Jim Watts
This might be a very simple question, but I think I need some advice.
We have 5000+ XP workstations in our AD. On SOME of them, we want to have
people log on with a shared account that has NO password (I know, not secure
etc, but Group Policy does configure this account to run a different shell
etc). On the rest of the systems, this account should NOT be able to log on.
I thought I could solve this simply by taking the account in question out of
the Domain Users group (and specifically allow it on the systems we do want
it to work on obviously), under the mistaken belief that only Domain Users
could log onto AD member systems. However this isn't the case, as by default
(it appears) 'Authenticated Users' is placed into the local Users group,
and the Users group has rights to log on, which means anyone who can
authenticate can log on.
So the question is, how can I allow the account to log on to some
workstations but not others?
I thought I could use a GPO to set 'Deny Logon Locally' for this account,
but sadly that overwrites any other entries in the 'Deny Logon Locally'
setting (like ASPNET, Support_xxx etc) so that's no good. I also thought
that I could change the 'Log on Locally' so that it is 'Domain Users' rather
than 'Users', but then local service accounts won't work etc.
Any suggestions gratefully received.
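The "overwrites other entries" problem described above is that a GPO (and secedit) replaces the whole user-right list rather than appending to it. The script below is an added example, not code from the original post: it exports the workstation's current "Deny log on locally" list with secedit, appends the shared account's SID to whatever is already there (ASPNET, Support_xxx and so on are preserved), and writes the merged list back. It assumes PowerShell 2.0 on the XP workstation, local administrator rights, and a placeholder account name (`CONTOSO\kiosk`) that you would replace with the real one.

```powershell
# Added example (not from the original post). Assumptions: PowerShell 2.0 on the
# workstation, run as a local administrator, and the domain account below is a
# placeholder for the real shared account.
param(
    [string]$SharedAccount = 'CONTOSO\kiosk'   # placeholder DOMAIN\account
)

# secedit stores user-right entries as *SID, so resolve the account to its SID first
$nt  = New-Object System.Security.Principal.NTAccount($SharedAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the current local security policy
$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# Pull the existing "Deny log on locally" entries (may be absent on a clean box)
$denyLine = Get-Content $export | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
$existing = @()
if ($denyLine) {
    $existing = ($denyLine -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

if ($existing -contains "*$sid") {
    Write-Host "$SharedAccount already denied local logon; entries: $($existing -join ', ')"
    Remove-Item $export -ErrorAction SilentlyContinue
    return
}

# Merge: keep every existing entry and append the shared account's SID
$merged = @($existing + "*$sid") -join ','
Write-Host "Writing merged deny list: $merged"

# Minimal security template containing only the merged user right
$inf = Join-Path $env:TEMP 'deny-merge.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $merged
"@ | Set-Content -Path $inf -Encoding Unicode

# Apply the template; /areas USER_RIGHTS limits the change to user rights only
$db = Join-Path $env:TEMP 'deny-merge.sdb'
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

Remove-Item $export, $inf, $db -ErrorAction SilentlyContinue
```

Because a GPO that defines "Deny log on locally" replaces the list again at the next policy refresh, a merge like this only holds on workstations where no GPO sets that right, or it has to run as a startup script after policy is applied, scoped to the "deny" workstations. Checking the merged result with `secedit /export` (or with the Local Security Policy console) before rolling it out to many machines confirms that the pre-existing entries survived.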