Deny local logon but allow share connection

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I've got a Windows XP Professional (SP2) domain workstation, and have
sole control of the administrator accounts on it. In performing certain
domain administrative functions I like to share out a hard drive for
others on the domain to write to.

However, I work with a bunch of people who like to screw up computers
that they don't own, and I want to prevent them from logging on. When I
set the following policy:

Computer Configuration\Windows Settings\Security Settings\
Local Policies\User Rights Assignment\Log on locally

to allow only my accounts to log into the computer, it also prevents
access to the network share by everyone else.

Is there a way to allow accounts to connect to a share on the computer,
without actually being able to log into the computer when they sit in
front of it, short of leaving it logged in and locked all the time?

David
Stardate 5189.9

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Try using the "Deny logon locally" instead.

Matt Gibson - GSEC

"David Trimboli" <trimboli@cshl.edu> wrote in message
news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
> I've got a Windows XP Professional (SP2) domain workstation, and have sole
> control of the administrator accounts on it. In performing certain domain
> administrative functions I like to share out a hard drive for others on
> the domain to write to.
>
> However, I work with a bunch of people who like to screw up computers that
> they don't own, and I want to prevent them from logging on. When I set the
> following policy:
>
> Computer Configuration\Windows Settings\Security Settings\
> Local Policies\User Rights Assignment\Log on locally
>
> to allow only my accounts to log into the computer, it also prevents
> access to the network share by everyone else.
>
> Is there a way to allow accounts to connect to a share on the computer,
> without actually being able to log into the computer when they sit in
> front of it, short of leaving it logged in and locked all the time?
>
> David
> Stardate 5189.9

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

But to use "deny logon locally," I'd need to create an explicit list of
users to deny. There is no way to deny "everyone except me," and I don't
want to put in a thousand different account names.

I also can't set Everyone in "deny logon locally," and then set my
accounts in "log on locally," because the deny setting overrules the
allow setting.

David
Stardate 5190.6

Matt Gibson wrote:
> Try using the "Deny logon locally" instead.
>
> Matt Gibson - GSEC
>
> "David Trimboli" <trimboli@cshl.edu> wrote in message
> news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
>
>>I've got a Windows XP Professional (SP2) domain workstation, and have sole
>>control of the administrator accounts on it. In performing certain domain
>>administrative functions I like to share out a hard drive for others on
>>the domain to write to.
>>
>>However, I work with a bunch of people who like to screw up computers that
>>they don't own, and I want to prevent them from logging on. When I set the
>>following policy:
>>
>>Computer Configuration\Windows Settings\Security Settings\
>>Local Policies\User Rights Assignment\Log on locally
>>
>>to allow only my accounts to log into the computer, it also prevents
>>access to the network share by everyone else.
>>
>>Is there a way to allow accounts to connect to a share on the computer,
>>without actually being able to log into the computer when they sit in
>>front of it, short of leaving it logged in and locked all the time?
>>
>>David
>>Stardate 5189.9
>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

It depends on what's easier to do, type in all the users that ARE allowed to
login under "login locally", or just put the ones that can't into "deny
local login"

Matt Gibson - GSEC

"David Trimboli" <trimboli@cshl.edu> wrote in message
news:uuDRRjbJFHA.2628@tk2msftngp13.phx.gbl...
> But to use "deny logon locally," I'd need to create an explicit list of
> users to deny. There is no way to deny "everyone except me," and I don't
> want to put in a thousand different account names.
>
> I also can't set Everyone in "deny logon locally," and then set my
> accounts in "log on locally," because the deny setting overrules the allow
> setting.
>
> David
> Stardate 5190.6
>
> Matt Gibson wrote:
>> Try using the "Deny logon locally" instead.
>>
>> Matt Gibson - GSEC
>>
>> "David Trimboli" <trimboli@cshl.edu> wrote in message
>> news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
>>
>>>I've got a Windows XP Professional (SP2) domain workstation, and have
>>>sole control of the administrator accounts on it. In performing certain
>>>domain administrative functions I like to share out a hard drive for
>>>others on the domain to write to.
>>>
>>>However, I work with a bunch of people who like to screw up computers
>>>that they don't own, and I want to prevent them from logging on. When I
>>>set the following policy:
>>>
>>>Computer Configuration\Windows Settings\Security Settings\
>>>Local Policies\User Rights Assignment\Log on locally
>>>
>>>to allow only my accounts to log into the computer, it also prevents
>>>access to the network share by everyone else.
>>>
>>>Is there a way to allow accounts to connect to a share on the computer,
>>>without actually being able to log into the computer when they sit in
>>>front of it, short of leaving it logged in and locked all the time?
>>>
>>>David
>>>Stardate 5189.9
>>
>>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Yes, but as per my original question, how can I permit connections to
shares without allowing logging into the desktop?

David
Stardate 5192.6


Matt Gibson wrote:
> It depends on what's easier to do, type in all the users that ARE allowed to
> login under "login locally", or just put the ones that can't into "deny
> local login"
>
> Matt Gibson - GSEC
>
> "David Trimboli" <trimboli@cshl.edu> wrote in message
> news:uuDRRjbJFHA.2628@tk2msftngp13.phx.gbl...
>
>>But to use "deny logon locally," I'd need to create an explicit list of
>>users to deny. There is no way to deny "everyone except me," and I don't
>>want to put in a thousand different account names.
>>
>>I also can't set Everyone in "deny logon locally," and then set my
>>accounts in "log on locally," because the deny setting overrules the allow
>>setting.
>>
>>David
>>Stardate 5190.6
>>
>>Matt Gibson wrote:
>>
>>>Try using the "Deny logon locally" instead.
>>>
>>>Matt Gibson - GSEC
>>>
>>>"David Trimboli" <trimboli@cshl.edu> wrote in message
>>>news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
>>>
>>>
>>>>I've got a Windows XP Professional (SP2) domain workstation, and have
>>>>sole control of the administrator accounts on it. In performing certain
>>>>domain administrative functions I like to share out a hard drive for
>>>>others on the domain to write to.
>>>>
>>>>However, I work with a bunch of people who like to screw up computers
>>>>that they don't own, and I want to prevent them from logging on. When I
>>>>set the following policy:
>>>>
>>>>Computer Configuration\Windows Settings\Security Settings\
>>>>Local Policies\User Rights Assignment\Log on locally
>>>>
>>>>to allow only my accounts to log into the computer, it also prevents
>>>>access to the network share by everyone else.
>>>>
>>>>Is there a way to allow accounts to connect to a share on the computer,
>>>>without actually being able to log into the computer when they sit in
>>>>front of it, short of leaving it logged in and locked all the time?
>>>>
>>>>David
>>>>Stardate 5189.9
>>>
>>>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Deny login locally, or Login Locally.

You'll have to either do one or the other.

Matt Gibson - GSEC

"David Trimboli" <trimboli@cshl.edu> wrote in message
news:uxc45gkJFHA.2136@TK2MSFTNGP14.phx.gbl...
> Yes, but as per my original question, how can I permit connections to
> shares without allowing logging into the desktop?
>
> David
> Stardate 5192.6
>
>
> Matt Gibson wrote:
>> It depends on what's easier to do, type in all the users that ARE allowed
>> to login under "login locally", or just put the ones that can't into
>> "deny local login"
>>
>> Matt Gibson - GSEC
>>
>> "David Trimboli" <trimboli@cshl.edu> wrote in message
>> news:uuDRRjbJFHA.2628@tk2msftngp13.phx.gbl...
>>
>>>But to use "deny logon locally," I'd need to create an explicit list of
>>>users to deny. There is no way to deny "everyone except me," and I don't
>>>want to put in a thousand different account names.
>>>
>>>I also can't set Everyone in "deny logon locally," and then set my
>>>accounts in "log on locally," because the deny setting overrules the
>>>allow setting.
>>>
>>>David
>>>Stardate 5190.6
>>>
>>>Matt Gibson wrote:
>>>
>>>>Try using the "Deny logon locally" instead.
>>>>
>>>>Matt Gibson - GSEC
>>>>
>>>>"David Trimboli" <trimboli@cshl.edu> wrote in message
>>>>news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
>>>>
>>>>
>>>>>I've got a Windows XP Professional (SP2) domain workstation, and have
>>>>>sole control of the administrator accounts on it. In performing certain
>>>>>domain administrative functions I like to share out a hard drive for
>>>>>others on the domain to write to.
>>>>>
>>>>>However, I work with a bunch of people who like to screw up computers
>>>>>that they don't own, and I want to prevent them from logging on. When I
>>>>>set the following policy:
>>>>>
>>>>>Computer Configuration\Windows Settings\Security Settings\
>>>>>Local Policies\User Rights Assignment\Log on locally
>>>>>
>>>>>to allow only my accounts to log into the computer, it also prevents
>>>>>access to the network share by everyone else.
>>>>>
>>>>>Is there a way to allow accounts to connect to a share on the computer,
>>>>>without actually being able to log into the computer when they sit in
>>>>>front of it, short of leaving it logged in and locked all the time?
>>>>>
>>>>>David
>>>>>Stardate 5189.9
>>>>
>>>>
>>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Just a thought...

Why not make a new group, and add everyone to that...then add that group to
the deny or allow, rather than all the users.

Matt Gibson - GSEC

"Matt Gibson" <mattg@blueedgetech.ca> wrote in message
news:%23iJe3jmJFHA.656@TK2MSFTNGP14.phx.gbl...
> Deny login locally, or Login Locally.
>
> You'll have to either do one or the other.
>
> Matt Gibson - GSEC
>
> "David Trimboli" <trimboli@cshl.edu> wrote in message
> news:uxc45gkJFHA.2136@TK2MSFTNGP14.phx.gbl...
>> Yes, but as per my original question, how can I permit connections to
>> shares without allowing logging into the desktop?
>>
>> David
>> Stardate 5192.6
>>
>>
>> Matt Gibson wrote:
>>> It depends on what's easier to do, type in all the users that ARE
>>> allowed to login under "login locally", or just put the ones that can't
>>> into "deny local login"
>>>
>>> Matt Gibson - GSEC
>>>
>>> "David Trimboli" <trimboli@cshl.edu> wrote in message
>>> news:uuDRRjbJFHA.2628@tk2msftngp13.phx.gbl...
>>>
>>>>But to use "deny logon locally," I'd need to create an explicit list of
>>>>users to deny. There is no way to deny "everyone except me," and I don't
>>>>want to put in a thousand different account names.
>>>>
>>>>I also can't set Everyone in "deny logon locally," and then set my
>>>>accounts in "log on locally," because the deny setting overrules the
>>>>allow setting.
>>>>
>>>>David
>>>>Stardate 5190.6
>>>>
>>>>Matt Gibson wrote:
>>>>
>>>>>Try using the "Deny logon locally" instead.
>>>>>
>>>>>Matt Gibson - GSEC
>>>>>
>>>>>"David Trimboli" <trimboli@cshl.edu> wrote in message
>>>>>news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
>>>>>
>>>>>
>>>>>>I've got a Windows XP Professional (SP2) domain workstation, and have
>>>>>>sole control of the administrator accounts on it. In performing
>>>>>>certain domain administrative functions I like to share out a hard
>>>>>>drive for others on the domain to write to.
>>>>>>
>>>>>>However, I work with a bunch of people who like to screw up computers
>>>>>>that they don't own, and I want to prevent them from logging on. When
>>>>>>I set the following policy:
>>>>>>
>>>>>>Computer Configuration\Windows Settings\Security Settings\
>>>>>>Local Policies\User Rights Assignment\Log on locally
>>>>>>
>>>>>>to allow only my accounts to log into the computer, it also prevents
>>>>>>access to the network share by everyone else.
>>>>>>
>>>>>>Is there a way to allow accounts to connect to a share on the
>>>>>>computer, without actually being able to log into the computer when
>>>>>>they sit in front of it, short of leaving it logged in and locked all
>>>>>>the time?
>>>>>>
>>>>>>David
>>>>>>Stardate 5189.9
>>>>>
>>>>>
>>>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In other words, the answer is, no, you have to allow people to log into
the desktop if you want them to be able to log into a share?

David
Stardate 5193.2


Matt Gibson wrote:
> Deny login locally, or Login Locally.
>
> You'll have to either do one or the other.
>
> Matt Gibson - GSEC
>
> "David Trimboli" <trimboli@cshl.edu> wrote in message
> news:uxc45gkJFHA.2136@TK2MSFTNGP14.phx.gbl...
>
>>Yes, but as per my original question, how can I permit connections to
>>shares without allowing logging into the desktop?
>>
>>David
>>Stardate 5192.6
>>
>>
>>Matt Gibson wrote:
>>
>>>It depends on what's easier to do, type in all the users that ARE allowed
>>>to login under "login locally", or just put the ones that can't into
>>>"deny local login"
>>>
>>>Matt Gibson - GSEC
>>>
>>>"David Trimboli" <trimboli@cshl.edu> wrote in message
>>>news:uuDRRjbJFHA.2628@tk2msftngp13.phx.gbl...
>>>
>>>
>>>>But to use "deny logon locally," I'd need to create an explicit list of
>>>>users to deny. There is no way to deny "everyone except me," and I don't
>>>>want to put in a thousand different account names.
>>>>
>>>>I also can't set Everyone in "deny logon locally," and then set my
>>>>accounts in "log on locally," because the deny setting overrules the
>>>>allow setting.
>>>>
>>>>David
>>>>Stardate 5190.6
>>>>
>>>>Matt Gibson wrote:
>>>>
>>>>
>>>>>Try using the "Deny logon locally" instead.
>>>>>
>>>>>Matt Gibson - GSEC
>>>>>
>>>>>"David Trimboli" <trimboli@cshl.edu> wrote in message
>>>>>news:ulsaALYJFHA.2852@TK2MSFTNGP09.phx.gbl...
>>>>>
>>>>>
>>>>>
>>>>>>I've got a Windows XP Professional (SP2) domain workstation, and have
>>>>>>sole control of the administrator accounts on it. In performing certain
>>>>>>domain administrative functions I like to share out a hard drive for
>>>>>>others on the domain to write to.
>>>>>>
>>>>>>However, I work with a bunch of people who like to screw up computers
>>>>>>that they don't own, and I want to prevent them from logging on. When I
>>>>>>set the following policy:
>>>>>>
>>>>>>Computer Configuration\Windows Settings\Security Settings\
>>>>>>Local Policies\User Rights Assignment\Log on locally
>>>>>>
>>>>>>to allow only my accounts to log into the computer, it also prevents
>>>>>>access to the network share by everyone else.
>>>>>>
>>>>>>Is there a way to allow accounts to connect to a share on the computer,
>>>>>>without actually being able to log into the computer when they sit in
>>>>>>front of it, short of leaving it logged in and locked all the time?
>>>>>>
>>>>>>David
>>>>>>Stardate 5189.9
>>>>>
>>>>>
>
>