Stopping some accounts from logging on

From: Jim Watts (j.watts_at_news.postalias)
Date: 08/03/05


Date: Wed, 3 Aug 2005 15:48:13 +0100

This might be a very simple question, but I think I need some advice.

We have 5000+ XP workstations in our AD. On SOME of them, we want to have
people log on with a shared account that has NO password (I know, not secure
etc, but Group Policy does configure this account to run a different shell
etc). On the rest of the systems, this account should NOT be able to log on.

I thought I could solve this simply by taking the account in question out of
the Domain Users group (and specifically allow it on the systems we do want
it to work on obviously), under the mistaken belief that only Domain Users
could log onto AD member systems. However this isn't the case, as by default
(it appears) 'Authenticated Users' is placed into the local Users group,
and the Users group has rights to log on, which means anyone who can
authenticate can log on.

So the question is, how can I allow the account to log on to some
workstations but not others?

I thought I could use a GPO to set 'Deny Logon Locally' for this account,
but sadly that overwrites any other entries in the 'Deny Logon Locally'
setting (like ASPNET, Support_xxx etc) so that's no good. I also thought
that I could change the 'Log on Locally' so that it is 'Domain Users' rather
than 'Users', but then local service accounts won't work etc.

Any suggestions gratefully received.

-- 
Jim Watts,
Information Systems Services
University of Southampton

