Logon Domain


MC

Hi

In our network, there are four options in the logon screen - logon locally to
this computer, domain1, domain2 and domain3. Now, is it possible to set
up some form of policy to force users to logon to a particular domain?
Basically, I don't want users to have the ability to 'play' with the drop
down menu. We are running a Win 2000 server, Win Pro/XP environment.

TIA
 
I know of no way to modify the list on the drop down box. What you could do is
configure the "log on locally" user right assignment for each domain or
appropriate Organizational Unit. Remove everyone and users and replace it with
the domain users group for that domain to control what domain they can logon
to. --- Steve
 
In the microsoft.public.win2000.security news group, Steven Umbach said:
I know of no way to modify the list on the drop down box. What you could do is
configure the "log on locally" user right assignment for each domain or
appropriate Organizational Unit. Remove everyone and users and replace it with
the domain users group for that domain to control what domain they can logon
to. --- Steve

You're misunderstanding the logon locally right. That setting controls
the right to logon interactively to a particular computer, has nothing
to do with which domain they can choose in the list. A user logging on
can choose any domain they like from the list, however, they'll only be
able to successfully log on when they choose the domain in which their
user account exists.
 
If the user has accounts in multiple domains and for whatever reason the
administrator wants a particular domain computer to allow logging on to a
particular domain or only members from a particular domain, then configuring
logon locally as I described will accomplish that. --- Steve
 
In the microsoft.public.win2000.security news group, Steven Umbach said:
If the user has accounts in multiple domains and for whatever reason the
administrator wants a particular domain computer to allow logging on to a
particular domain or only members from a particular domain, then configuring
logon locally as I described will accomplish that. --- Steve

No, it won't. Using the logon locally right can certainly be used to
allow only users from a particular domain to log on to a specific
computer, however, the first part of your statement - "the
administrator wants a particular domain computer to allow logging on to
a particular domain" cannot be accomplished by using the log on locally
right. The "or" in your statement implies two distinct actions, one is
possible, the other is not.
 
If there is a domain tree for acme.com. with child domains east.acme.com. and
west.acme.com. and I have a computer in west.acme.com. where I want a regular
user who has accounts in all three domains to be only able to log onto my
computer with their account in west.acme.com. I could configure the logon
locally to allow only domain users from west.acme.com. That should prevent that
user [or others] from logging onto my computer with their account from
east.acme.com or acme.com. That is what I was talking about. --- Steve
 
In the microsoft.public.win2000.security news group, Steven Umbach said:
If there is a domain tree for acme.com. with child domains east.acme.com. and
west.acme.com. and I have a computer in west.acme.com. where I want a regular
user who has accounts in all three domains to be only able to log onto my
computer with their account in west.acme.com. I could configure the logon
locally to allow only domain users from west.acme.com. That should prevent that
user [or others] from logging onto my computer with their account from
east.acme.com or acme.com. That is what I was talking about.

That's fine, and thanks for the clarification. That means that you meant
exactly the same thing with these two statements - "the administrator
wants a particular domain computer to allow logging on to a
particular domain or only members from a particular domain", which is
what I was trying to clarify.
 
I promise I will enroll in a grammar class this fall [I need to learn how to
type also]. --- Steve

Paul Adare said:
In the microsoft.public.win2000.security news group, Steven Umbach said:
If there is a domain tree for acme.com. with child domains east.acme.com. and
west.acme.com. and I have a computer in west.acme.com. where I want a regular
user who has accounts in all three domains to be only able to log onto my
computer with their account in west.acme.com. I could configure the logon
locally to allow only domain users from west.acme.com. That should prevent that
user [or others] from logging onto my computer with their account from
east.acme.com or acme.com. That is what I was talking about.

That's fine, and thanks for the clarification. That means that you meant
exactly the same thing with these two statements - "the administrator
wants a particular domain computer to allow logging on to a
particular domain or only members from a particular domain", which is
what I was trying to clarify.

--
Paul Adare
What use is it that knowledge mounts?
It's knowing something good that counts.
Friedrich von Logau
 
Thanks, I will give it a try.


Steven Umbach said:
I know of no way to modify the list on the drop down box. What you could do is
configure the "log on locally" user right assignment for each domain or
appropriate Organizational Unit. Remove everyone and users and replace it with
the domain users group for that domain to control what domain they can logon
to. --- Steve
 
Just having second thoughts about this - I appreciate your help, but would the
options to pick a domain still appear and if they try to logon to a
domain it would give some form of access denied?

Thanks again
 
Just having second thoughts about this - I appreciate your help, but would the
options to pick a domain still appear and if they try to logon to a
domain it would give some form of access denied?

Correct.
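
An audit sketch for the approach discussed in this thread, added here and not part of any poster's message: it reads the `SeInteractiveLogonRight` ("log on locally") line from a `secedit /export` security template and flags holders outside the one permitted domain. The function names, the constructed sample template, and the choice to keep local Administrators are assumptions; the right restricts which accounts can log on to the computer, not what the domain list shows.

```powershell
# Added example (not from the thread). Live input can be produced with:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
#   Test-LogonLocally -TemplateText (Get-Content rights.inf -Raw) -AllowedDomain WEST

function Resolve-Principal {
    param([string]$Entry)
    # Template entries are either "*<SID>" or a plain account name.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # unresolvable: deleted account or unreachable domain
    }
}

function Test-LogonLocally {
    param([string]$TemplateText, [string]$AllowedDomain)
    $line = $TemplateText -split "`r?`n" |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right not defined in this template
    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        $name = Resolve-Principal $e
        # Assumption: local Administrators (S-1-5-32-544) stay; everything
        # else must be an account or group from the permitted domain.
        $ok = ($e -eq '*S-1-5-32-544') -or ($name -like "$AllowedDomain\*")
        [pscustomobject]@{ Entry = $e; Principal = $name; Expected = $ok }
    }
}

# Constructed sample: local Users and EAST\Domain Users still hold the right.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,WEST\Domain Users,EAST\Domain Users
'@

Test-LogonLocally -TemplateText $sample -AllowedDomain 'WEST' |
    Format-Table -AutoSize
```

Rows with `Expected` set to False are the entries to review, such as the local Users group that the thread suggests removing.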
 