I was thinking about the agent but I expect we’re probably a long way off…

 

<mc>

-----Original Message-----
From: marcus [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 8:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

 

We’ve been looking into that stuff, too. You looking at the Cisco agent stuff or the 802.1x stuff?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, January 20, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

 

Yep, I understand. The problem is I need the logon script to run to get any of that accomplished.

 

Meanwhile, I’ve been reading up on some of the new network admission control stuff Cisco’s been working on. Sounds like a great concept.

 

<mc>

-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

 

When we had a similar project, the intention was not so much to prevent "the user" from accessing network resources. The objective was to turn off unpatched/vulnerable systems that do not conform to the corporate standard. For example, you want computers that don't have the latest AV or are not RPC-DCOM-protected turned off from the network. These computers don't NEED anyone to be logged into them with any domain credentials before they become infected and start spreading. Needless to say, the project was still-born :(

 

 

Sincerely,

Deji Akomolafe,
MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

 


From: Creamer, Mark
Sent: Tue 1/20/2004 5:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] forcing a logoff

> 2. Win2K and later (I have no NT 4) has cached credentials, so a user could unplug, log in, replug and
> thereby bypass the logon script
 
But they still wouldn't have access to anything network based.  Those
cached credentials will only get them on their local machine.
 
>>> I would think they would simply be prompted for user name and password, at which time they would
again have access to the resource. My point was this process avoids the logon script.
 
Thanks for the 802.1x tip - I'll look into that.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
