• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 233

Logon Locally Windows 2000


We have a lot of old pool laptops that have been upgraded to Windows 2000.  They do not have network cards or modems/cables.  We currently have a situation where people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on to it whilst at home.

While we could enable the guest logon this is very insecure.  We have also considered creating a local policy (on each laptop) with a generic password.  As these laptops never go on the network there is no way of changing the password for this generic account on the laptop, which raises a security risk when people leave, which is potentially often.  How do you all do this?  Surely anyone with pool home laptops must have this problem.

I have a couple of off the wall ideas but I don't think there is anything out there that does it, please tell me if anyone knows different.

1.  Have a policy on a floppy disk that has a user account enabled.  Possibly with an expiry password account of 3 attempts.

2.  Have a security token (we do use these for dialling in) that could somehow be authenticated locally.

As I said they are off the wall suggestions but maybe someone has an answer pleeeeeease.


1 Solution
You said:  
 >>They do not have network cards or modems/cables<<

but then you said:
>>people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on <<

Er, how?
T-y (Author) Commented:
The laptops have to be brought to us, we can set them up on the network.  This is not a problem for people that work in the same office, but not for people that work 20 miles away.

Exactly, very confusing.

I understand this as if you have a Network configuration but no Network?

Please explain...

Sry, scrap that....

Hmmm, and will these users never use Network resources?

If so, then why bother with putting them on the network?

I think I need further clarification...

>>As these laptops never go on the network there is no way of changing the password <<

If I'm hearing (haha - reading) you correctly...
The users can only use the laptops disconnected from any network (no modem or NIC).
Occasionally, they'll forget their password - which raises a concern for you.  Apparently they're part of a domain, but "not", so since there's no network connection, you cannot reset their account in the domain (what good would it do? <rhetorical>).  So how to get past this hurdle?  
If you open the guest account, you're concerned about...what?  That they'll use it, or that if it gets into the hands of someone else, it will be compromised?  You don't want to create a separate account as this is a security risk...why?  When you say 'people leave which is potentially often' - do you mean your concern becomes that they'll take the laptop and run?

I don't think either of your suggestions would do it.  I think you'd be better off implementing the accounts with a "password never expires", but yet account does expire after say, 90 days.  They would be required to bring it in every 90 days to have you reset it in order to keep it running.  But - if you're concerned about theft - There's not much in wiping a hard drive and starting over, let alone picking up a PCMCIA NIC or modem from eBay...

Have I traveled too far down the wrong path here or what?
T-y (Author) Commented:
No they don't ever go on the network *UNLESS* we need to cache their profile.
T-y (Author) Commented:
Sorry I don't seem to have made myself very clear.  Let's try again.

The laptops would not normally go on the network, there is no need to, they are generally used for just word processing.  We currently make them bring in the laptop to us, we connect it to the network, they log on, their account is cached - bingo.  Yes we could add them as a local user, but for pool laptops where you could technically have 50/60 people logging on, we can't have 50/60 local users, that would be a waste of resources.

The problem with guest account and generic accounts is

a) Someone with enough nous could do damage and hack.

b) There is no accountability if a generic/guest account is used.  You then get into the realms of Data Protection problems.

The problem of it being stolen is not really an issue, because if they do, they won't need the username and password.

Also bringing the laptops in every 90 days is a huge administration problem, we are talking about 1000+ laptops.  And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

Maybe we're just asking too much.

If I get this right, the user does not have any means to connect to the network, he has to bring the laptop to you for his first log on?

So when you say:
And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

You mean that the users forget to bring you the laptop to log on?

To cache a profile, yes this is the only way I know of..... Still kinda confused though....

Are we talking about 50 people who all have separate profiles, storing data on ONE laptop?

A pooled laptop for that many people can not be used to store their data as well? And what do they do when they return the laptop?

I really don't see the security risk on a shared laptop as I don't see 50 users with all their data on the same laptop........

Please correct me if I'm way off....

I, personally, think you're reaching here.  That's a LOT of people to share a laptop...
If accountability is the problem -why not allow them dial-in/network access?  Just drop a policy locally that prevents Internet access, if that's your concern...
T-y (Author) Commented:
Yes we are talking *potentially* 50 people, it's pooled laptops from a department so anyone can use the laptop.  You only need two people to use the same laptop before you run into Data Protection problems if they can both access the same data.

The thing is if they are logging on locally they have to put the data on the laptop.  Yes it gets transferred to a floppy before they can use it back at their desk, but how many 'users' do you know that do good housekeeping and clean up after themselves.

But this still comes back to how do we authenticate that someone is for real without having a cached profile.  Yes generic passwords/accs work but are not the most secure.
Cached Logon Information is written in the registry

But that's not all of it - to figure out what's really written when doing a cached logon, then save a regfile before doing a cached logon and after doing a cached logon. Probably also something in HKCU and HKUS

If you can find out what to change in a reg-file from HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\... or where ever cached logon writes, then make the reg-file and send it to the computer 20 miles away from you

It can't be audited by regmon, but maybe placing it in HKLM\Software\Microsoft\Windows\Current Version\Run might help.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

Rich Rumble (Security Samurai) Commented:
So, you have these LT's joined to a domain or AD, so that is why you need to cache the logons. You want to be able to keep everyone's settings and files separated with permissions, and also have accountability with the event logs, so each user should have their own account on the LT's; that way you can keep their files separate, and the event logs will document who is doing what when.

I say, let them be stand-alone, in a work-group, you can script adding as many users as you want to each laptop, all in the "users" group on the LT's that will lock them down quite a bit, and they will not be able to view each other's My Documents folders etc... When you set the users up on the LT with a script, all the same pass, you can have it place the check mark for "user must change pass at next logon" so that no one can view the others' account because the pass will then need to be changed. I'm sure your users can remember 2 passwords, because if they get a different laptop next week that they haven't signed on to, they will need to use the default pass, then change it to their standard password.

Scripting can be done with the "net user" and "net accounts" commands; by default, change pass at next logon is already turned on, I believe.
M$ scripting page has lots of stuff that can be modified to do this also:
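An added batch script illustrating the approach in the answer above (not Rich Rumble's own script). It assumes a `users.txt` file with one username per line next to the script, an initial password placeholder you replace before running, and the `net user /add` default Rich describes, where the new account is created with "User must change password at next logon" set and lands in the local Users group; the local password policy via `net accounts` is an addition.

```batch
@echo off
rem Added example: create one stand-alone local account per pool-laptop user on
rem Windows 2000, all with the same initial password that must be changed at
rem first logon, so nobody can get into anyone else's profile afterwards.
rem Assumptions: users.txt beside this script lists one username per line, and
rem INITPASS is a placeholder to be replaced before the script is used.
setlocal
set INITPASS=ChangeMe-Placeholder1
set USERLIST=%~dp0users.txt

if not exist "%USERLIST%" (
    echo User list %USERLIST% not found.
    exit /b 1
)

rem Local password policy for this laptop: a minimum length, and a maximum age
rem so a password cannot be kept indefinitely once the laptop is off the network.
net accounts /minpwlen:8 /maxpwage:90 >nul

for /f "usebackq eol=# tokens=*" %%u in ("%USERLIST%") do (
    rem Skip accounts that already exist so the script can be re-run safely.
    net user "%%u" >nul 2>&1 && (
        echo %%u already exists, skipping.
    ) || (
        rem net user /add leaves "User must change password at next logon" set,
        rem so the shared initial password is replaced the first time each
        rem person logs on. New local accounts are members of Users only: no
        rem admin rights, and each profile's My Documents stays private on NTFS.
        net user "%%u" %INITPASS% /add /passwordchg:yes /expires:never /comment:"Pool laptop user" >nul
        echo Created %%u.
    )
)
endlocal
```

Run it once per laptop from an administrator command prompt; re-running it only adds usernames that are new in `users.txt`.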
PAQed - no points refunded (of 250)

Community Support Moderator
Question has a verified solution.
