Re: Stopping some accounts from logging on

From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 08/03/05


Date: Wed, 3 Aug 2005 11:32:30 -0400

This article has the tip you need:

http://www.windowsitpro.com/Article/ArticleID/20902/20902.html?Ad=1

The LOGOFF utility that it references (NT4) is already in Windows XP.

Create an empty text file in the Netlogon directory of the server with the filename <username>.<computername> (example: bobd.workstation3). Then create/modify the domain logon script, using the example cited in the above article. It should work the same way in XP as it did in NT4. Create one file for each computer/user combination that you want allowed to log on.

-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
 
"Jim Watts" <j.watts@news.postalias> wrote in message news:%23agdhpDmFHA.4000@TK2MSFTNGP12.phx.gbl...
> This might be a very simple question, but I think I need some advice.
> 
> We have 5000+ XP workstations in our AD. On SOME of them, we want to have 
> people log on with a shared account that has NO password (I know, not secure 
> etc, but Group Policy does configure this account to run a different shell 
> etc). On the rest of the systems, this account should NOT be able to log on.
> 
> I thought I could solve this simply by taking the account in question out of 
> the Domain Users group (and specifically allow it on the systems we do want 
> it to work on obviously), under the mistaken belief that only Domain Users 
> could log onto AD member systems. However this isn't the case, as by default 
> (it appears) 'Authenticated Users' is placed into the local Users group, 
> and the Users group has rights to log on which means anyone who can 
> authenticate can log on.
> 
> So the question is, how can I allow the account to log on to some 
> workstations but not others?
> 
> I thought I could use a GPO to set 'Deny Logon Locally' for this account, 
> but sadly that overwrites any other entries in the 'Deny Logon Locally' 
> setting (like ASPNET, Support_xxx etc) so that's no good. I also thought 
> that I could change the 'Log on Locally' so that it is 'Domain Users' rather 
> than 'Users', but then local service accounts won't work etc.
> 
> Any suggestions gratefully received.
> -- 
> Jim Watts,
> Information Systems Services
> University of Southampton
> 
>
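
One way the marker-file check described in the reply could be written as a domain logon script. This is an added example, not the script from the cited article or from either poster; the account name `kiosk` is a hypothetical placeholder for the shared account.

```bat
@echo off
rem Added example: allow the shared account only on computers that have a
rem marker file named <username>.<computername> in the NETLOGON share.
rem "kiosk" is a hypothetical account name; replace it with the real one.
setlocal
set "SHARED_ACCOUNT=kiosk"

rem %LOGONSERVER% already contains the leading backslashes (\\SERVER).
set "MARKER=%LOGONSERVER%\NETLOGON\%USERNAME%.%COMPUTERNAME%"

rem Every other account skips the check and logs on normally.
if /i not "%USERNAME%"=="%SHARED_ACCOUNT%" goto done

rem Marker present: this user/computer combination is allowed.
if exist "%MARKER%" goto done

rem No marker, or the share is unreachable: end the session (fails closed).
logoff

:done
endlocal
```

The logon script runs after the session has been created, so this restricts where the shared account can stay logged on interactively; it is not an authentication control and does not cover network logons.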

