Host Checker to check remote machines for domain membership? How?

Not applicable

Hello all!

I am happy to join the Juniper SSL community.

I have a question on Host Checker. How do I best create a policy that will check if a given machine is a member of a company domain? We want to create different roles for people who log in with company-issued machines (domain members) and people who log in from non-company-issued machines.

How do I do this when it comes to Host Checker policy? Do I look for a specific registry key on the remote machines? If so, what am I looking for? Let's say the domain name is ... "acmegizmo"

Btw, I am running IVE 6.3.

Thank you!

7 REPLIES
Occasional Contributor

Re: Host Checker to check remote machines for domain membership? How?

Hey,

Best would be to use client certificates but if you settle for checking the registry you can read the domain name from

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

It contains the FQDN as a string, e.g. "redmond.corp.microsoft.com"

Might be other places as well but this is the one I use.

/mk

Super Contributor

Re: Host Checker to check remote machines for domain membership? How?

I recommend using "Domain" or "NV Domain" located in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" instead. This should always be the machine's FQDN (goldlnk.rootlnka.net).

Occasional Contributor

Re: Host Checker to check remote machines for domain membership? How?

If you want to make sure the user logged in is a domain user, not a local user, check:

For XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName

For Vista: HKEY_CURRENT_USER\Volatile Environment\USERDOMAIN

Frequent Contributor

Re: Host Checker to check remote machines for domain membership? How?

I use this: HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName

But I only check to make sure it's a domain computer. I don't check users.

Occasional Contributor

Re: Host Checker to check remote machines for domain membership? How?

How about HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachePrimaryDomain?

Not applicable

Re: Host Checker to check remote machines for domain membership? How?

What's to stop a user from manually adding this to the registry if they are not part of the domain?

Respected Contributor

Re: Host Checker to check remote machines for domain membership? How?

Nothing, unless there are policies on the PC that do not allow registry modification.

If you don't show reason strings, users will not know the failure reason.
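
To see which of the registry values suggested in this thread are actually populated on a known domain-joined reference PC before building a Host Checker rule on one of them, a script like the following can be run there. It is an added example, not part of any post above; `acmegizmo` is the placeholder from the question, and matching on the first DNS label of an FQDN is an assumption about how the domain is named.

```powershell
# Added example, not from the thread. Run on a reference PC that is known
# to be domain-joined, then repeat on a non-domain PC and compare.
$ExpectedDomain = 'acmegizmo'   # placeholder domain name from the question

# Key/value pairs exactly as named in the replies above.
$candidates = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'Domain' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'NV Domain' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DefaultDomainName' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachePrimaryDomain' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Telephony';   Name = 'DomainName' },
    @{ Path = 'HKCU:\Volatile Environment';                                  Name = 'USERDOMAIN' }
)

$results = foreach ($c in $candidates) {
    $data = $null
    try {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop
        $data = $item.($c.Name)
    } catch {
        # Key or value is missing on this OS version: leave $data as $null
    }

    # Assumption: the value is either the short domain name or an FQDN
    # whose first label is the short name (e.g. acmegizmo.example.com).
    $firstLabel = if ($data) { ($data -split '\.')[0] } else { $null }
    $matches    = [bool]($data -and
                         ($data -ieq $ExpectedDomain -or $firstLabel -ieq $ExpectedDomain))

    [pscustomobject]@{
        Key     = $c.Path
        Value   = $c.Name
        Data    = $data
        Matches = $matches
    }
}
$results | Format-Table -AutoSize

# What Windows itself reports about domain membership, for comparison
# with the registry strings above (requires PowerShell 3.0 or later).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"PartOfDomain = $($cs.PartOfDomain); Domain = $($cs.Domain)"
```

Every value listed under HKLM or HKCU here is a plain string that a local administrator can write, which is the limitation raised in the last two replies.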