- Differences between Windows XP Pro and Windows 2000 Pro Account Logon Time Restriction and Locked workstation
- Posted by ttpringle@gmail.com on November 18th, 2005
Our Network Environment: Windows Server 2003 Active Directory domain
with a mix of Windows 2000 Pro and Windows XP Pro client computers.
All end users have domain accounts, no local client computer accounts.
Our Domain account/Desktop Computer Policy: Any end-user whose
computer is primarily a desktop is restricted from logging in or
accessing network resources between 12 am and 5:00 am. This restriction
is enforced in the configuration of the particular person's Domain
Account. Success and Failure is logged for all events on the Domain
Controllers (Account Logon/Logoff, Object Access, etc). Each desktop
has network drives mapped to shares on the domain controllers.
Our Problem: Most of these desktop users will "lock" their computers at
night instead of logging out.
For each end-user with a Windows XP desktop who locks his/her computer,
Time restriction events are logged all night. The pattern for each end
user is, 12 time restriction events are logged in 1 minute, all is
quiet for that particular end-user up to 3 hours, then another 12 time
restriction events are logged, repeat until 5:00 am passes. Group
Policy processing maybe?
For each end-user with a Windows 2000 desktop who locks his/her
computer, no Time restriction events are logged. I assume these
machines also run through normal Group Policy processing at this time
too. Why no log noise like Windows XP machines?
I would like to know what process on Windows XP desktops is causing
these events to be logged, so I can obliterate it at night and don't
have to sift through the resulting events the next morning in my quest
for actual, useful information (like when a user is really, actually,
physically at his or her computer attempting to log in or access server
resources late at night!).
Thanks for any assistance you can provide.
- Posted by chrispsg on November 21st, 2005
You can force the pc to log off the current user when logon hour
restrictions are met via group policy. This should resolve the events you
are recieving.
psg
<ttpringle@gmail.com> wrote in message
news:1132360028.968580.303700@g49g2000cwa.googlegr oups.com...
- Posted by Todd on November 23rd, 2005
Are you talking about the items "Network security: Force logoff when
logon hours expire" and "Microsoft network server: Disconnect clients
when logon hours expire"?
They don't work despite my using them (even to this day) and I am
guessing this is because the user account has locked and password
protected his/her computer.
So still stuck with my old question, as we migrate more and more users
from Windows 2000 to Windows XP, I am learning that more and more users
lock their computers at night and generate the worthless errors
mentioned above. What is different about Windows XP that it generates
these Logon Time restriction events on our domain controllers. Doesn't
anyone monitor their DC logs and notice these too?
Another person mentioned using the winexit.scr. Can't do that either,
as we already have a group policy that activates the logon.scr with
password protection on all network computers after 15 minutes of
inactivity.
- XP Home logon problem - hidden dialog - Administrator login - account restriction (Microsoft Windows) by Fred Marshall
- windows could not log you on because of an account restriction (Microsoft Windows) by Vijai-novice
- Differences between Windows XP Pro and Windows 2000 Pro RE: Account Logon Time Restriction and Locked workstation (Security & Administration) by Todd Pringle
- differences between windows 2000 and 2003 (Windows Server) by Jagan Mohan Reddy
- Connecting a Windows NT 4.0 Workstation to Windows 2000 Domain without adding the workstation to the Domain (Windows NT) by Sp!d3rm@n
