+ Post New Thread
Results 1 to 10 of 10
Windows Thread, Kids Avoiding Logon Policy Settings in Technical; We've just found out kids in the school are avoiding logon settings and getting unrestricted internet acess by logging onto ...
  1. #1

    Join Date
    Jun 2009
    Posts
    372
    Thank Post
    14
    Thanked 3 Times in 3 Posts
    Rep Power
    20

    Kids Avoiding Logon Policy Settings

    We've just found out kids in the school are avoiding logon settings and getting unrestricted internet acess by logging onto the computer so a local profile is created, logging off then unplugging the network cable, logging on to be told their roaming profile is not available but instead a local profile will be used. Then once logged on the cable goes back in and suddenly they can load up IE and have access to the connections tab where they can see the proxy settings, can create and delete files on the C: drive but fortunately not delete existing files.

    So has anyone come across this before and can suggest the best way to combat it? We are thinknig have delprof to delete all local profiles at log off, setting policy refresh to something like every 1 or 2 minutes, or some kind of thing to stop logon if no active network connection is detected?

    Any suggestiong would be welcomed!

  2. #2


    Join Date
    Jul 2007
    Location
    Rural heck
    Posts
    2,662
    Thank Post
    120
    Thanked 434 Times in 353 Posts
    Rep Power
    126

  3. #3

    Join Date
    Apr 2009
    Posts
    123
    Thank Post
    10
    Thanked 5 Times in 5 Posts
    Rep Power
    0
    Usually, a GPO setting on the roaming profiles section to stop the logon process if an error occurs will work how you want it.

    In the machine policy section under user administrative...system...user profiles...
    'Log users off when roaming profile fails'

  4. #4

    Join Date
    Feb 2006
    Location
    Dorset/Hants
    Posts
    87
    Thank Post
    2
    Thanked 13 Times in 10 Posts
    Rep Power
    20
    Quote Originally Posted by farquea View Post
    We've just found out kids in the school are avoiding logon settings and getting unrestricted internet acess by logging onto the computer so a local profile is created
    Do you use mandatory profiles ?

    It's going back along way but I'm sure that if you have a mandatory profile NTUser.man inside a folder whose name ends in .man, then a user cannot logon without their profile being read from the network.

    Ah, found a reference, look for super-mandatory profiles - [ame="http://en.wikipedia.org/wiki/Roaming_user_profile"]link[/ame].

    tim

  5. #5
    Jon
    Jon is offline
    Jon's Avatar
    Join Date
    May 2006
    Location
    Norfolk
    Posts
    324
    Thank Post
    32
    Thanked 51 Times in 41 Posts
    Rep Power
    22
    On your router block access to port 80 for everything other than you poxy server.

    That way if your proxy server is bypassed no internet access will be allowed.

  6. #6

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,755
    Thank Post
    825
    Thanked 1,661 Times in 1,446 Posts
    Blog Entries
    11
    Rep Power
    441
    Quote Originally Posted by Jon View Post
    On your router block access to port 80 for everything other than you poxy server.

    That way if your proxy server is bypassed no internet access will be allowed.
    I agree this is the way forward. Also we use a script to detect if the group policy has been bypassed. The group policy settings dont always work depending on when the cable is unplugged.

    We set a wallpaper for all users. All the script does is it runs from the local machine and looks to see if the wallpaper settings have been set in the registry.

  7. #7

    matt40k's Avatar
    Join Date
    Jun 2008
    Location
    Ipswich
    Posts
    4,335
    Thank Post
    367
    Thanked 619 Times in 506 Posts
    Rep Power
    155
    Quote Originally Posted by FN-GM View Post
    I agree this is the way forward. Also we use a script to detect if the group policy has been bypassed. The group policy settings dont always work depending on when the cable is unplugged.

    We set a wallpaper for all users. All the script does is it runs from the local machine and looks to see if the wallpaper settings have been set in the registry.
    Why don't you just see if the proxy settings have been set?
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings]


    Problem with Jon idea is what happens if the proxy server dies? How would staff, for example, get onto the internet to download the exams results. It is however, the only 100% sure they'll go though the proxy server.

  8. #8

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,755
    Thank Post
    825
    Thanked 1,661 Times in 1,446 Posts
    Blog Entries
    11
    Rep Power
    441
    Quote Originally Posted by matt40k View Post
    Why don't you just see if the proxy settings have been set?
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings]


    Problem with Jon idea is what happens if the proxy server dies? How would staff, for example, get onto the internet to download the exams results. It is however, the only 100% sure they'll go though the proxy server.
    The proxy settings also lie in the defualt profile. So it wouldn't work on our system.

    On our system if the proxy server goes down no user gets internet access.

  9. #9

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,228
    Thank Post
    239
    Thanked 1,562 Times in 1,246 Posts
    Rep Power
    339
    I agree with ICTSM's method. This'll stop them using this technique, if you use roaming profiles of course

  10. #10

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,037
    Thank Post
    209
    Thanked 425 Times in 306 Posts
    Rep Power
    144
    Also if you set the 'delete profiles at logoff' option (can't tell you where it is off hand) and make sure that the number of cached logins to be saved is set to zero on the security settings, this will stop them from logging in without the network cable plugged in even if they have just logged in a few seconds ago, they'll be no details saved.

    It's an old trick that students have been using for years in the schools I've worked in. We have a super mandatory profile on our new network (going live from september) which won't let them login unless the network is connected. Changing to mandatory profiles is surprisingly easy and I recommend it for anyone running a vanilla type windows network.

    Mike.

SHARE:
+ Post New Thread

Similar Threads

  1. office settings installing every logon
    By alonebfg in forum Windows
    Replies: 4
    Last Post: 14th November 2007, 02:39 PM
  2. Replies: 2
    Last Post: 12th November 2007, 04:52 PM
  3. Proxy settings not there on second logon.
    By robinhood in forum Learning Network Manager
    Replies: 7
    Last Post: 6th October 2007, 11:14 AM
  4. Outlook Express settings on domain logon
    By Samson in forum Windows
    Replies: 6
    Last Post: 20th March 2007, 08:40 AM
  5. Power Settings on Logon Screen
    By mattpant in forum Windows
    Replies: 19
    Last Post: 15th September 2005, 07:30 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •