

No matter how many times we tell people to "save your files to the server", someone inevitably does not. In my case I had a CEO who HAD to use their personal laptop to do work, had work files, personal files, pictures and who knows what else on that laptop, and somehow managed to hose things up to where he could not log on.

First words out of my mouth were "did you save the work files to the server?" I got an "I don't know if they are all there". Next words out of my mouth were "I'm going to have to rebuild your laptop, did you have these files backed up? The process will erase the hard drive." "THAT'S NOT AN OPTION!" I would have loved to slave the HDD, pull the files and then image it, but the HDD was encrypted. Needless to say, CEO wins.

G33kp0w3r, I think I can agree with you about not having the "back door" entry, but at the same time, we are the same people that go looking for those back doors to make life easier, and if they were not there we would be cursing up a storm that we couldn't do it.

Thanks for the catch on the restart Lizhlbg, I thought I had that in there already but yep, you're right, it was missing. It's not a neat solution to the problem, but I've come to find that people eventually get tired of road blocks and can be "persuaded" into submission LOL. GPOs that have password policies configured and which are linked to OUs will affect only local user accounts for machines in that OU, so users who try to use their old local user accounts will have to frequently change their passwords, and one would expect they would get tired of changing or bypassing the restrictions.

So one solution could be to build a GPO to disable all the local user accounts from each workstation that has them, and maybe use the GPO "Deny log on locally" (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) to prevent anyone except domain users from logging on to desktop computers targeted by such a policy. The "Log On Locally" approach should be tested on a test network beforehand. Another approach could be to turn off USB ports and CD/DVD drives from the BIOS, along with adding an admin-only password if your BIOS supports such. Finally, configure a password policy for your OU so that users using local user accounts have to enter a long (like the max 255), complex password, they have to change it every day, and enforce password history using its maximum value to prevent them from re-using their old passwords. You might push a script to remove all local user accounts at startup.
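As an added example of the "push a script at startup" idea (not code from anyone in this thread), the following GPO computer-startup script disables, rather than deletes, every local user account except the built-in ones and an explicit allowlist, and logs what it did. It assumes Windows 10/Server 2016 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets); the allowlist entry and log path are placeholders to adjust.

```powershell
# Added example: GPO computer-startup script that disables non-built-in local accounts.
# Disabling (not deleting) keeps the profile on disk so files can still be recovered
# by a domain admin later, which matters given the CEO story above.
# Assumes Windows 10 / Server 2016+ with the Microsoft.PowerShell.LocalAccounts module.

# Placeholder: a documented break-glass account you intend to keep, if any.
$Allowlist = @('LocalBreakGlass')

# Placeholder log location; a central share or event log would work as well.
$LogPath = Join-Path $env:ProgramData 'DisableLocalUsers.log'

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

foreach ($user in Get-LocalUser) {
    # Built-in accounts carry well-known RIDs: 500 = Administrator, 501 = Guest,
    # 503 = DefaultAccount, 504 = WDAGUtilityAccount. Leave those alone and let
    # the existing "Accounts: Administrator account status" policy govern them.
    $rid = [int]($user.SID.Value -split '-')[-1]
    if ($rid -in 500, 501, 503, 504) { continue }
    if ($Allowlist -contains $user.Name) { continue }

    if ($user.Enabled) {
        try {
            Disable-LocalUser -Name $user.Name -ErrorAction Stop
            Write-Log "Disabled local account '$($user.Name)' ($($user.SID.Value))"
        } catch {
            Write-Log "FAILED to disable '$($user.Name)': $($_.Exception.Message)"
        }
    }
}
```

Deploy it under Computer Configuration\Policies\Windows Settings\Scripts (Startup) so it runs as SYSTEM before anyone logs on, and review the log on a test OU first, since any account recreated between boots stays usable until the next restart.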
Personally my thoughts were if you can't get in then it's probably a good time for a rebuild anyway, but looking at M$ as if I were on the inside, I guess it comes down to "you're damned if you do and you're damned if you don't". What if you take that "flaw" out and there is a computer owner change or an administrator change where the new person does not have the information to get into an administrator-level account? Then they are forced to rebuild/reimage the device for something that could have been fixed easily if they had a way to gain entry. The "flaw" was designed to need an OS disk, which not many people are just carrying around.
I've been doing beta tests for M$ products for some time, and questions just like yours I've brought up along with other beta testers. Some of the responses I've seen have had me go hmmmmm. What we see as a flaw, like this security nuance, has some at M$ looking at it as. It's a good question.
