Re: Disabling Interactive Logon Against Security Group



PS.
You may be wondering by now why we have not suggested using the
control in the account properties where one may specify a list of machines
an account may log in to. Basically, that capability relies on NetBIOS,
and I have seen where this is not effective if login is tried on a machine
where full NetBT support is not available/healthy. Hence that would
not provide a reliable route, but a route, configured per account.

"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:05F10108-F297-4A34-A47B-564859EA0151@xxxxxxxxxxxxxxxx
Roger,

Point taken; I'm beginning to accept that this is going to be my only solution
to the problem even though I'd have preferred a method of approaching this
from a user account basis rather than a machine basis.

Appreciate your time & help, and everyone else's on this.


--
Regards,
Sam Gaw

http://www.samgaw.co.uk


"Roger Abell [MVP]" wrote:

"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DEC97BE9-A4C5-464E-9755-536F208A43BF@xxxxxxxxxxxxxxxx
Thanks for the replies, to be honest though I was hoping to avoid this
approach which is why I wasn't quite sure of the initial reply.

Essentially this is to secure half a dozen guest accounts on a domain of
50,000+ so that they may access a web app, so to modify the security
policies this way is in my opinion a little drastic and why I originally
phrased my question "disable interactive logon privileges against specific
OU/User Groups rather than against computers?"

I haven't had a chance yet but when I return to the office tomorrow I
was thinking of creating the accounts in the same sort of manner as I would
a service account given that other than SQL it's possible to prevent
interactive logons with DSAs.

Has anyone tried this before? I had assumed that this would have been
fairly common practice anywhere that followed least-privileged designs.


Hi Sam,

I hope you catch some other replies, with good methods.
Where I follow least privilege this is a total non-issue, as the machines
are not left at default with Domain Users and Authenticated Users in
Users and with logon rights granted to Users. IOW, in that deployment
if the account is not added to a group that does grant login to a set of
machines they cannot. For your current issue, problem solved.

Roger




"Roger Abell [MVP]" wrote:

Paul has shown you where to locate that policy.

There are however some potential issues to consider.

If you set this in a GPO then the list that is to be denied that you
provide in that GPO is the one, complete list used for that user
right setting on all machines subject to that GPO. In other words,
if this setting is being used on some machines, the value provided
in the GPO will replace what exists on those machines. If you look,
this is used in a default on XP clients for a couple/few accounts, so
those would no longer be denied after the GPO is applied if your
GPO just says to deny your CustomWebUser group.

One route to avoid this is to cause a machine local group to be
defined on each machine, "DenyLocalLogin", and placed into the
machine's user right to deny interactive login. Then, you can
control the membership in this machine local group using the
restricted group capability from your GPO. Similar to the issue
with the user right, if you do not want to have your GPO take
control over the complete and total membership in the machine
local group then you can use the technique outlined in this KB
http://support.microsoft.com/kb/810076




"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:52FDD057-DCD7-4A21-AD50-3F3DA71CB191@xxxxxxxxxxxxxxxx
Svyatoslav,

Thanks for getting back to me so quickly; I'd thought about that
myself but the problem is I can't actually find the policy anywhere. Any ideas?


--
Regards,
Sam Gaw

http://www.samgaw.co.uk


"S. Pidgorny <MVP>" wrote:

Add the group containing to the "Deny log on locally" policy on the
domain level?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AFEC2F64-F0D4-42B1-A8AF-E461165911D4@xxxxxxxxxxxxxxxx
I was wondering if anybody knew of a way to disable interactive
logon privileges against specific OU/User Groups rather than against
computers?

Essentially I want to be able to provide domain accounts to users
to access a web app published on the WAN but prevent them from accessing
the domain via any of our computers/interactive logon.

Any help or advice would be much appreciated.

--
Regards,
Sam Gaw

http://www.samgaw.co.uk
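An added worked example, not code from anyone in the thread: the per-machine half of Roger's "DenyLocalLogin" approach, scripted for one host so you can see the pieces before handing the group membership over to Restricted Groups in a GPO. It creates the machine-local group, puts a domain group into it (the name CONTOSO\CustomWebUser is a placeholder), and then adds the local group's SID to the machine's "Deny log on locally" right (SeDenyInteractiveLogonRight) by reading the current holders with secedit and appending, rather than overwriting them, which is exactly the clobbering problem Roger warns about when the right is set straight from a GPO. Assumed: the script runs elevated, and the *-LocalGroup cmdlets are available (Windows PowerShell 5.1 or later); on older systems replace those two calls with net localgroup.

```powershell
# Added example (not from the thread). Run elevated on one machine.
# Builds the DenyLocalLogin machine-local group and appends it to
# "Deny log on locally" (SeDenyInteractiveLogonRight) without replacing
# the accounts that are already denied on this host.
#Requires -RunAsAdministrator

$LocalGroup  = 'DenyLocalLogin'
$DomainGroup = 'CONTOSO\CustomWebUser'        # placeholder: group of web-app users
$Right       = 'SeDenyInteractiveLogonRight'  # the "Deny log on locally" user right

# 1. Machine-local group that will carry the deny right on this host.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'Members are denied interactive logon' | Out-Null
}
# Membership is populated by hand here; in the GPO deployment Restricted
# Groups ("Member of") does this step on every machine instead.
$members = Get-LocalGroupMember -Group $LocalGroup -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -eq $DomainGroup })) {
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
}
$groupSid = (Get-LocalGroup -Name $LocalGroup).SID.Value

# 2. Export the current holders of the right from the local security database.
$work = Join-Path $env:TEMP 'deny-logon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$export = Join-Path $work 'current.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# secedit writes the right as e.g.  SeDenyInteractiveLogonRight = *S-1-5-32-546,Guest
# (SIDs carry a leading '*', plain names do not). Parse the existing list.
$line = Get-Content $export | Where-Object { $_ -match "^$Right\s*=" }
$existing = @()
if ($line) {
    $existing = ($line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ -ne '' }
}

# 3. Append our group's SID; never overwrite what the machine already denies.
$entry = "*$groupSid"
if ($existing -contains $entry) {
    Write-Host "$LocalGroup already holds $Right on this machine."
    return
}
$merged = (@($existing) + $entry) -join ','

$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $merged
"@
$inf = Join-Path $work 'apply.inf'
$template | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db (Join-Path $work 'apply.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null

# 4. Verify by exporting again and checking the SID is now in the list.
$check = Join-Path $work 'after.inf'
secedit /export /cfg $check /areas USER_RIGHTS | Out-Null
$after = Get-Content $check | Where-Object { $_ -match "^$Right\s*=" }
if ($after -and $after.Contains($entry)) {
    Write-Host "$Right is now: $(($after -split '=', 2)[1].Trim())"
} else {
    Write-Warning "$Right was not applied; inspect the files under $work"
}
```

Step 3 is the part worth keeping in mind when you move this into a GPO: a "Deny log on locally" entry in a GPO is the complete list for every machine in scope, so the merge done here by hand has to be replaced either by a domain-wide list that already includes whatever the machines deny by default, or by leaving the user right alone and managing only the DenyLocalLogin group's membership through Restricted Groups, which is the route the post above recommends.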
