Re: Restricting network Logins
From: Jeff G (youcant_at_mailme.here.com)
Date: 12/14/04
- In reply to: JoeMag: "Re: Restricting network Logins"
Date: Tue, 14 Dec 2004 14:57:33 -0500
Hey Joe.
If I understand this post, it's not a matter of the problem user knowing
others' passwords or accessing without a password, it's that he can logon
wherever he pleases with his valid user credentials. I had the same problem
at one time, might be able to help since I fixed my blasted users...
Since you're on a 2003 domain, I'll assume your workstations are either
W2000 or XP.
First though, there may be an easy solution - IF you've only got one problem
user (I had many!), and that user is logging onto the domain, AND your
servers and workstations are running the NetBIOS protocol, the AD Users and
Computers has an old left-over from the Windows NT days - "Logon To" on the
user property Profile tab. You can just add that particular computer's
NetBIOS name to the "Logon To..." list for that user, and bingo, your
problem user can only logon to that machine (using his username/password
anyway). (see caveats)
Since you haven't worked with any Group Policies as yet, there is another
"simple" way to manage this problem manually without NetBIOS. To understand
WHY your users can logon to all machines though, you have to understand what
happens when a workstation is added to the domain: there is a list of users
automatically added to the user groups on the local machine when it is added
to the domain - including administrators and authenticated users. You can
access these lists in the Computer Management app, under Local Users and
Groups. If you remove the entries there on each computer you wish to
restrict access to (except administrators, of course), NO ONE can logon to
the machine without an admin first implicitly adding them to the
workstation.
I believe all of these settings may also be maintained within a policy.
Now - PLEASE NOTE that this workaround comes with a few caveats, and I'm not
responsible for a bad solution to your problem ;-)
It is, however, working in my environment...
Caveats:
1. You will have to go through the machines you removed access from and
specifically grant each user you wish to allow access manually by adding
their user name to the Users or Power Users groups - and for every user
account you add from then on you will have to manually add to this
"restricted" computer. This has been the biggest headache so far for the
solution.
2. I have always done this first since I stumbled onto it, and I'm also
trying to quit relying on NetBIOS, as I'm sure one of the properly trained
people in this newsgroup is going to tell you to do. You MIGHT have to
recreate user profiles on the machine, I would definitely experiment before
ruining an end-user's documents and settings for them...
3. If you aren't restricting your users from admin-level access, they'll
eventually figure out how to put themselves back in the machine anyway and
you'll be wasting your time without a group policy at the domain controller
level.
Sorry for the long post, and hope it helps in your situation.
Jeff
"JoeMag" <JoeMag@community.nospam> wrote in message
news:e3ogyPU4EHA.3908@TK2MSFTNGP12.phx.gbl...
> We have a 2003 domain, I have looked into the policy editor, but I really
> have never used it before and do not know much about it, might you know
> where I can find the setting I am looking for?
>
>
> Thanks
>
> Joe
>
>
> "Colin T" <ColinT@discussions.microsoft.com> wrote in message
> news:20CD39C7-217B-47BF-8C8B-BAA720C56251@microsoft.com...
> > "JoeMag" wrote:
> >
> > >
> > >
> > > I need to find a way to only allow one Network Login to login to a given PC
> > > on a per PC basis, We have someone in the office who likes to login to PC's
> > > other than his own, and I need to figure out a way of just locking his
> > > account from logging into certain PC's but not his own, I don't care if I
> > > have to implement this on every PC, I just don't know how to go about it
> > > Thanks in advance for your help
> > >
> > >
> > > Joe
> > >
> > >
> > > Hi Joe,
> >
> > Is this network peer to peer or do you have a domain ? If it's peer to peer,
> > simply enable passwords on the user's accounts on each PC. If you are on a
> > domain, depending on whether it's NT4 or Win2000/2003 Active Directory, you
> > can either restrict the user by using User Manager for Domains (NT4) or Group
> > Policy (AD).
> >
> > Regards Colin.
>
>
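Added example, not part of the original thread: the two manual approaches Jeff describes (the per-user "Logon To" list and trimming the workstation's local Users group), scripted with present-day PowerShell cmdlets rather than the GUI tools named in the post. The function name Set-LocalUsersAllowList, the accounts CONTOSO\jsmith and CONTOSO\mjones, and the computer name PC-JSMITH are placeholders chosen for illustration.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ (LocalAccounts cmdlets) and,
# for approach 1, the ActiveDirectory module from RSAT.

# --- Approach 1: the "Logon To" list on the user account ---------------------
# Run from an admin workstation. Limits where this one account may log on.
Import-Module ActiveDirectory
Set-ADUser -Identity 'jsmith' -LogonWorkstations 'PC-JSMITH'
Get-ADUser -Identity 'jsmith' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# --- Approach 2: allow-list the local Users group on one workstation ---------
# Run elevated on the workstation being restricted. The Administrators group
# is left untouched, as in the post.
function Set-LocalUsersAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$AllowedAccounts,   # e.g. 'CONTOSO\jsmith'
        [string]$Group = 'Users'
    )

    $current = @(Get-LocalGroupMember -Group $Group |
                 Select-Object -ExpandProperty Name)

    # Remove every member that is not on the allow list. On a domain-joined
    # machine this typically includes the broad entries added at join time.
    foreach ($member in $current) {
        if ($AllowedAccounts -notcontains $member) {
            if ($PSCmdlet.ShouldProcess($member, "Remove from local group '$Group'")) {
                Remove-LocalGroupMember -Group $Group -Member $member
            }
        }
    }

    # Add allowed accounts that are not members yet (caveat 1 in the post).
    foreach ($account in $AllowedAccounts) {
        if ($current -notcontains $account) {
            if ($PSCmdlet.ShouldProcess($account, "Add to local group '$Group'")) {
                Add-LocalGroupMember -Group $Group -Member $account
            }
        }
    }

    Get-LocalGroupMember -Group $Group   # resulting membership
}

# Preview the changes first; drop -WhatIf to apply them.
Set-LocalUsersAllowList -AllowedAccounts 'CONTOSO\jsmith', 'CONTOSO\mjones' -WhatIf
```

Running with -WhatIf on a test machine first also covers caveat 2: the membership change can be checked against existing user profiles before anything is removed.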