We need to not challenge selected users on our desktops (Windows). In Group Policy, we have a "challenge users" set to "all users except" and have a group name of ".\SecurID" (that is, local on the desktop). This is because we can't have a domain group with IDs on a local desktop. This is working, however, we cannot prevent changes to the local group. in an attempt to address this, we are now setting the local group value on the domain server in Group Policy. However, while Group Policy will reset the entries to what we desire, someone (hacker) who has access to the local group policy can add entries for privileged IDs and then log in without using SecurID. I need to have at least two entries which do not need SecurID authentication (one local ID, one domain ID).
There are two related questions: 1) is there a way to lock down entries in the desktop's local group table. 2) is there a way to move the the "group name" to the domain controller and enter a value such as ".\generaluser" or a similar entry which is not in active directory (that is, local to the PC).
