Gyanesh23-3786 asked ·

Logon script on AD working with domain admin but not working for standard users

Hi All,

I am working on a cmd script which needs to change the local machine policies when a user who is connected to the domain logs on. I have been able to make it work with domain admin accounts, but it is not working when trying the same with standard users. Here is my script:

net accounts /lockoutthreshold:3
net accounts /lockoutduration:30
net accounts /lockoutwindow:30


To make it work without a prompt and as administrator, I created a shortcut, then went to the Advanced settings tab on it and ticked the Run as Administrator checkbox.

Kindly advise if there is a way I could make it work for standard users as well, like a one-line command so that even when a standard user is logging in, it would run the bat file. Or any other way around.

Thanks in advance for your help.

Regards,

Gyanesh

windows-server, windows-active-directory

ManuPhilip answered ·

Hi Gyanesh,

By design, a logon script runs as the logged-on user and not in elevated mode.

Thanks,
Manu


Gyanesh23-3786 answered ·

Hi Manu,

I appreciate your help.

So we cannot run a logon script with elevated privileges on a standard user account? :(

Actually I am trying to achieve the below:

When applying GPO, while user is connected to the domain, policies are working fine but local machine policies do not seem to be changing.

Thus when the user is not connected to the domain, GPOs are not applied, hence no policies are applied locally.

I want the same policies to be applied to the user when he is connected to the domain and also when he is not connected to it (this I believe can be achieved if the local policies are changed to match the GPO while connected to the domain).

Regards,
Gyanesh


HannahXiong-MSFT answered ·

Hi Gyanesh,

Thank you so much for posting here.

According to our description, we are working on a script to configure the Account Lockout Policy, which would change the local group policy. We would like to make it work for standard domain users.

As we know, domain admins could configure the Account Lockout Policy, while standard users could not. As for the cmd commands, they should be run as administrator, and then the commands could complete successfully.

As per my understanding and experience, we could configure the group policy of scheduled task as shown below.

(Screenshots: task.png, configuration.png, configuration2.png)

In my test, the logon script is configured as:

(Screenshot: net-accounts.png)

Then log on to the client with the standard user account. After the scheduled task group policy was applied and the scheduled task finished, the account lockout policy changed. Then log on to the client with the administrator account and check the local group policy; it shows as below. (In my test, the Lockout duration would not change. I have no idea about this. But the other two settings could change. If possible, we could have a try and see whether it works.)

(Screenshots: 99.png, 999.png)

Hope the information is helpful. For any question, please feel free to contact us.

Best regards,
Hannah Xiong
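The scheduled-task approach described in this answer, as an added example that is not the answerer's own configuration: instead of deploying the task through a GPO preference, it registers an equivalent task locally with PowerShell, running as SYSTEM at every logon, and then parses `net accounts` to confirm the three values from the question actually took effect. Assumptions: it is run from an elevated PowerShell prompt on the client, and the task name and expected values are constructed for this example.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
$TaskName = 'Apply-LocalLockoutPolicy'                              # hypothetical name
$Expected = @{ Threshold = '3'; Duration = '30'; Window = '30' }    # values from the question

# The three commands from the original question, chained for cmd.exe.
$Commands = 'net accounts /lockoutthreshold:3 & net accounts /lockoutduration:30 & net accounts /lockoutwindow:30'

# Run as SYSTEM at logon, so the change does not depend on the logging-on user's rights.
$Action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $Commands"
$Trigger   = New-ScheduledTaskTrigger -AtLogOn
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
                       -Principal $Principal -Force | Out-Null

function Get-LockoutPolicy {
    # Parse the lockout lines of `net accounts` into a hashtable of strings
    # (a threshold of 0 is printed as "Never").
    $policy = @{}
    foreach ($line in (& net accounts)) {
        if     ($line -match '^Lockout threshold:\s+(\S+)')                      { $policy.Threshold = $Matches[1] }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)')           { $policy.Duration  = $Matches[1] }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $policy.Window    = $Matches[1] }
    }
    return $policy
}

function Test-LockoutPolicy {
    # Compare the effective local values with the expected ones and report each drift.
    param([hashtable]$Expected)
    $actual = Get-LockoutPolicy
    $ok = $true
    foreach ($key in $Expected.Keys) {
        if ($actual[$key] -ne $Expected[$key]) {
            Write-Warning ("{0}: expected {1}, found {2}" -f $key, $Expected[$key], $actual[$key])
            $ok = $false
        }
    }
    return $ok
}

# Run the task once now instead of waiting for the next logon, then verify the result.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
if (Test-LockoutPolicy -Expected $Expected) { 'Local lockout policy matches the expected values.' }
else { 'Local lockout policy drifted; see the warnings above.' }
```

The verification step is what surfaces a case like the one the answer mentions, where only two of the three settings changed: the mismatch is reported instead of being assumed to have applied.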



3 comments

Hello,

I am checking how the issue is going. If you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong


Hello,

Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

Thank you so much for your time and support.

Best regards,
Hannah Xiong


Hi Hannah,

I really appreciate your response and the valuable help you provided.

I have been able to make the script change local policies for the domain admin users (but not for standard users) when they log on to the machine, but when they are not connected to the domain controller, the policies still do not work :(.

The user can try to log in with a wrong password more times than the account threshold policy is set to, but it does not lock him out. It allows him to keep trying passwords until he gets the correct one, hence allowing brute force attempts in case the laptop containing corporate or personal information is lost/stolen.

Regards,
Gyanesh

Gyanesh23-3786 answered ·

Hi Hannah,

I really appreciate your response and help.

The logon script is still working just for domain admins and not standard users.

For now let's just disregard the part that it is not working for standard users as this not the main objective.

Now the main concern is that although the logon script changed the local policies for domain admin users, once the laptop is off the network the policies are not applied (in my scenario, the Account Lockout policy).

Do you think there is a way to mitigate this security issue? (Like making the group policy work the same on the network and off the network.)

Because the laptop is "protected" by group policies only while it is connected to Active Directory. Once the laptop is off the network, the group policies are no longer being applied (in our particular situation, the account lockout policy is not being applied).

I am still trying to figure out a way out.

Thanks a lot for your help.

Regards,
Gyanesh

1 comment

Hi Gyanesh,

You are welcome. Thank you so much for your kindly reply.

How did we configure the logon script? Did we configure this logon script policy via Local Group Policy or Group Policy Management? As per my understanding, if we configured this logon script policy via Group Policy Management on the DC, and the laptop is off the domain network, this policy will not be applied.

So to make this account lockout policy apply, we could try to configure the logon script policy via local group policy.

(Screenshot: 3.png)

For any question, please feel free to contact us.

Best regards,
Hannah Xiong


Gyanesh23-3786 answered ·

Hi Hannah,

Yes, I have configured this logon script policy via Group Policy Management on the DC so that users can be differentiated when they are logging in, as normally there will be two types of users: admin and standard users.

I tried changing the local policy via the logon script, i.e. the local policies are changed by the script and kept even when the laptop is disconnected from the network, but the local policies are only applied to the local user accounts and not to domain users.

I do not know if this is something that is feasible or not but it stands as a security loophole.

Thanks enormously for your help.

Regards,
Gyanesh


HannahXiong-MSFT answered ·

Hi Gyanesh,

Thank you so much for your kindly reply.

As we know, there are two types of Group Policies, domain and local. As for domain group policy, it is stored on the Domain Controller, based on site, domain and OU. Besides, it can only be used in an Active Directory environment. So as we configured this script policy on the DC, it will only be applied when connecting to AD. If the laptop is disconnected from the domain network, the policy will not be applied.

As for local group policy, it can only be used on this machine. If the computer has been added to the domain, but is not logged in to the domain, the local group policy is effective. We mentioned that the local policies are only applied to the local user accounts but not to domain users. I am not sure whether it is related to this specific policy, as the logon script is only working for domain admins and not standard users.

But according to my test in my lab, I configured a local group policy, and it was applied to both local users account and domain users including the domain admin account. If possible, we could configure another local policy to have a test.

Thank you so much for your understanding and support.


Best regards,
Hannah Xiong

2 comments

Hi Gyanesh,

In my last response, I mentioned the test in my lab. Here is the more detailed information.

I logged on to the computer with the domain admin account and configured the local group policy as shown below.

(Screenshot: 1.png)

Then check the setting I just configured. The setting is applied as shown below.

(Screenshot: 2.png)

If logging on to the computer with a standard domain user or a local user, the setting is also applied as shown above. Hope the information is helpful. For any question, please feel free to contact us. Thanks.

Best regards,
Hannah Xiong



Hi Gyanesh,

We are checking in to see whether the provided information is helpful. Please do not hesitate to contact us if there is anything else we could do for you.

Thanks for your support.

Best regards,
Hannah Xiong

KlausKoehler-3578 answered ·

I really never had your issue in 30 years working with Windows. If you have a GPO, you'll have that setting whether currently connected to the domain or not. Your user interface should also show the lock for that setting.

