
restricting domain workstation logons



Guest wyocowboy
Posted

A customer wants to limit who can log on to certain machines to a handful of authorized users and prevent all other users in the company from logging onto these 3 workstations. I know that I can go into every user's profile and limit which machine(s) a given user can log on to, but I would rather not have to edit all those profiles, unless there is no other way.

Unfortunately, there does not seem to be any provision for doing this through Client Computers properties. Any ideas?

Guest Pegasus \(MVP\)
Posted

Re: restricting domain workstation logons

 

 

"wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
> A customer wants to limit who can log on to certain machines to a handful of
> authorized users and prevent all other users in the company from logging onto
> these 3 workstations. I know that I can go into every user's profile and
> limit which machine(s) a given user can log on to, but I would rather not
> have to edit all those profiles, unless there is no other way.
>
> Unfortunately, there does not seem to be any provision for doing this
> through Client Computers properties. Any ideas?

 

A brutal but highly effective method would be to modify your domain logon script like so:

@echo off
rem Is this one of the restricted PCs? /i because computer and user names
rem are case-insensitive, while "find" is case-sensitive without it.
find /i "xx%ComputerName%yy" \\YourServer\SomeShare\PCList.txt > nul
if %ErrorLevel%==0 (
    rem Is this one of the authorised users?
    find /i "xx%UserName%yy" \\YourServer\SomeShare\UserList.txt > nul
    rem Test with "if errorlevel 1" here, not with the ErrorLevel variable:
    rem inside a bracketed block the variable is expanded once, before the
    rem block runs, so it would still hold the result of the first find.
    if errorlevel 1 \\YourServer\Tools\shutdown.exe /r
)
{Remaining commands go here}

The first command checks if this is a restricted PC.
The second command checks if this is an authorised user.
The third command conditionally reboots the PC.

You need to do four things to make it happen:
- Modify the logon script.
- Compile a list of restricted PCs. Surround each name with "xx" and "yy".
- Compile a list of authorised users. Surround each name with "xx" and "yy".
- Download one of the many copies of shutdown.exe and leave it on your server.

Guest Tim Jackson
Posted

Re: restricting domain workstation logons

 

"wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
> A customer wants to limit who can log on to certain machines to a handful of
> authorized users and prevent all other users in the company from logging onto
> these 3 workstations. I know that I can go into every user's profile and
> limit which machine(s) a given user can log on to, but I would rather not
> have to edit all those profiles, unless there is no other way.
>
> Unfortunately, there does not seem to be any provision for doing this
> through Client Computers properties. Any ideas?

 

Are you in a domain?

If yes, then you could:

1) Create a domain group whose members are allowed to log on to these 3 workstations.
2) On each of the 3 workstations open the Local Security Policy MMC snap-in, open the "Log on locally" entry under "Local Policies", "User Rights Assignment", add the group created earlier and then deselect the "Users" group, click OK to save changes and reboot the workstations.

This will limit logons to these workstations to Administrators, Power Users, Backup Operators and members of the group created earlier. You could further restrict the groups allowed access, but I wouldn't recommend removing Administrators.

Guest wyocowboy2
Posted

Re: restricting domain workstation logons

 

 

 

"Tim Jackson" wrote:

> "wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
> news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
> > A customer wants to limit who can log on to certain machines to a handful of
> > authorized users and prevent all other users in the company from logging onto
> > these 3 workstations. I know that I can go into every user's profile and
> > limit which machine(s) a given user can log on to, but I would rather not
> > have to edit all those profiles, unless there is no other way.
> >
> > Unfortunately, there does not seem to be any provision for doing this
> > through Client Computers properties. Any ideas?
>
> Are you in a domain?
>
> If yes, then you could:
>
> 1) Create a domain group whose members are allowed to log on to these 3
> workstations.
> 2) On each of the 3 workstations open the Local Security Policy MMC snap-in,
> open the "Log on locally" entry under "Local Policies", "User Rights
> Assignment", add the group created earlier and then deselect the "Users"
> group, click OK to save changes and reboot the workstations.
>
> This will limit logons to these workstations to Administrators, Power Users,
> Backup Operators and members of the group created earlier. You could
> further restrict the groups allowed access, but I wouldn't recommend removing
> Administrators.

 

Yes, it is a domain, but what you suggested did not work. None of the domain users have local accounts on these machines to start with, and when logging onto a domain, the local policy settings are overridden by the domain policy settings anyway. However, I tried it anyway.

When I went to the "log on locally" portion of the local security snap-in, I couldn't get through the process as described. At the time, I was logged on as a domain admin. When I first tried to add the group, it offered me the choice of the local machine or the 'domain.local', so I selected the domain from the pull-down. It then came back and said it could not find the server/domain, even though I could browse the server at the time. I closed out of it and then went back in, and this time the only choice offered was the local machine, and of course the group does not exist on the local machine.

Since the group did not exist on the local machine, it wouldn't let me add it, so I created it locally and, after creating my user locally (it insisted on adding a user), I added it to the logon permit list and unchecked all except administrator. At the end of all that, it still lets any domain user log on to the domain from that machine.

Guest Tim Jackson
Posted

Re: restricting domain workstation logons

 

"wyocowboy2" <wyocowboy2@discussions.microsoft.com> wrote in message
news:F4A50ED3-2088-4D06-85F8-BA1FDDBB0B51@microsoft.com...
>
> "Tim Jackson" wrote:
>
>> "wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
>> news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
>> > A customer wants to limit who can log on to certain machines to a handful
>> > of authorized users and prevent all other users in the company from
>> > logging onto these 3 workstations. I know that I can go into every user's
>> > profile and limit which machine(s) a given user can log on to, but I would
>> > rather not have to edit all those profiles, unless there is no other way.
>> >
>> > Unfortunately, there does not seem to be any provision for doing this
>> > through Client Computers properties. Any ideas?
>>
>> Are you in a domain?
>>
>> If yes, then you could:
>>
>> 1) Create a domain group whose members are allowed to log on to these 3
>> workstations.
>> 2) On each of the 3 workstations open the Local Security Policy MMC
>> snap-in, open the "Log on locally" entry under "Local Policies", "User
>> Rights Assignment", add the group created earlier and then deselect the
>> "Users" group, click OK to save changes and reboot the workstations.
>>
>> This will limit logons to these workstations to Administrators, Power
>> Users, Backup Operators and members of the group created earlier. You could
>> further restrict the groups allowed access, but I wouldn't recommend
>> removing Administrators.
>
> Yes, it is a domain, but what you suggested did not work. None of the
> domain users have local accounts on these machines to start with, and when
> logging onto a domain, the local policy settings are overridden by the
> domain policy settings anyway. However, I tried it anyway.
>
> When I went to the "log on locally" portion of the local security snap-in,
> I couldn't get through the process as described. At the time, I was logged
> on as a domain admin. When I first tried to add the group, it offered me the
> choice of the local machine or the 'domain.local', so I selected the domain
> from the pull-down. It then came back and said it could not find the
> server/domain, even though I could browse the server at the time. I closed
> out of it and then went back in, and this time the only choice offered was
> the local machine, and of course the group does not exist on the local
> machine.
>
> Since the group did not exist on the local machine, it wouldn't let me add
> it, so I created it locally and, after creating my user locally (it
> insisted on adding a user), I added it to the logon permit list and
> unchecked all except administrator. At the end of all that, it still lets
> any domain user log on to the domain from that machine.

 

Sounds like you are having problems talking to the domain if it says it cannot find the server/domain. I would suggest checking that the workstation is still a member of the domain and that your domain admin really is an administrator account and is logging on to the domain okay.

This method does work; I have used it myself recently.
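The two Tim Jackson posts above describe the "Log on locally" user right (SeInteractiveLogonRight) and the domain-membership checks to make before editing it. The script below is an added example, not code from the thread or from any of its posters: it performs those checks and then sets the same right with secedit, which is what the Local Security Policy snap-in writes under the hood. It assumes a reasonably current Windows with PowerShell, that it is run elevated on each of the three workstations, and that the domain group from step 1 is called DOMAIN\WS-Restricted-Logon; that group name is a placeholder to replace.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): grant "Allow log on locally" on this
# workstation to Administrators plus one domain group and nothing else.
param(
    # Placeholder name; substitute the group created in step 1 of the reply.
    [string]$AllowedGroup = 'DOMAIN\WS-Restricted-Logon'
)
$ErrorActionPreference = 'Stop'

# 1. The checks from the last reply: is this box still a domain member, and
#    can it reach a DC?  If not, the name lookup below fails with the same
#    "cannot find the server/domain" symptom described in the thread.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not joined to a domain." }
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to $($cs.Domain) is broken; repair the domain join first."
}

# 2. Resolve the group to its SID. secedit accepts names, but a SID survives a
#    rename, and an unresolvable name throws here instead of being silently
#    dropped from the policy.
function Get-Sid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$groupSid  = Get-Sid $AllowedGroup

# 3. Record the current value of the right before changing it.
$before = Join-Path $env:TEMP 'rights-before.inf'
secedit /export /cfg "$before" /areas USER_RIGHTS | Out-Null
'Before: ' + (Select-String -Path $before -Pattern '^SeInteractiveLogonRight').Line

# 4. Security template granting the right to exactly these two SIDs. Every
#    principal not listed, including BUILTIN\Users, loses the right.
#    Add *S-1-5-32-551 to the list if Backup Operators must keep console logon.
$inf = Join-Path $env:TEMP 'rights-after.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *$adminsSid,*$groupSid
"@ | Set-Content -Path $inf -Encoding Unicode

# 5. Apply only the user-rights area so no other local policy setting moves.
$db = Join-Path $env:windir 'security\database\logon-restrict.sdb'
secedit /configure /db "$db" /cfg "$inf" /areas USER_RIGHTS | Out-Null

# 6. Re-export and verify that the group is actually in the effective setting.
$after = Join-Path $env:TEMP 'rights-after-check.inf'
secedit /export /cfg "$after" /areas USER_RIGHTS | Out-Null
$line = (Select-String -Path $after -Pattern '^SeInteractiveLogonRight').Line
Remove-Item $before, $inf, $after -ErrorAction SilentlyContinue
if ($line -notmatch [regex]::Escape($groupSid)) {
    throw "Policy did not apply (a domain GPO may be defining this right): $line"
}
'After:  ' + $line
```

Two caveats a practitioner would want. First, the poster's concern about domain policy is only half right: a locally set user right stays effective unless a GPO that applies to the machine defines the same right, in which case the GPO value replaces it at the next refresh and the verification step above fails. If that is the situation, put the same "Allow log on locally" list in a GPO linked to an OU containing only these three workstations instead of setting it locally. Second, this right governs console logon only; "Allow log on through Remote Desktop Services" and network access are separate rights, so restrict those too if the machines offer RDP or file shares. Unlike the logon-script approach earlier in the thread, which runs after the session exists and in the user's own context, this is enforced by the logon process before a session is created.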
