Hello people. I am a security analyst from a computer security solution company. I am handling a project where an enterprise of 50 to 100 employees requires an Active Directory to maintain their staff in the LAN network. So my team and I have deployed an Active Directory for that enterprise and all the PCs and laptops have been configured to join the AD. But the problem arises as there will be 2 login options for the users. One being the localhost or localadmin login which they were using before and another one is the AD login option. However some of the users (actually almost 99% of them) are stubborn and don't want to use the AD account because the password complexity is high, which requires caps, small, numeric and special characters. So they continue to use their localhost login option to do their daily routine. I need to find a solution for this and I am almost out of ideas while thinking about this. My question is, is there any way to force or make the employees log in with the AD account every time they are in the office? Hope to get a very good reply for this problem. A solution which would not cost any expenses if possible. Hope to see replies very soon. Thanks guys. Really appreciate your time.


Hello. There are several ways to handle this. One is to simply use a group policy object (GPO) to reset the local administrator password for the computers in the domain. If the users no longer have the local admin password, they will not be able to log on to their computers with it.

Of course, in addition to any technical solution that is implemented, you need to define a corporate/organizational security policy that dictates that the use of the local admin account is prohibited and only allowed under certain conditions.

Aside from changing the password, on Windows 7 computers, the account can be easily disabled as well.
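An added example, not part of the original thread: a PowerShell script that audits the local (non-domain) accounts on a domain-joined machine and, when run with the assumed `-DisableBuiltinAdmin` switch, disables the built-in Administrator account, which is the "easily disabled" step mentioned above. It uses the WinNT ADSI provider so it does not depend on newer cmdlets, and assumes it is run elevated on a company-owned machine (not a BYOD device).

```powershell
# Added example (not from the thread): list local accounts and optionally
# disable the built-in Administrator so staff have to use their AD login.
# Assumes it runs elevated on a company-owned, domain-joined machine.
param([switch]$DisableBuiltinAdmin)

$ADS_UF_ACCOUNTDISABLE = 0x2      # UserFlags bit meaning "account disabled"
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

$report = foreach ($acct in $computer.Children) {
    if ($acct.SchemaClassName -ne 'user') { continue }

    # Match the built-in Administrator by its RID (500), not by name,
    # because the account may have been renamed.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($acct.objectSid.Value, 0)
    $isBuiltinAdmin = $sid.Value -match '-500$'
    $flags = [int]$acct.UserFlags.Value
    $isDisabled = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0

    if ($isBuiltinAdmin -and $DisableBuiltinAdmin -and -not $isDisabled) {
        $acct.Put('UserFlags', ($flags -bor $ADS_UF_ACCOUNTDISABLE))
        $acct.SetInfo()
        $isDisabled = $true
    }

    New-Object PSObject -Property @{
        Name         = [string]$acct.Name.Value
        SID          = $sid.Value
        BuiltinAdmin = $isBuiltinAdmin
        Disabled     = $isDisabled
    }
}

# Every enabled local account other than the built-in Administrator is another
# way for a user to avoid the AD login, so list them all for follow-up.
$report | Sort-Object Name | Format-Table Name, SID, BuiltinAdmin, Disabled -AutoSize
```

Run it without the switch first to see which local accounts are still enabled on each machine before changing anything.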


Hello Jorge. Thank you for your wonderful advice. I will try to implement that method and see, because not all of the employees are using company machines. Some of them are using their own. So it will be very wrong if we reset their own computer's password. I will see how it goes and post you if there is anything else. Thank you very much Jorge. Your reply is very meaningful to me. :)


Hello Jorge. I have been thinking maybe the solution you told me might be good for desktop PCs in the office. But how about laptop users who are using the company's laptop and bring that particular machine back home? Would they be able to connect to the Internet connection at home? Is it possible? Please educate me on this. Or is there any other solution for laptops and mobile devices? As you know B.Y.O.D is increasing nowadays and I am dealing with that kind of situation now in the organization. Hoping for a reply from you. Thanks Jorge.


So the mobile devices generally cause problems for organizations. Some of the organizations that I have dealt with that have stricter policies do well. For example, if you want to allow users to interact with the network using a mobile device, the corporate policy requires that it be done with a company-owned laptop. A user that has been issued a laptop has the desktop removed. This ensures that employees use the laptop while away from the office and routinely bring the mobile device into the network. While the user is away, the user connects to the network via a remote connection such as VPN. Of course, this solution is more expensive but has greater control over the mobile assets.

Now, BYOD is on the increase and organizations have a love/hate relationship with this. They love it because they do not have to purchase devices for the employee. They hate it because they ultimately lose control over the company data. How do you manage this? With laptops, it's very difficult because a laptop is a mobile computer. With smart phones and smart tablets (iPad), it's easier because there are mobile device management (MDM) solutions out there, such as Good Technologies. Good provides an app for these types of devices which separates the personal from the corporate data. When a user wants to connect to corporate resources, the user launches the app. The app makes a secure connection back to the corporate network and the user can then access corporate mail, calendar, secure intranet browser, etc. For this reason, there has been a shift in the direction of using these types of devices over the traditional laptop.

If you continue down the path of laptops, you may be interested in keeping an eye on Windows 8. One of the new features will be the ability to have mobile users boot off of a USB stick which creates a secure session back to the corporate office, which is similar to the "Good" MDM solution.

Yes, mobile users can connect back to the corporate office if you have a remote access infrastructure in place. The most common remote access solution is a type of VPN solution. Windows Server supports VPN, as do other operating systems. There are free open source VPN solutions out there as well as some that you can buy from vendors as an appliance. For really small networks (less than 50 users), there are smaller consumer-based devices you can buy for a VPN/firewall solution.


With laptops on a domain, the user can still sign into the domain using 'cached user credentials'. So once the user signs into the domain and the profile is created in the Users folder, you can unplug the laptop from the domain, reboot, and at the sign-on screen you can still auth against the domain because the credentials are remembered.

When in the field, the laptop has no communication with the domain, so if an admin disables an account or resets a PW, this has no impact on the laptop until it returns and plugs back into the domain.

The laptop has to connect to the domain once every 30 days otherwise the computer account goes out of sync with the domain.

I do this all the time for my company's mobile workforce.

You can also use a VPN solution like Cisco AnyConnect that offers a 'start before logon', so that a VPN connection to the office is established before the GINA and you auth against the domain over the VPN connection.
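An added example, not from the original thread: a PowerShell check for the settings behind the cached-credential and 30-day behaviour the reply above describes on a domain-joined laptop. It reads the `CachedLogonsCount` value that backs the "Interactive logon: Number of previous logons to cache" policy and the Netlogon `MaximumPasswordAge` machine-account password interval, and tests whether a domain controller is currently reachable. It assumes it is run on the laptop itself, with the defaults shown used only when a value is absent from the registry.

```powershell
# Added example (not from the thread): report the cached-logon and
# machine-account settings that decide how a laptop behaves off the domain.
# Assumes it runs on the domain-joined laptop being checked.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$netlogon = 'HKLM:\SYSTEM\CurrentControlCurrentControlSet\Services\Netlogon\Parameters' -replace 'CurrentControlCurrentControlSet', 'CurrentControlSet'

# Number of distinct domain users who can still sign in with no DC reachable.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent

# Interval (days) at which the machine account password is rotated; 30 by default.
$maxAge = (Get-ItemProperty -Path $netlogon -Name MaximumPasswordAge `
           -ErrorAction SilentlyContinue).MaximumPasswordAge
if ($null -eq $maxAge) { $maxAge = 30 }

# Non-zero means machine account password changes have been switched off.
$changeOff = (Get-ItemProperty -Path $netlogon -Name DisablePasswordChange `
              -ErrorAction SilentlyContinue).DisablePasswordChange

# Test-ComputerSecureChannel needs a reachable domain controller, so a failure
# on a laptop that is out in the field is expected rather than a broken trust.
$secureChannelOk = $false
try { $secureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { }

New-Object PSObject -Property @{
    CachedLogonsCount          = [int]$cached
    MachinePasswordAgeDays     = [int]$maxAge
    MachinePasswordChangeOff   = ($changeOff -eq 1)
    DomainControllerReachable  = $secureChannelOk
}
```

A `CachedLogonsCount` of 0 is what stops domain sign-in without a DC, so if you rely on cached credentials for field laptops, confirm it has not been set to 0 by policy.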

