this still comes back to how do we authenticate that someone is for real without having a cached profile.  Yes generic passwords/accs work but are not the most secure.
LVL 12

Expert Comment

ID: 10681215
Cached Logon Information is written in the registry

But that's not all of it - to figure out what's really written when doing a cached logon, save a regfile before doing a cached logon and after doing a cached logon. Probably also something in HKCU and HKUS

If you can find out what to change in a reg-file from HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\... or wherever cached logon writes, then make the reg-file and send it to the computer 20 miles away from you

It can't be audited by regmon, but maybe placing it in HKLM\Software\Microsoft\Windows\Current Version\Run might help.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

LVL 38

Expert Comment

by:Rich Rumble
ID: 10698315
So, you have these LT's joined to a domain or AD, so that is why you need to cache the logons. You want to be able to keep everyone's settings and files separated with permissions, and also have accountability with the event logs, so each user should have their own account on the LT's; that way you can keep their files separate, and the event logs will document who is doing what when.

I say, let them be stand-alone, in a workgroup; you can script adding as many users as you want to each laptop, all in the "Users" group on the LT's. That will lock them down quite a bit, and they will not be able to view each other's My Documents folders etc... When you set the users up on the LT with a script, all the same pass, you can have it place the check mark for "user must change pass at next logon" so that no one can view the others' account because the pass will then need to be changed. I'm sure your users can remember 2 passwords, because if they get a different laptop next week that they haven't signed on to, they will need to use the default pass, then change it to their standard password.

Scripting can be done with the "net user" and "net accounts" commands; by default, change pass at next logon is already turned on I believe.
M$ scripting page has lots of stuff that can be modified to do this also:
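The following batch script is an added example of the provisioning approach described in the comment above; it is not the commenter's script and not from the Microsoft scripting page. It assumes it is run from an Administrator command prompt on the stand-alone (workgroup) laptop, that the usernames to create are listed one per line in a file called users.txt (a constructed sample list is written inline so the script runs as-is), and that INITPASS is the one-time default password IT hands out. The /logonpasswordchg:yes switch is an assumption for the Windows 2000 build of net user (it is documented for later Windows versions); on Windows 2000 the "user must change password at next logon" flag is, as the comment says, expected to be on by default when an account is created this way.

```batch
@echo off
REM Added example (not from the thread): create local, non-privileged accounts on a
REM pooled Windows 2000 laptop so that each user logs on under their own name
REM (accountability in the event log, separate profile folders) instead of a
REM shared guest/generic account.
REM Assumptions (mine, not the page's): users.txt holds one username per line,
REM INITPASS is the one-time default password, and this runs as Administrator.
setlocal

set INITPASS=ChangeMe-2004

REM Constructed sample input so the script can be run as-is; replace with the
REM real department list.
(
  echo alice
  echo bob
  echo carol
) > users.txt

REM Local account policy: minimum password length 8, passwords expire after 90 days.
REM (MINPWLEN and MAXPWAGE are standard "net accounts" options.)
net accounts /minpwlen:8 /maxpwage:90

for /f "usebackq tokens=* delims=" %%U in ("users.txt") do (
  REM "net user NAME" fails with a non-zero errorlevel when the account does not
  REM exist, so existing accounts are skipped and the script can be re-run safely.
  net user "%%U" >nul 2>&1
  if errorlevel 1 (
    echo Creating local account %%U
    REM /passwordchg:yes      - user may change the password themselves
    REM /logonpasswordchg:yes - force a change at first logon, so the shared
    REM                          default password is never a long-lived secret
    REM                          (assumed available on this build; see lead-in)
    REM /expires:never        - the account itself does not lapse; the password does
    net user "%%U" "%INITPASS%" /add /passwordchg:yes /logonpasswordchg:yes /expires:never /comment:"Pool laptop user"
    REM Ordinary Users only: never Administrators or Power Users on a shared machine.
    net localgroup Users "%%U" /add
  ) else (
    echo Account %%U already exists, skipping
  )
)

endlocal
```

Because the default password is identical on every laptop, the forced change at first logon is the control that matters: it turns the shared secret into a per-user one before any data is stored under that account. The 90-day maximum password age addresses the asker's concern about leavers only partially, since a departed user's account remains on the laptop until it is explicitly removed with net user NAME /delete, so the department list should also be used to retire accounts when a laptop comes back in.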

Accepted Solution

CetusMOD earned 0 total points
ID: 11468861
PAQed - no points refunded (of 250)

Community Support Moderator
