Re: Create restricted user account, 2003 server AD domain
From: Jim Fischer (jfischer_link5809{at}now.here.com)
Date: 11/12/05
- Previous message: Roger Abell [MVP]: "Re: Can't remove user from administrator group"
- In reply to: Steven L Umbach: "Re: Create restricted user account, 2003 server AD domain"
- Next in thread: Roger Abell [MVP]: "Re: Create restricted user account, 2003 server AD domain"
- Reply: Roger Abell [MVP]: "Re: Create restricted user account, 2003 server AD domain"
- Reply: Steven L Umbach: "Re: Create restricted user account, 2003 server AD domain"
Date: Sat, 12 Nov 2005 00:32:07 -0600
Doh! I just figured out one of the missing puzzle pieces. Changes made to
the security policy are not necessarily applied immediately. (Note to self:
Some factors that affect the current GP settings: GP updates are pushed only
periodically, ~90 minutes; logout/logon; reboot.)
After I applied the domain security policy "Deny log on locally" to user
'abc', I ran the program 'gpupdate.exe' on the active directory server AND
on all of the XP hosts in the domain to manually update the group policy
settings on those machines. That did the trick. User 'abc' can no longer log
on to the XP hosts in the domain.
What I'm trying to figure out now is how to apply the domain security policy
"Deny log on locally" to the members of a security group. Here's what I
tried:
* I removed the domain security policy "Deny log on locally" from the user
'abc'.
* I ran 'gpupdate' on the domain controller and the XP hosts in the domain
and verified that I could once again log on to the XP hosts as user 'abc'.
* On the domain controller I created a security group 'def' and added the
user 'abc' to that group.
* On the domain controller I applied the domain security policy "Deny log on
locally" to group 'def'.
* I ran 'gpupdate' on the domain controller and the XP hosts in the domain.
When I tried logging on to an XP host as user 'abc', I was successful.
<sigh> So what am I missing here??? Why can user 'abc' still log on to the
XP hosts in the domain when user 'abc' is a member of the security group
'def', and security group 'def' has the domain security policy "Deny log on
locally" applied to it???
Jim
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23ORxORo5FHA.4036@TK2MSFTNGP11.phx.gbl...
>I think you are over complicating things. If you do not want a user to
>logon to a computer then make sure the user is not included in the user
>right to logon locally on the computer offering the share. By default
>domain controllers are configured that way - regular domain users can not
>logon to them. Open Local Security Policy [secpol.msc] and go to local
>policies/user rights and modify logon locally to suit your needs. For
>instance remove users/everyone and just leave administrators and possibly
>other privileged groups you want to logon locally. Keep in mind that the
>deny logon locally user right overrides the logon locally user right so be
>very careful in populating that list and never include users/everyone as
>administrators are also members of users and everyone groups. --- Steve
>
>
> "Jim Fischer" <jfischer_link5809{at}now.here.com> wrote in message
> news:eCnKunn5FHA.2524@TK2MSFTNGP10.phx.gbl...
>> FYI: I'm working with Windows Server 2003 Standard, configured as an
>> active directory domain controller.
>>
>> On the server I have a shared folder 'abc'. I created a user
>> non-administrator 'abcuser' and gave that user read-only privileges on
>> the shared folder 'abc'. I deleted the 'Everyone' permissions on the
>> shared folder 'abc'.
>>
>> The goal now is to configure user 'abcuser' so that it has the following
>> two properties:
>>
>> 1) XP hosts in the domain can specify the user account 'abcuser' (and
>> abcuser's password) for authentication purposes to mount the shared
>> folder 'abc' as a network drive, e.g.,
>>
>> > net use /PERSISTENT:NO
>> > net use Q: \\server.local\abc * /USER:abcuser
>> Type the password for \\server.local\abc: <password><enter>
>> The command completed successfully.
>> ...
>> > net use Q: /DELETE
>> Q: was deleted successfully.
>>
>> 2) User account 'abcuser' CAN NOT be used for local logons (i.e., a user
>> typing in a user-id and password at a keyboard) on any machine in the
>> domain, including the server.
>>
>> How is this type of user configuration done? I've been playing with this
>> for a while now (e.g., Administrator Tools > Domain Security Policy, the
>> Default GPO setup, specifying the specific machine that user 'abcuser'
>> can log on to, etc.) but I can't get it to work. Thanks for any
>> pointers...
>>
>> --
>> Jim
>>
>> To reply by email, remove "link" and change "now.here" to "yahoo"
>> jfischer_link5809{at}now.here.com
>>
>>
>
>
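An added diagnostic for the situation above (example code, not from anyone in the thread): it checks, on one host, whether the effective "Deny log on locally" right covers a given domain user either directly or through any group in the user's token, which is the comparison Jim's gpupdate-and-retry loop leaves implicit. It assumes an elevated prompt on a domain-joined host, and the user name 'abc' is a placeholder.

```powershell
# Added diagnostic (not from the thread): does "Deny log on locally" on THIS host
# effectively cover a given domain user, directly or through a group?
# Assumes an elevated prompt on a domain-joined host; $UserName is a placeholder.
param([string]$UserName = 'abc')

# 1. Export the effective security policy (local settings + applied domain GPOs).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# 2. Read the SeDenyInteractiveLogonRight entry from the [Privilege Rights] section.
$match = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight\s*=' |
         Select-Object -First 1
$denyEntries = @()
if ($match) {
    $denyEntries = ($match.Line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# 3. Normalise to SIDs: secedit writes SIDs as "*S-1-5-...", and some well-known
#    principals as plain names that must be translated.
$sidType = [System.Security.Principal.SecurityIdentifier]
$denySids = foreach ($e in $denyEntries) {
    if ($e.StartsWith('*')) { $e.Substring(1) }
    else {
        (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $e).Translate($sidType).Value
    }
}

# 4. Resolve the user's SID and the SIDs of every group (nested ones included) that
#    the domain places in the user's logon token (the tokenGroups attribute).
$userSid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $UserName).Translate($sidType).Value
$result  = ([ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$UserName))").FindOne()
if (-not $result) { throw "User '$UserName' not found in the domain." }
$de = $result.GetDirectoryEntry()
$de.RefreshCache([string[]]@('tokenGroups'))
$groupSids = foreach ($b in $de.Properties['tokenGroups']) {
    (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $b, 0).Value
}

# 5. Report. No hit means the policy on this host does not block the user, so the
#    next things to verify are that gpupdate ran here and that the GPO lists the group.
$hits = $denySids | Where-Object { $_ -eq $userSid -or $groupSids -contains $_ }
"Deny log on locally entries on $env:COMPUTERNAME : $($denySids -join ', ')"
if ($hits) { "User '$UserName' IS denied interactive logon via: $($hits -join ', ')" }
else       { "User '$UserName' is NOT covered by Deny log on locally on this host." }
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it on one of the XP hosts after gpupdate; if the group's SID is missing from the exported entries, the GPO has not reached that machine, and if it is present but the user's tokenGroups do not contain it, the membership change is what has not propagated.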