restricting domain workstation logons

  • Thread starter Thread starter wyocowboy
  • Start date Start date
W

wyocowboy

A customer wants to limit who can logon to certain machines to a handful of
authorized users and prevent all other users in the company from logging onto
these 3 workstations. I know that I can go into every user's profile and
limit which machine(s) a given user can logon to, but I would rather not have
to edit all those profiles, unless there is no other way.

Unfortunately, there does not seem to be any provision for doing this
through Client Computers properties. Any ideas?
 
wyocowboy said:
A customer wants to limit who can logon to certain machines to a handful of
authorized users and prevent all other users in the company from logging
onto
these 3 workstations. I know that I can go into every user's profile and
limit which machine(s) a given user can logon to, but I would rather not
have
to edit all those profiles, unless there is no other way.

Unfortunately, there does not seem to be any provision for doing this
through Client Computers properties. Any ideas?
Click to expand...

A brutal but highly effective method would be to modify your
domain logon script like so:

@echo off
find "xx%ComputerName%yy" \\YourServer\SomeShare\PCList.txt > nul
if %ErrorLevel%==0 (
find "xx%UserName%yy" \\YourServer\SomeShare\UserList.txt > nul
if %ErrorLevel% GTR 0 \\YourServer\Tools\shutdown.exe /r
)
{Remaining commands go here}

The first command checks if this is a restricted PC.
The second command checks if this is an authorised user.
The third command conditionally reboots the PC.

You need to do four things to make it happen:
- Modify the logon script.
- Compile a list of restricted PCs. Surround each name with "xx" and "yy".
- Compile a list of authorised users. Surround each name with "xx" and "yy".
- Download one of the many copies of shutdown.exe and leave it on your
server.
 
wyocowboy said:
A customer wants to limit who can logon to certain machines to a handful of
authorized users and prevent all other users in the company from logging
onto
these 3 workstations. I know that I can go into every user's profile and
limit which machine(s) a given user can logon to, but I would rather not
have
to edit all those profiles, unless there is no other way.

Unfortunately, there does not seem to be any provision for doing this
through Client Computers properties. Any ideas?
Click to expand...

Are you in a domain?

If yes then you could;

1) Create a domain group whose members are allowed to logon to these 3
workstations
2) On each of the 3 workstations open the Local Security Policy MMC snapin,
open the "Log on locally" entry under "Local Policies", "User Rights
Assignment", add the group created earlier and then deselect the "Users"
group, click OK to save changes and reboot workstations.

This will limit logons to these workstations to Administrators, Power Users,
Backup Operators and members of the group created earlier. You could
further restrict the groups allowed access but wouldn't recommend removing
Administrators.
 
Tim Jackson said:
Are you in a domain?

If yes then you could;

1) Create a domain group whose members are allowed to logon to these 3
workstations
2) On each of the 3 workstations open the Local Security Policy MMC snapin,
open the "Log on locally" entry under "Local Policies", "User Rights
Assignment", add the group created earlier and then deselect the "Users"
group, click OK to save changes and reboot workstations.

This will limit logons to these workstations to Administrators, Power Users,
Backup Operators and members of the group created earlier. You could
further restrict the groups allowed access but wouldn't recommend removing
Administrators.
Click to expand...

Yes, it is a domain, but what you suggested did not work. None of the domain
users have local accounts on these machines to start with, and when logging
onto a domain, the local policy settings are overridden by the domain policy
settings anyways. However, I try it anyways..

When I went to the "log on locally" portion of the local security snap-in, I
couldn't get through the process as described. At the time, I was logged on
as a domain admin. When I first tried to add the group, it offered me the
choice of the local machine or the 'domain.local' so I selected the domain
from the pull down. It then came back and said it could not find the
server/domain, even though I could browse the server at the time. I closed
out of it and then went back in and this time the only choice offered was the
local machine, and of course the group does not exist on the local machine.

Since the group did not exist on the local machine, it wouldn't let me add
it, so I created it locally and after creating my user locally (it insisted
on adding a user) I added it to the logon permit list and unchecked all
except administrator. At the end of all that, it still lets any domain user
logon to the domain from that machine.
 
wyocowboy2 said:
Yes, it is a domain, but what you suggested did not work. None of the
domain
users have local accounts on these machines to start with, and when
logging
onto a domain, the local policy settings are overridden by the domain
policy
settings anyways. However, I try it anyways..

When I went to the "log on locally" portion of the local security snap-in,
I
couldn't get through the process as described. At the time, I was logged
on
as a domain admin. When I first tried to add the group, it offered me the
choice of the local machine or the 'domain.local' so I selected the domain
from the pull down. It then came back and said it could not find the
server/domain, even though I could browse the server at the time. I closed
out of it and then went back in and this time the only choice offered was
the
local machine, and of course the group does not exist on the local
machine.

Since the group did not exist on the local machine, it wouldn't let me add
it, so I created it locally and after creating my user locally (it
insisted
on adding a user) I added it to the logon permit list and unchecked all
except administrator. At the end of all that, it still lets any domain
user
logon to the domain from that machine.
Click to expand...

Sounds like you are having problems talking to the domain if it says it
cannot find the server/domain. I would suggest checking that the
workstation is still a member of the domain and that your domain admin
really is an administrator account and is logging on to the domain okay.

This method does work, I have used it myself, recently.
 
Back
Top