That cable trick...
The little :censored: have worked out how to hack logging onto our machines. They start logging on, then pull the network lead out during 'applying computer settings'. They then get full local admin permissions on the machine, and somehow get pointed to the unfiltered proxy address we use.
We are trying to set up some sort of scheduled task to point to a local batch file on each machine that just logs the user off, if say a mapped drive is not found...
Has anyone else got this or found a way to stop the little :censored:, as the profile loads okay, so the logon continues.
There's a GPO that lets you completely prevent log on if there's no network present.
Have you tried the group policy option:
Computer Config > Administrative Templates > System > User Profiles : Log Users off when Roaming profile fails
Computer Config > Administrative Templates > System > User Profiles : Wait for Remote User Profile
They may be able to help.
We use mandatory profiles, (which load quickly) and seem to be loading okay. It's more the permissions and gp settings and logon scripts for the users which don't work correctly (including our redirected desktop/startmenu).
I have the logoff if no profile present working okay, but the gits are waiting till the profile has just about loaded.
Will look into the logoff if no network present gp, but I am not sure it will apply properly.
Or you could take the gateway out of the DHCP options. Takes away 99.99999999999999% of the reasons for wanting to be on as a local admin. I can't remember the last time we had a kid try to "hack" the computers/bypass security/etc.
Even with proxies and filtering kids could still use something like this...
I solved this problem before by requiring the machine policies to be complete before allowing logon, waiting for the user's profile always, and disallowing access based on a roaming profile or cached login. Don't remember the exact GPO sections but I'm sure you can find them.
Thanks for all the help chaps..
We eventually came to a solution, using a registry hack, (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run...)
and adding an entry to a local bat file which we copy across the network at machine startup.
This reg hack also helps clean out the intel tray icon, and any other sh1t you don't need!
The batch file contains a simple check for a file existing on a mapped network drive at logon, (which if they pull the plug) doesn't get mapped, so the batch file calls logoff...
Can't wait for this to pan out!
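
The check described in the thread's final solution (a Run-key entry that starts a local batch file, which logs the user off when a file on a mapped drive is missing), written out as an added example that is not the poster's own file. The drive letter `N:`, the marker file `logon.ok`, the script path `C:\Scripts\netcheck.bat` and the value name `NetCheck` are all assumptions.

```bat
@echo off
rem netcheck.bat - added example, not the original poster's batch file.
rem Hypothetical names: drive N:, marker file N:\logon.ok.
rem
rem One-time registration from an elevated prompt
rem (value name and script path are assumptions):
rem   reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v NetCheck /t REG_SZ /d "C:\Scripts\netcheck.bat" /f

setlocal
set "MARKER=N:\logon.ok"
set /a TRIES=0

:check
rem The marker only exists if the logon script mapped the drive.
if exist "%MARKER%" goto ok

rem Allow a slow logon script a few retries before giving up.
rem A longer window is kinder to slow links but leaves the session open longer.
set /a TRIES+=1
if %TRIES% GEQ 6 goto fail

rem Wait roughly 5 seconds; loopback ping works with the cable unplugged.
ping -n 6 127.0.0.1 >nul
goto check

:ok
endlocal
exit /b 0

:fail
rem Marker never appeared: the drive was not mapped, so end the session.
endlocal
logoff
```

The check runs in the session of the user who is logging on, so the Run value and the local copy of the batch file need ACLs that stop that user from changing them.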