How to prevent users from logging on the local machine?

John Park
I set up an Active Directory environment in my network. I prefer network
users to log on to their machines with domain credentials rather than the local
machines' credentials. What can I do to achieve this goal?
 
The simple way to do this is to only have one active local account, the
local administrator. If none of your users know the password to this account
they will be unable to log on locally.
 
John Park said:
I set up an Active Directory environment in my network. I prefer network
users to log on to their machines with domain credentials rather than the local
machines' credentials. What can I do to achieve this goal?

As Simon said, give them a Domain account only.

Then they have no choice.

Also, do not make their Domain account an Admin
or even a Power User so they cannot create other
accounts on their machine (or just educate them if
you trust them to be admins.)
 
I am not sure you have explained or maybe I am reading into it.
A user can log onto a machine with cached credentials, this happens when
there is no domain controller, like people who use laptops. The same
permissions will apply as they have when they logon when the domain
controller can be contacted.
Other than that keep the accounts on the local machine password protected
and don't let them have it.
If you are talking about keeping users off the system even when the dc is
not able to be contacted, I first ask why? Then would say to look up the reg
keys that can prevent cached logons.
 
BCE said:
I am not sure you have explained or maybe I am reading into it.
A user can log onto a machine with cached credentials, this happens when
there is no domain controller, like people who use laptops. The same
permissions will apply as they have when they logon when the domain
controller can be contacted.

Same permissions OR LESS. Access to domain
resources may not be available.

But cached credentials can also be disabled if that
is part of the question.
Other than that keep the accounts on the local machine password protected
and don't let them have it.
If you are talking about keeping users off the system even when the dc is
not able to be contacted, I first ask why? Then would say to look up the reg
keys that can prevent cached logons.
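The "reg keys that can prevent cached logons" both posters refer to come down to a single Winlogon value, CachedLogonsCount (the same value that the Group Policy setting "Interactive logon: Number of previous logons to cache" writes). The following PowerShell is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later run elevated on the workstation, and the function names are mine.

```powershell
# Added example (not from the original thread): read and, optionally, change the
# Winlogon value that controls cached domain logons on a workstation.
# Assumptions: Windows PowerShell 5.1 or later, run elevated on the target machine.
# The value is REG_SZ, default "10", valid range 0-50; "0" disables cached logons,
# which locks domain users out whenever no DC is reachable (laptops off the LAN).

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the effective count as an integer; a missing value means the default of 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$ValueName
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 50)]
        [int]$Count
    )
    if ($PSCmdlet.ShouldProcess("$WinlogonKey\$ValueName", "Set to $Count")) {
        # The value must stay REG_SZ; Winlogon expects a string here, not a DWORD.
        Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value "$Count" -Type String
    }
}

# Report the current state and flag the two extremes.
$current = Get-CachedLogonsCount
switch ($current) {
    0       { "Cached logons disabled: domain users cannot log on without a reachable DC." }
    10      { "Default of 10 cached logons in effect." }
    default { "Cached logons set to $current." }
}

# Example: disable caching on a desktop that never leaves the LAN (dry run first).
# Set-CachedLogonsCount -Count 0 -WhatIf
# Set-CachedLogonsCount -Count 0
```

In a domain, deliver the setting through the Security Options GPO rather than by editing machines one at a time; a policy-managed value overwrites a manual edit at the next policy refresh. Setting it to 0 is a trade-off, not a free hardening: it removes the offline attack surface of cached verifiers, but any laptop user becomes unable to log on away from the network, which is exactly the "why?" the poster raises.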
 
I set up an Active Directory environment in my network. I prefer network
users to log on to their machines with domain credentials rather than the local
machines' credentials. What can I do to achieve this goal?

If the users don't have accounts on the local machine, then they
won't be able to log in locally anyway. If, by some chance, users
happen to have administrator rights to the computer, you need to get
rid of that on the local computer because you can give them rights on
the domain without local admin rights.
Also, you can edit or create a policy for the users. Then, go to
the Computer Configuration section, then the Security section, then
Local Policies, and then User Rights Assignment. There, you will see
a policy for 'Deny Logon Locally'. You can use that to deny groups or
users that you don't want to log on locally. I hope this helps.
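The "Deny log on locally" user right described above is the SeDenyInteractiveLogonRight privilege in the local security database, and its counterpart "Allow log on locally" is SeInteractiveLogonRight. The following PowerShell is an added example, not code from the thread: it exports the effective rights with the built-in secedit.exe and resolves the SIDs so you can see who is actually allowed and denied after the GPO applies. It assumes Windows PowerShell 5.1 or later run elevated; the function names and the CONTOSO group in the comment are placeholders.

```powershell
# Added example (not from the original thread): show who the local security policy
# currently allows and denies for interactive logon, i.e. the effective result of the
# "Allow log on locally" / "Deny log on locally" user rights, whether set locally or by GPO.
# Assumptions: Windows PowerShell 5.1+, run elevated; secedit.exe is built in.

function Get-InteractiveLogonRights {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit exports the effective local security database, including rights
    # applied by Group Policy, as an INI-style file with a [Privilege Rights] section.
    $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
    if (-not (Test-Path $cfg)) { throw "secedit export failed" }

    $rights = @{
        SeInteractiveLogonRight     = @()
        SeDenyInteractiveLogonRight = @()
    }
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Entries are comma-separated; SIDs carry a leading '*', plain names do not.
            $rights[$name] = @($Matches[2].Split(',') | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entry }   # unresolvable SID (e.g. a deleted account): keep it raw
                } else { $entry }
            })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-LocalLogonDenied {
    # True when the account (DOMAIN\name or MACHINE\name) appears directly in the deny right.
    # Deny always wins over Allow for the same principal; nested group membership is not
    # expanded here, so a user denied via a group will not show up by user name.
    param([Parameter(Mandatory)][string]$Account)
    $rights = Get-InteractiveLogonRights
    return [bool]($rights.SeDenyInteractiveLogonRight -contains $Account)
}

$r = Get-InteractiveLogonRights
"Allow log on locally : " + ($r.SeInteractiveLogonRight -join ', ')
"Deny log on locally  : " + ($r.SeDenyInteractiveLogonRight -join ', ')

# Example check for a hypothetical domain group placed in the deny right by GPO:
# Test-LocalLogonDenied -Account 'CONTOSO\Local Logon Denied'
```

One caveat before populating the deny list: it is evaluated against every group in the user's token, so denying a local group such as BUILTIN\Users would also lock out every domain user, because Domain Users is a member of the local Users group by default (as the next reply points out). Deny a purpose-built domain group that contains only the accounts you want kept off workstations, and keep Administrators out of the deny list so you cannot lock yourself out of the machine.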
 
John,

Just a little late....

Anyway, there are several suggestions to your question that will do the
trick. This is what I would do:

1) make sure that all of your computer account objects are in an
Organizational Unit ( OU ) and not in the default COMPUTERS Container

2) create a GPO that makes use of the Restricted Groups GPO. Essentially,
what this does is makes sure that there will be only one group - or however
many that you, as the Sys Admin, specify - that will be a member of the
computer's local Administrators group and that no one else will be able to
randomly add his or her local or domain user account to that group......just
be careful when you do this as most people new to this will forget to
include the Domain Admins security group....

2a) by default, the computer has three local groups of interest: the Users group, the
Power Users group and the Administrators group. By default, the Domain
Users domain security group is a member of the computer's local Users
group....this is a good thing. So, if you are running WIN2000 Pro and / or
WinXP Pro then the domain security group Domain Users will be a member of
the local Users group on each and every WIN2000 Pro and WinXP Pro system.
This should be all that you need. Know that the user needs to be a member
of the Power Users local group - at least - to add printers......

3) Create a GPO and link it to the OU that contains the Computer Account
Objects that accomplishes the 'deny local logon'.

This would pretty much lock things down for you. If you really want to
lock down the environment ( remove "Start | Run", not allow access to the
Display Properties, etc. ) then you might want to look at the 'How to lock
down a Terminal Server' MSKB Article. While it is for a Terminal Server
environment, you use the exact same procedure for workstations ( after all,
isn't a Terminal Server, in essence, nothing more than a big fat
workstation? )....you would just have all of the computer account objects in
that OU ( which you already do according to my 'plan' ) instead of the one
( the server on which you are running TS ). Also, you are using Loopback -
probably in replace mode.

HTH,


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
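Two of the replies above describe the same end state from different angles: Simon's "only one active local account, the local administrator", and Cary's step 2, a Restricted Groups GPO that pins the membership of the local Administrators group. GPO does the enforcing; the following PowerShell is an added example, not code from the thread or from either poster, that verifies a workstation actually ended up in that state and disables stray local accounts. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module) run elevated; the CONTOSO group names are placeholders for whatever your Restricted Groups policy specifies.

```powershell
# Added example (not from the original thread): verify the end state the thread
# recommends - one enabled local account (the built-in Administrator) and a local
# Administrators group containing only what Restricted Groups is supposed to put there.
# Assumptions: Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts
# module), run elevated; the allowed domain groups below are placeholders.

$AllowedAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')   # hypothetical

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        # The built-in Administrator (RID 500) is always a member and is expected;
        # anything else not on the allow list is a deviation from the Restricted Groups policy.
        $_.SID.Value -notmatch '-500$' -and $Allowed -notcontains $_.Name
    }
}

function Get-ExtraLocalAccounts {
    # Enabled local accounts other than the built-in Administrator. On a domain-joined
    # workstation none should exist; each one is a way to log on without domain credentials.
    Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -notmatch '-500$' }
}

function Disable-ExtraLocalAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($u in Get-ExtraLocalAccounts) {
        if ($PSCmdlet.ShouldProcess($u.Name, 'Disable local account')) {
            Disable-LocalUser -Name $u.Name
        }
    }
}

$badAdmins = @(Get-UnexpectedLocalAdmins)
$extra     = @(Get-ExtraLocalAccounts)
"Unexpected members of Administrators: " + $(if ($badAdmins) { $badAdmins.Name -join ', ' } else { 'none' })
"Enabled local accounts besides Administrator: " + $(if ($extra) { $extra.Name -join ', ' } else { 'none' })

# Remediate after reviewing (dry run first):
# Disable-ExtraLocalAccounts -WhatIf
# Disable-ExtraLocalAccounts
# Fix group membership through the GPO (gpupdate /force) rather than by hand; a
# "Members of this group" Restricted Groups policy rewrites the membership on every
# refresh, so manual additions disappear and manual removals are irrelevant.
```

Cary's warning is worth restating in operational terms: the "Members of this group" form of Restricted Groups replaces the whole membership list, so a policy that omits Domain Admins removes them from every workstation it applies to. Test the GPO on an OU containing one machine before linking it to the workstation OU. The one enabled local account that remains, the built-in Administrator, also needs a per-machine password; if the same password is shared across the fleet, one compromised workstation gives an attacker local admin on all of them, which is the problem Microsoft's LAPS solution exists to address.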
 