Re: Stop Certain user accounts logging onto pc??

From: Colin Nash [MVP] (x_at_x)
Date: 07/03/04


Date: Fri, 2 Jul 2004 19:14:18 -0400

Umm you can do it from there... just put that account into the "Deny Logon
Locally" list and enable that policy.

"Gryzor" <Gryzor@discussions.microsoft.com> wrote in message
news:5AA60C69-CE42-47D1-B079-B96CCA540398@microsoft.com...
> Roger
>
> Sorry, yes it's XP Pro.
>
> I've played around with the setting in the local computer policy, no joy.
> All I want to do is make sure a certain DOMAIN account cannot logon to a
> machine.
>
> "Roger Abell" wrote:
>
>> I assume this is XP Pro.
>> You can take one of two approaches, both done by
>> managing User Rights in the Local Security Policy.
>> The rights are the right to Log on locally and the one
>> to Deny local logon.
>> An account in the logon right, directly or via a group
>> listed there, that is not also denied by listing (directly
>> or indirectly) in the Deny logon policy will be able to
>> log in.
>> If you are concerned about network login, such as for
>> access to shares, then those two (grant and deny) policies
>> for Network logon work similarly.
>> Now, the most simple approach is to just list the accounts
>> that should be disallowed in the Deny policy.
>> The other approach is to take control over the granting
>> policy. By default, this is granted to Users group, and, by
>> default in a machine joined to a domain the Users group
>> has as members Domain Users, Authenticated Users, and
>> Interactive. So, you either need to remove Users from the
>> policy that grants logon, replacing it with all accounts that
>> should have login (I usually define a custom group called
>> LocalLogin for this, add it to the right, and then control the
>> membership of LocalLogin), or, you can alter the members
>> in the Users group, removing the three items I just mentioned
>> and replacing these with all accounts that should be able to
>> login.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server System: Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "Gryzor" <Gryzor@discussions.microsoft.com> wrote in message
>> news:BDB546BB-937C-47FA-93FD-98B6F3AE6376@microsoft.com...
>> > hi
>> >
>> > Is there any way to stop certain domain accounts logging onto an XP
>> > machine.
>> >
>> > I want to allow normal user accounts to log onto the machine, but block
>> > a few "shared logins" I have.
>> >
>> >
>> > thanks!!
>> >
>> >
>>
>>
>>
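
The grant/deny evaluation described in the quoted reply above (an account can log on if it holds the logon right directly or via a group and is not listed, directly or indirectly, in the matching deny right), as an added example that is not part of the original thread. It checks a user-rights export offline; the function names `parse_rights` and `can_log_on` are hypothetical, and the domain and account SIDs are constructed sample values.

```python
# Added example. SAMPLE_INF is a constructed [Privilege Rights] excerpt in the
# format written by: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the real file is usually UTF-16; decode it to text before parsing).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SHARED, NORMAL = DOMAIN + "-1105", DOMAIN + "-1106"    # constructed accounts
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"         # BUILTIN groups

SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{ADMINS},*{USERS}
SeDenyInteractiveLogonRight = *{SHARED}
SeNetworkLogonRight = *{ADMINS},*{USERS}
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
"""

# logon kind -> (granting right, denying right)
LOGON_RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
}

def parse_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def can_log_on(rights, token, kind="local"):
    """token: the account's own SID plus the SIDs of every group it is in."""
    grant, deny = LOGON_RIGHTS[kind]
    principals = {p.lower() for p in token}
    if principals & rights.get(deny, set()):
        return False  # a deny entry wins, whether direct or via a group
    return bool(principals & rights.get(grant, set()))

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for label, sid in (("shared", SHARED), ("normal", NORMAL)):
        token = {sid, USERS}  # both reach BUILTIN\Users through Domain Users
        print(label, {k: can_log_on(rights, token, k) for k in LOGON_RIGHTS})
```

In this sample the shared account is blocked at the console but still passes the network check, because only the local deny right lists it.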


