Security on Laptops - Credential Caching.. local admin not needed?

Experts,

I need to secure a lot of holes in my network. I would like to take away the admin privileges of everyone that has a laptop, but I'm afraid that if they were on the road they would not be able to log on to the machines.

we have an AD infrastructure...

I am a bit unclear about the credential caching feature. Does this let the user log in 0-10 times before it will lock them out completely? What if they are local admin? What if they are not? Regardless, they have to be in the office sometime soon. We also have satellite offices with no DCs; how would the authentication work for those machines?

Basically I want to lock down all the machines as best as possible and prevent unauthorized software installations. This is not a problem for machines that stay in the office, but it concerns me for remote users.

I'm going to set it at:
- 10 logons cached
- password age of 42 days through GP.

Maybe I should just lock down the machines through GP and then put them as local admin?

What are the benefits, if any, of having a user as a local admin?

Sorry if it sounds like I'm rambling, my head is spinning =]
xidx Asked:
Toni Uranjek (Consultant/Trainer) Commented:
If you are trying to secure your environment, users should not have administrator privileges. Cached credentials set to 10 logons cached will cache credentials of 10 different users.

HTH

Toni
xidx (Author) Commented:
So the cached credentials aren't 10 logins total per user per se, but it will cache the credentials of 10 individuals from the domain that logged into the machine, then allow them an unlimited number of logins to the machine when it is off the domain? Obviously when they connect to access network resources it won't work if their passwords have expired, but this would only happen every 42 days, and someone has some explaining to do if they are not in the office at least once every month and a half.

What about satellite offices and expiring passwords/credentials?

Can anyone else verify the above statement?
Toni Uranjek (Consultant/Trainer) Commented:
In which case would your users have the ability to access your network but not domain controllers at the same time? Do your branch offices connect to your domain network?

More info: http://www.windowsitpro.com/articles/print.cfm?articleid=46777
xidx (Author) Commented:
The branch offices have a VPN into our main offices.

I can't think of any time they wouldn't be able to connect to our network and not a DC through the same network in a different office.
Brian Pierce (Photographer) Commented:
I can confirm that by default 10 logins are cached, that is ten different sets of logins for 10 different users. The whole idea of this is that once someone has logged onto the domain and been verified by the domain controller, they will be able to log on to the laptop and access the local resources using their domain user account. This means that users do not need to have domain usernames/passwords when on the domain and local usernames/passwords when not connected to the domain.

You can restrict the number of cached credentials with a group policy. If you make it zero then cached credentials are no longer allowed.

for more info see http://support.microsoft.com/kb/913485
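The setting Brian describes lives in the Winlogon registry key as a REG_SZ value named CachedLogonsCount, which the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" writes. The PowerShell below is an added example, not code from this thread or from Experts Exchange: it reads the current count, optionally sets it, and lists the local Administrators group so that the "local admin not needed?" question can be checked on a real laptop. It assumes an elevated prompt, an English-locale `net` command, and that only the built-in Administrator and the domain's Domain Admins group are expected in the local Administrators group (the `$expected` list is an assumption to adjust).

```powershell
# Added example (not from this thread): audit and set the number of cached
# domain logons, and list who is in the local Administrators group, on the
# machine the script runs on. Assumes an elevated prompt. The registry path
# and value name are the ones the policy "Interactive logon: Number of
# previous logons to cache (in case domain controller is not available)"
# writes to; the value is a REG_SZ string, not a DWORD.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $prop = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 10 }          # value absent: Windows uses its default of 10
    return [int]$prop.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)    # 0 disables caching; 50 is the maximum the policy accepts
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

function Get-LocalAdminMembers {
    # 'net localgroup' works from XP through current builds; Get-LocalGroupMember
    # needs Windows 10 / Server 2016 or later. Output parsing assumes English locale.
    $lines = net localgroup Administrators
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }   # separator line before the member list
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

# --- audit ---
$count = Get-CachedLogonsCount
Write-Host "CachedLogonsCount: $count (distinct domain users whose cached verifier is stored locally)"
if ($count -eq 0) { Write-Host "Caching disabled: domain users cannot log on without reaching a DC." }
if ($count -gt 10) { Write-Warning "More than the default 10 sets of cached credentials are allowed." }

# Assumed baseline: anything beyond these two entries is worth explaining.
$expected = @('Administrator', "$env:USERDOMAIN\Domain Admins")
foreach ($member in Get-LocalAdminMembers) {
    if ($expected -notcontains $member) {
        Write-Warning "Unexpected member of local Administrators: $member"
    }
}

# --- enforce (uncomment to apply on this machine; a domain GPO is the better place for it) ---
# Set-CachedLogonsCount -Count 10
```

Run it as an audit first; the warnings are the laptops where a user was added to local Administrators or where the cache limit has drifted. Setting the value through a GPO rather than the registry keeps it from being changed back by a local admin, which is the point of removing local admin in the first place.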
xidx (Author) Commented:
How would I update credentials for remote users? They would have to VPN in before logging in, right?

Any other easy way? Maybe a "run as" once dialed into the VPN?

I wouldn't want to force users to HAVE to VPN in before booting up the machine if they are not at the office.
Toni Uranjek (Consultant/Trainer) Commented:
What kind of VPN do you use? If you connect through MS VPN, users would be authenticated. AFAIK, "Run as" will not do because the Secondary Logon Service should not cache credentials, but it can use previously cached credentials if you use the /savecred switch from the command line.
xidx (Author) Commented:
We use an MS RAS solution through the server that ties into AD.

I was just curious about the credentials being updated rather than authenticated.
Windows XP