PaulDotCom mailing list archives
Re: local windows accounts
From: "Ty Purcell" <TPurcell () ffin com>
Date: Fri, 20 May 2011 15:49:06 -0500
Matthew,

Preventing users from creating local accounts:

1. Don't make their domain user accounts members of the local administrators group.
2. I believe with Group Policy you can create accounts and set the passwords on the new account or existing accounts. (I haven't tested this, though.)

If they really need a local admin level account, a compromise might be to give them a highly restricted local admin account with which they can install software and change settings - but no internet, LAN resources, etc.

Ty

----- Original Message -----
From: Matthew Perry [mailto:mlperry () gmail com]
Sent: Friday, May 20, 2011 01:06 PM
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Subject: Re: [Pauldotcom] local windows accounts

"Personal preference and credential compartmentalization" was the answer I got. My issue is getting management to back me right now. Also, is there a group policy setting to keep users from creating local accounts?

On Friday, May 20, 2011, Joel Esler <joel.esler () me com> wrote:

Ask them why. Then report back. Most likely they don't need what they are asking.

On May 20, 2011, at 1:24 PM, Matthew Perry wrote:

I have a few users who insist that they need a local account on their domain laptops. I am trying to explain to them that their password will cache and allow them to log in while not on the network. It also looks like local accounts bypass a lot of our group policy rules that we have put in place, and I do not want to have to manage local policies as well. Can anyone give me some more good reasons why it is bad to use a local account instead of a domain account?

Thanks!

--
Matthew Perry
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Matthew Perry

Current thread:
- local windows accounts Matthew Perry (May 20)
- Re: local windows accounts ad^2 (May 20)
- Re: local windows accounts Joel Esler (May 20)
- Re: local windows accounts Matthew Perry (May 20)
- Re: local windows accounts craig bowser (May 20)
- Re: local windows accounts craig bowser (May 20)
- Re: local windows accounts Matthew Perry (May 20)
- Re: local windows accounts Ben Jackson (May 21)
- Re: local windows accounts Michael Lubinski (May 21)
- Re: local windows accounts Ralph Durkee (May 21)
- Re: local windows accounts Matthew Perry (May 20)
- Re: local windows accounts Ty Purcell (May 20)
- Re: local windows accounts Brian Erdelyi (May 21)