controlling what computers a user can log on to

djc
In a user's properties in ADUC, there is the 'Log On To' button where you can
control what computers a user can log on to.

What types of logon does this apply to? All? Just local? All interactive?
Does it also include remote connections via SMB resource shares?

I have not had to use the feature, but it came up and I'm curious.
 
That is a legacy setting that remains from Windows NT. Within an Active
Directory environment you can make use of Group Policies and the settings
Allow Logon Locally and Deny Logon Locally.
 
I always thought it was only for interactive logon, but another user tried it
for access to shares and it also worked, which I verified, meaning that if I
was not logged onto a computer name specified in my user account properties
I was denied access to domain shares. Now maybe you wonder how I could log on
to a computer that was not in my account properties. Such could be a non-domain
computer from which I was trying to access domain shares, knowing the
credentials for a domain account. Typically these days IPsec would be used
to do that.

Steve
 
Hi Chris,

Please correct me if I'm wrong, but my understanding of this option was
that the "Log On To" attribute in a user object restricts that account
to only log on to those systems (NetBIOS names only) which is a right
set at one location to restrict access to a limited set of systems.

The GPO you're talking about, in order to have the same effect would
need to be applied to all of the systems you don't want that account to
have access to (or explicitly have access to), correct?

I'm thinking they are two different approaches to accomplish the same
goal. I really like the "Log On To" ability and I regularly use it to
restrict Service Accounts to a single system. This also provides a
rather primitive form of system accounting and ties that account to the
system(s) listed therein, which also allows for convenient reporting of
the relationship through tools like CSVDE.

Brad Turner, MIIS MVP
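As an added example (not code posted in this thread), the "Log On To" attribute Brad describes can be reported on and set from PowerShell with the ActiveDirectory module instead of CSVDE; the account and computer names are placeholders, and the module and the rights to read and modify the accounts are assumed.

```powershell
# Added example, not from the thread: audit and set the "Log On To"
# restriction (LDAP attribute userWorkstations, exposed by the
# ActiveDirectory module as LogonWorkstations).
# Assumes the ActiveDirectory module is installed and the caller may
# read and modify the accounts involved. Names below are placeholders.
Import-Module ActiveDirectory

# 1. One row per account/computer pair for every restricted account:
#    the relationship report Brad gets from CSVDE, done with Get-ADUser.
function Get-LogonWorkstationReport {
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
        ForEach-Object {
            $user = $_
            # The attribute is one comma-separated string of NetBIOS names.
            $user.LogonWorkstations -split ',' | ForEach-Object {
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    Enabled        = $user.Enabled
                    Workstation    = $_.Trim().ToUpperInvariant()
                }
            }
        }
}

# 2. Pin a service account to a fixed set of hosts (Brad's use case).
#    The new value replaces the whole list, so pass every host the
#    account needs. Entries are NetBIOS names, not FQDNs.
#    Caveat from later in the thread: this limits where the account can
#    log on, not which shares it can reach once logged on.
function Set-ServiceAccountWorkstations {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstation
    )
    $list = ($Workstation | ForEach-Object { $_.Trim().ToUpperInvariant() }) -join ','
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $list
}

# Usage with placeholder names:
# Set-ServiceAccountWorkstations -SamAccountName 'svc-backup' -Workstation 'BACKUP01'
# Get-LogonWorkstationReport | Export-Csv -Path .\logon-workstations.csv -NoTypeInformation
```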
 
Oddly enough, I now have a use for this feature and I learned that it does
not apply to 'outbound' SMB connections, which I realize I was not really
clear in asking about before. In other words, I could only interactively log
onto the specified machine(s), *but* once logged on I *could* still access
external file shares without restriction, assuming of course I had
appropriate share and NTFS permissions. I was hoping I would only be able to
access the machine(s) specified in the 'Log On To' account property. I am
looking to isolate a user to only use/access a particular machine with the
following exceptions: they will need to connect to a SQL Server database via
Enterprise Manager and/or Visual Studio, as well as connect to the internet
via our LAN/proxy. More specifically, the user will be connecting remotely
via VPN, then RDP'ing to a particular desktop. I need to 'sandbox' this user
to only use this machine to review a development project. The exceptions
again are that this machine needs to connect to a database server on the LAN
and the internet.

I know NTFS alone could do the job, but it would require significantly more
administrative effort in this case. The 'Log On To' option sounded like a one-stop
shop to handle everything... oh well.
 