Win2k Domain accts vs local computer accts


ThatGuy
November 12th, 2003, 01:13 PM
Hi all,

Just stumbled upon something here at work that totally threw me for a loop. Brought this up to our head SysAdmin, and he told ME to figure it out... lol. I thought we had things on pretty good lockdown here until today. We have a domain here at work, let's just call it DOMAIN. All computers and users are joined to DOMAIN with specific passwords for each account.

We have a few laptops here that our salesmen use here and away from the office. So they also have the option (when away from the office) to still log into the computer (but locally on the machine, not to DOMAIN.) For simplicity, we have them using the same password (hey they are in sales). ::)

Long story short... sorry.
I had a sales laptop here, plugged it into our network, logged in locally on the machine, not DOMAIN. I was still however able to access mapped drives on my Domain Controllers via UNC name\share.

Isn't this the whole point of having a secured win2k domain? Or is it just because of the passwords being the same as they log in locally instead of onto the domain?
Any ideas how I can make them only access the stuff on the domain ONLY when they are logged into the domain? There has to be something else instead of giving them a new local password?

Thanks in advance for help

LowWaterMark
November 14th, 2003, 01:47 AM
It'd be easy enough to test your domain security... On one of those laptops running standalone, create a test user ID that does not exist on the domain. Shut it down, plug into the LAN, boot and log in to that local account on the laptop and see if you still get access to domain resources. You shouldn't be able to under these conditions.

ThatGuy
November 14th, 2003, 07:52 AM
Well, I think it is just due to the SID for the acct. It is checking that auth on the dc, and letting it pass by.. there has to be something to tighten that up.

For now I just made the laptops have 2 different profiles on startup.

I have to keep looking! Thanks for the insight.
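
A simplified model of the situation discussed in this thread, added here as an illustration and not posted by any participant: it compares a local logon that reuses the domain user name and password with the test account LowWaterMark suggests. It assumes the server ignores a logon domain it does not recognise (the laptop's own name) and looks the user name up in its own account database; HMAC-SHA256 stands in for the real NTLM hashing, and the account names, machine name and passwords are constructed.

```python
import hashlib, hmac, os

DOMAIN = "DOMAIN"  # domain name used in the thread

def pw_hash(password):
    # Stand-in for the stored password hash (real NTLM uses MD4 of the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def response(password, challenge):
    # Client proves knowledge of the password by keying a MAC over the server challenge.
    return hmac.new(pw_hash(password), challenge, hashlib.sha256).digest()

class Server:
    """Model of a domain controller validating a network logon."""
    def __init__(self, domain_accounts):
        self.accounts = {u.lower(): pw_hash(p) for u, p in domain_accounts.items()}

    def challenge(self):
        return os.urandom(8)

    def logon(self, supplied_domain, user, challenge, resp):
        # Assumption: an unrecognised logon domain (the laptop's name) is ignored and
        # the user name is looked up in the server's own account database.
        stored = self.accounts.get(user.lower())
        if stored is None:
            return "denied: no such account"
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, resp):
            by_domain = supplied_domain.upper() == DOMAIN
            return "granted: " + ("domain logon" if by_domain else "matched by name and password")
        return "denied: bad password"

def try_share(server, logged_on_domain, user, password):
    # The client silently offers the credentials of the interactive session.
    c = server.challenge()
    return server.logon(logged_on_domain, user, c, response(password, c))

dc = Server({"jsales": "Spring2003!"})  # constructed domain account

def run_cases():
    return {
        "local, same name and password": try_share(dc, "LAPTOP7", "jsales", "Spring2003!"),
        "local test user not on domain": try_share(dc, "LAPTOP7", "lwmtest", "Whatever1"),
        "local, same name, new password": try_share(dc, "LAPTOP7", "jsales", "LocalOnly#9"),
        "logged on to the domain": try_share(dc, DOMAIN, "jsales", "Spring2003!"),
    }

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case:32} -> {result}")
```

Under this model only the local account that shares both name and password with a domain account reaches the share, which is the distinction the suggested test account is meant to expose.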
