Logon without DC

Microsoft Windows server 2003
October 11, 2009 at 11:03:10
Specs: SBS, Intel Pentium 4, 1GB
Environment: Windows Server 2003 SBS - Windows XP


Users seem to be able to log on without the presence of the DC. I know there is an option somewhere in Domain Security Policy to deny this but cannot remember exactly.

Does anyone know how to prevent users logging on without authentication from the DC?

Much appreciated


October 11, 2009 at 15:53:36
I think we might be getting confused.

Log on to what? Domain user at XP? Do you mean local users?

Playing to the angels
Les Paul (1915-2009)


October 13, 2009 at 11:26:27
Sorry, I'll try and be a bit clearer.

Under normal circumstances we log on to the domain from an XP workstation.

However, if I unplug the network cable, the machine will still log on to a domain user account. It creates a temporary local profile for the user.

I feel this is a security breach and want to prevent it. It can be done from the DC in Domain Security Policy. I have done it before but am really struggling to find it.


October 13, 2009 at 19:33:44
"if I unplug the network cable"

"I feel this is a security breach and want to prevent it."

How can this be a security breach if they are just logging on with a temp local profile and not connected to the domain?

Do they have access to domain resources? No.
Can they do local work and still be productive if the server is unavailable? Yes.

How are you defining security?


October 14, 2009 at 12:01:12
This post wasn't querying my definition of security.

I was asking how to prevent users logging on with a temp. local profile.

Clearly no one knows.


October 14, 2009 at 12:27:58
Seen lots of misconceptions concerning security. Might want to consider what the results are if you lose your DC.

This should address your issue.



October 14, 2009 at 12:28:54
I think if the users have already logged onto this machine they will be able to log on again even without connectivity. It is just using the settings that they already have saved in Documents and Settings on the computer. If you have a user that has never logged onto this box before, they should not be able to log in, as they would not be able to be "authenticated" as needed via GPOs. If I am mistaken and you are still seeing this, let me know; there might be a different issue. One other thing you could try is refreshing the GPOs so that it has the correct policies in place.


October 16, 2009 at 11:25:49
To prevent logon when the Domain Controller is not present, enter Domain Security Policy.

Under Local Policies, select Security Options.
Change - Interactive logon: Number of previous logons in cache to '0'.

Users now cannot log on without the presence of a DC.

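Added example (not part of the thread): the setting named in the last reply is stored in the Winlogon `CachedLogonsCount` registry value, so a security-template export can be audited for it. This Python script parses the `[Registry Values]` section of a `secedit /export` style file; the sample templates are constructed, and the fallback of 10 is the Windows default assumed when no policy defines the value.

```python
import re

# Registry value behind "Interactive logon: Number of previous logons to cache".
KEY = r"machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount"
WINDOWS_DEFAULT = 10  # assumed default when no policy defines the value

def cached_logons(inf_text):
    """Return (count, defined) from the [Registry Values] section of a template."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        name, _, data = line.partition("=")
        if name.strip().lower() != KEY:
            continue
        # Data is "<type>,<value>", e.g. 1,"10" (type 1 = REG_SZ).
        m = re.fullmatch(r'\s*\d+\s*,\s*"?(\d+)"?\s*', data)
        if not m:
            raise ValueError(f"unparseable CachedLogonsCount data: {data!r}")
        return int(m.group(1)), True
    return WINDOWS_DEFAULT, False

def audit(inf_text):
    """Summarise whether domain logon is possible without reaching a DC."""
    count, defined = cached_logons(inf_text)
    if count == 0:
        return "PASS: cached logons disabled, a DC is required for domain logon"
    source = "policy" if defined else "default, no policy set"
    return f"FAIL: up to {count} cached domain logons allowed offline ({source})"

# Constructed sample exports (not taken from the thread).
BEFORE = '''[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount=1,"10"
'''
AFTER = BEFORE.replace('"10"', '"0"')

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", audit(text))
```

Real exports are typically UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`. With the value at 0, a workstation that cannot reach a DC (a laptop off the network, for example) will refuse domain logons entirely.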
