By default, Windows stores 10 user profiles on the device. They are saved on the device indefinitely. So the login servers shouldn't be the problem.
I know that, but I'm sure there's a catch somewhere somehow. I've never done IT work, so I was hoping someone with DC experience could shed some light. Of course, an employee can go abroad for a long time and not be connected to AD, but I doubt it's permanent. Of course %UserProfile% remains permanently on the machine regardless, but does it also "comply" regardless? I want more details on what the most basic config is to achieve this. Furthermore, we could potentially mock the AD network responses when an account is deployed on the machine and release it, similar to KMS solutions here.
You want to trick your machine into thinking it's logged in to a DC when it really isn't, and have the security policies that apply when you're logged in to a DC?
I can apply the policies myself as a user, to my understanding. The issue is that applications categorize you as a "consumer" or "general public" and don't respect the policies. The point I was trying to make by writing all that bs up there was that even if GP rules don't have this written into the rules, they still don't respect your configuration once they see you're a localuser/username. So, what does Chrome check for to know if the user is part of a DC or not? It could be as simple as a reg path. But the issue goes beyond Chrome. BTW, device management is something Google offers with Google Apps for business; it's on the Admin Console.
Think of it this way: in business, if you don't respect the rules, you get sued. The business could be handling state secrets, nuclear weapons and whatever; when you select the no-telemetry option, telemetry goes away. At my old job, the rule that was pushed through was that only port 443 is allowed as an outgoing or incoming connection, period. I tried every trick in the book to no avail; the only way out was to tunnel out through port 443 or a proxy, etc.

Here are some examples you can try, on whatever Windows super enterprise edition, as a local user:
- Try creating a firewall rule to block all IPv6 connections, monitor the activity and see if svchost or any Windows exe gives a rat's ass about your rule.
- Try blocking UDP. You shouldn't be able to resolve "ping google.com", and yet you do.
- Try disabling NetBIOS. You actually can, but then weird things you can't explain start happening randomly.
- Try disabling IPv6 globally. You can't, no matter what; the loopback interface is still alive and well through IPv6. Try this in PowerShell: "Get-NetAdapterBinding -IncludeHidden"

I can keep going... Although rules over MMC are taken more seriously, svchost still doesn't give a f.

Long story short, I just don't have time to dive into Win Server just for this project. All I need is a 1-2-3 of buttons to click to:
1. Create a domain, with one or more users (or open?)
2. where the user has GOD privileges.
3. Is there anything else needed to maintain this status over time?

Heck, I bet someone has an Azure template ready for this. I'll make a VMDK with a snapshot of this Windows Server, and start joining from another VM as a user, reverting changes over and over in order to capture/understand all network activity. Even if I suck, we'll still have the VM for our community. And I believe this is worth far more than all the scripts, package removals and tricks that 1/3 of the posts here are about, and yet everything goes back the way it was on the next cumulative update.
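The checks listed above (domain-join state, hidden IPv6 bindings, firewall block rules that should cover IPv6) can be gathered in one pass from the machine itself. The script below is an added example written for this thread, not code from any poster; it only reads state and assumes an elevated PowerShell on Windows 10/Server 2016 or later, where the CIM, NetAdapter and NetSecurity cmdlets and dsregcmd.exe it calls are available.

```powershell
# Added example (not from the thread): audit what this machine reports about its
# management state and its IPv6 exposure. Read-only; run from an elevated prompt.

function Get-DomainJoinState {
    # Win32_ComputerSystem carries the join information management-aware apps read.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # dsregcmd summarises AD join, Azure AD join and MDM enrolment in one report;
    # keep only the three state lines so the output stays readable.
    $dsreg = (& dsregcmd.exe /status) |
        Where-Object { $_ -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined)\s*:' } |
        ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain   # $true only for an AD-joined machine
        Domain       = $cs.Domain         # workgroup name when not joined
        DsRegStatus  = ($dsreg -join '; ')
    }
}

function Get-Ipv6Bindings {
    # Every adapter, hidden ones included (as suggested in the thread), that still has
    # the IPv6 stack (ms_tcpip6) bound. Loopback stays bound by design.
    Get-NetAdapterBinding -IncludeHidden -ComponentID ms_tcpip6 |
        Select-Object Name, DisplayName, Enabled
}

function Get-EnabledBlockRules {
    # Enabled block rules with their remote address scope, so you can see whether any
    # rule actually restricts IPv6 ("Any" covers both address families; an IPv4-only
    # range leaves IPv6 untouched).
    Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Direction     = $_.Direction
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

Get-DomainJoinState   | Format-List
Get-Ipv6Bindings      | Format-Table -AutoSize
Get-EnabledBlockRules | Format-Table -AutoSize
```

Comparing the first block of output between a workgroup machine and a domain-joined VM is the quickest way to see what an application can observe about management state without guessing at registry paths; the last two blocks show whether a block rule's scope really reaches the IPv6 bindings that remain after "disabling" IPv6.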
I'll pay for your AWS expense, just launch an instance and record a video doing it. But deep inside, I fear it should be more difficult than this.
For those who don't know what I'm talking about, try using some Nirsoft tools like LiveTcpUdpWatch. For the next level up, try Microsoft Network Monitor 3.4. Wireshark is good but has no exe origin information.
As far as I know, you should not be able to fake AD from Windows itself; it would be a security issue bigger than the Great Wall of China. But looking at how KMS emulators work, a tunnel with an emulated server or directly hooking kernel functions might be doable. A lot of effort, though. It's more feasible to use another device (Windows Server) to set it up. Recently there's been quite some progress on Android and iOS support for managing ADs; it might be the easier path to follow. I've been beating the "Enterprise LTSC is less safe on home PCs" mantra on this forum for a long time exactly for this reason: no domain join, no AD security, no enterprise-level AV subscription? Get f**ked! Even more so than an up-to-date consumer build, because at the very least that one has an improved set of mitigations.
Just set up Enterprise 2004. Turned off Cortana, turned off web results, turned off everything. Nothing: Bing still there, web results still there, 0 fuks given by Microsoft.
What registry settings did you apply? Can you please point me to a link? I picked it up here as an ESD and turned it into an ISO without touching anything; all editions are there by default: 19041.264.200511-0456.VB_RELEASE_SVC_REFRESH_CLIENTENTERPRISE_VOL_X64FRE_EN-US. After posting here I set up Win Server 2019 on a VM, joined it, applied GPO, and got the same results for both the local user and the domain user.
I set up Win Enterprise because Pro 1902 was doing the same thing. Lastly, here's another example: you know the notification for internet connectivity. You connect to Wi-Fi and it always pings Microsoft; if that fails, it says "No internet", but internet works fine everywhere. So yes, I've always disabled the rule under Admin Templates/System/Internet Communi.... etc. That "no internet" warning has always applied, since 1607.