Logon Locally Windows 2000

Posted on 2004-03-25
Last Modified: 2013-12-04

We have a lot of old pool laptops that have been upgraded to windows 2000.  They do not have network cards or modems/cables.  We currently have a situation where people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on to it whilst at home.

While we could enable the guest logon this is very insecure.  We have also considered creating a local policy (on each laptop) with a generic password.  As these laptops never go on the network there is no way of changing the password for this generic account on the laptop, so it raises a security risk when people leave, which is potentially often.  How do you all do this?  Surely anyone with pool home laptops must have this problem.

I have a couple of off the wall ideas but I don't think there is anything out there that does it; please tell me if anyone knows different.

1.  Have a policy on a floppy disk that has a user account enabled.  Possibly with an expiry password account of 3 attempts.

2.  Have a security token (we do use these for dialling in) that could somehow be authenticated locally.

As I said they are off the wall suggestions but maybe someone has an answer pleeeeeease.


Question by:T-y
LVL 67

Expert Comment

ID: 10676020
You said:  
 >>They do not have network cards or modems/cables<<

but then you said:
>>people keep forgetting they need to have the laptop put on the network to cache their profile to allow them to log on <<

Er, how?

Author Comment

ID: 10676059
The laptops have to be brought to us, we can set them up on the network.  This is not a problem for people that work in the same office, but not for people that work 20 miles away.


Expert Comment

ID: 10676066
Exactly, very confusing.

I understand this as if you have a Network configuration but no Network?

Please explain...

Expert Comment

ID: 10676075
Sry, scrap that....

Hmmm, and will these users never use Network resources?

If so, then why bother with putting them on the network?

LVL 67

Expert Comment

ID: 10676228
I think I need further clarification...

>>As these laptops never go on the network there is no way of changing the password <<

If I'm hearing (haha - reading) you correctly...
The users can only use the laptops disconnected from any network (no modem or NIC).
Occasionally, they'll forget their password - which raises a concern for you.  Apparently they're part of a domain, but "not", so since there's no network connection, you cannot reset their account in the domain (what good would it do? <rhetorical>).  So how to get past this hurdle?  
If you open the guest account, you're concerned about...what?  That they'll use it, or that if it gets into the hands of someone else, it will be compromised?  You don't want to create a separate account as this is a security risk...why?  When you say 'people leave which is potentially often' - do you mean your concern becomes that they'll take the laptop and run?

I don't think either of your suggestions would do it.  I think you'd be better off implementing the accounts with a "password never expires", but yet account does expire after say, 90 days.  They would be required to bring it in every 90 days to have you reset it in order to keep it running.  But - if you're concerned about theft - There's not much in wiping a hard drive and starting over, let alone picking up a PCMCIA NIC or modem from ebay...

Have I traveled too far down the wrong path here or what?

Author Comment

ID: 10676265
No they don't ever go on the network *UNLESS* we need to cache their profile.

Author Comment

ID: 10676356
Sorry I don't seem to have made myself very clear.  Let's try again.

The laptops would not normally go on the network; there is no need to, they are generally used for just word processing.  We currently make them bring in the laptop to us, we connect it to the network, they log on, their account is cached - bingo.  Yes we could add them as a local user, but for pool laptops where you could technically have 50/60 people logging on, we can't have 50/60 local users; that would be a waste of resources.

The problem with guest account and generic accounts is

a) Someone with enough nous could do damage and hack.

b) There is no accountability if a generic/guest account is used.  You then get into the realms of Data Protection problems.

The problem of it being stolen is not really an issue, because if they do, they won't need the username and password.

Also bringing the laptops in every 90 days is a huge administration problem, we are talking about 1000+ laptops.  And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

Maybe we're just asking too much.

Expert Comment

ID: 10676429

If I get this right, the user does not have any means to connect to the network, he has to bring the laptop to you for his first log on?

So when you say:
And you'll still have the same problem of the users forgetting to do this getting home and not being able to get onto the laptop.

You mean that the users forget to bring you the laptop to log on?

To cache a profile, yes this is the only way I know of..... Still kinda confused though....

Are we talking about 50 people who all have separate profiles, storing data on ONE laptop?

A pooled laptop for that many people can not be used to store their data as well? And what do they do when they return the laptop?

I really don't see the security risk on a shared laptop as I don't see 50 users with all their data on the same laptop........

Please correct me if I'm way off....

LVL 67

Expert Comment

ID: 10676562
I, personally, think you're reaching here.  That's a LOT of people to share a laptop...
If accountability is the problem -why not allow them dial-in/network access?  Just drop a policy locally that prevents Internet access, if that's your concern...

Author Comment

ID: 10676649
Yes we are talking *potentially* 50 people, it's pooled laptops from a department so anyone can use the laptop.  You only need two people to use the same laptop before you run into Data Protection problems if they can both access the same data.

The thing is if they are logging on locally they have to put the data on the laptop.  Yes it gets transferred to a floppy before they can use it back at their desk, but how many 'users' do you know that do good housekeeping and clean up after themselves.

But this still comes back to how do we authenticate that someone is for real without having a cached profile.  Yes generic passwords/accs work but are not the most secure.
LVL 12

Expert Comment

ID: 10681215
Cached Logon Information is written in the registry.

But that's not all of it - to figure out what's really written when doing a cached logon, save a reg file before doing a cached logon and after doing a cached logon. Probably also something in HKCU and HKUS.

If you can find out what to change in a reg file from HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\... or wherever cached logon writes, then make the reg file and send it to the computer 20 miles away from you.

It can't be audited by regmon, but maybe placing it in HKLM\Software\Microsoft\Windows\Current Version\Run might help.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

LVL 38

Expert Comment

by:Rich Rumble
ID: 10698315
So, you have these LT's joined to a domain or AD, so that is why you need to cache the logons. You want to be able to keep everyone's settings and files separated with permissions, and also have accountability with the event logs, so each user should have their own account on the LT's; that way you can keep their files separate, and the event logs will document who is doing what when.

I say, let them be stand-alone, in a workgroup; you can script adding as many users as you want to each laptop, all in the "Users" group on the LT's. That will lock them down quite a bit, and they will not be able to view each other's My Documents folders etc... When you set the users up on the LT with a script, all with the same pass, you can have it place the check mark for "user must change pass at next logon" so that no one can view the others' accounts because the pass will then need to be changed. I'm sure your users can remember 2 passwords, because if they get a different laptop next week that they haven't signed on to, they will need to use the default pass, then change it to their standard password.

Scripting can be done with the "net user" and "net accounts" commands; by default, change pass at next logon is already turned on I believe.
M$ scripting page has lots of stuff that can be modified to do this also:
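
One way to script the provisioning described in the answer above, as an added example that is not code from the thread or from any of its posters: a WSH/ADSI script using the WinNT provider (available on Windows 2000) that creates each pooled-laptop user with a shared default password, flags the password as expired so it must be changed at first logon, and places the account in the local Users group only. The usernames and the default password are constructed placeholders.

```vbscript
' Added example (not from the thread): provision local accounts on a
' stand-alone Windows 2000 laptop so each person has their own login.
' Usernames and the default password below are constructed placeholders.
Option Explicit

Dim objNet, computerName, defaultPass, users, i
Dim objComputer, objGroup

Set objNet = CreateObject("WScript.Network")
computerName = objNet.ComputerName
defaultPass = "ChangeMe-2004!"               ' placeholder; rotate per batch
users = Array("jsmith", "akhan", "mlee")     ' constructed sample list

' Bind to the local machine and to its built-in Users group
Set objComputer = GetObject("WinNT://" & computerName & ",computer")
Set objGroup = GetObject("WinNT://" & computerName & "/Users,group")

For i = 0 To UBound(users)
    CreateLocalUser objComputer, objGroup, users(i), defaultPass
Next

Sub CreateLocalUser(objComputer, objGroup, userName, password)
    Dim objUser
    On Error Resume Next
    Set objUser = objComputer.Create("user", userName)
    objUser.SetInfo                          ' commit; fails if user exists
    If Err.Number <> 0 Then
        WScript.Echo "Skipping " & userName & ": " & Err.Description
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    objUser.SetPassword password
    objUser.FullName = userName
    objUser.SetInfo

    ' Expire the shared default immediately: "user must change password
    ' at next logon", so no one can log on as someone else with it later
    objUser.Put "PasswordExpired", 1
    objUser.SetInfo

    ' Least privilege: member of Users only, never Administrators/Power Users
    If Not objGroup.IsMember(objUser.ADsPath) Then
        objGroup.Add objUser.ADsPath
    End If
    WScript.Echo "Created " & userName & " (password change required)"
End Sub
```

Run it as a local administrator with `cscript //nologo addusers.vbs`; re-running is safe because existing accounts are skipped rather than reset.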

Accepted Solution

CetusMOD earned 0 total points
ID: 11468861
PAQed - no points refunded (of 250)

Community Support Moderator
