Environment: Windows Server 2003 SBS - Windows XP
Hi,
Users seem to be able to log on without the presence of the DC. I know there is an option somewhere in Domain Security Policy to deny this but cannot remember exactly.
Does anyone know how to prevent logon without authentication from the DC?
Much appreciated

I think we might be getting confused.
Logon to what? Domain user at xp? Do you mean local users?
Playing to the angels
Les Paul (1915-2009)

Sorry, I'll try and be a bit clearer.
Under normal circumstances we log on to the domain from an XP workstation.
However, if I unplug the network cable, the machine will still log on to a domain user account. It creates a temporary local profile for the user.
I feel this is a security breach and want to prevent it. It can be done from the DC in Domain Security Policy. I have done it before but am really struggling to find it.

"if I unplug the network cable"
"I feel this is a security breach and want to prevent it."
How can this be a security breach if they are just logging on with a temp local profile and not connected to the domain?
Do they have access to domain resources? No.
Can they do local work and still be productive if the server is unavailable? Yes.
How are you defining security?

This post wasn't querying my definition of security.
I was asking how to prevent users logging on with a temp. local profile.
Clearly no one knows.

Seen lots of misconceptions concerning security. Might want to consider what the results are if you lose your DC.
This should address your issue.

I think if the users have already logged onto this machine, they will be able to log on again even without connectivity. It is just using the settings that they already have saved in Documents and Settings on the computer. If you have a user that has never logged onto this box before, they should not be able to log in, as they would not be able to be "authenticated" as needed to be via GPOs. If I am mistaken and you are still seeing this, let me know; there might be a different issue. But one other thing you could try is refreshing the GPOs so that it has the correct policies in place.

To prevent logon when the Domain Controller is not present, enter Domain Security Policy.
Under Local Policies, select Security Options.
Change - Interactive logon: Number of previous logons in cache to '0'.
Users now cannot logon without the presence of a DC.
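
Added example, not part of the original thread: a PowerShell check to run on a workstation to confirm that the policy above has actually been applied. It reads the `CachedLogonsCount` registry value under the Winlogon key, which is where this policy is stored. The function name `Get-CachedLogonSetting` is hypothetical, and the script assumes PowerShell is installed on the machine being checked.

```powershell
# Added example: audit the "Interactive logon: Number of previous logons
# to cache" setting on a domain workstation.
# Assumption: PowerShell is installed on the machine being checked.
function Get-CachedLogonSetting {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $count  = 10                           # Windows default when the value is not set
    $source = 'default (value not set)'

    $item = Get-ItemProperty -Path $KeyPath -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        # The value is stored as a string (REG_SZ), so parse it explicitly.
        $parsed = 0
        if ([int]::TryParse([string]$item.CachedLogonsCount, [ref]$parsed)) {
            $count  = $parsed
            $source = 'registry'
        }
        else {
            # This script's own choice: treat an unreadable value as "caching on"
            # so that the machine is flagged for review.
            $source = "unparseable value '$($item.CachedLogonsCount)', default assumed"
        }
    }

    New-Object PSObject -Property @{
        CachedLogonsCount          = $count
        Source                     = $source
        OfflineDomainLogonPossible = ($count -gt 0)
    }
}

$result = Get-CachedLogonSetting
$result | Format-List CachedLogonsCount, Source, OfflineDomainLogonPossible

if ($result.OfflineDomainLogonPossible) {
    Write-Warning 'Cached domain logons are enabled: users can log on without a DC.'
}
else {
    Write-Output 'Cached domain logons are disabled: a DC is required at logon.'
}
```

Run it after the workstation has refreshed Group Policy (for example with `gpupdate /force`), since the new value only appears in the registry once the policy has been applied.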
