
Stopping some accounts from logging on

Archived from groups: microsoft.public.windowsxp.security_admin

This might be a very simple question, but I think I need some advice.

We have 5000+ XP workstations in our AD. On SOME of them, we want to have
people log on with a shared account that has NO password (I know, not secure
etc, but Group Policy does configure this account to run a different shell
etc). On the rest of the systems, this account should NOT be able to log on.

I thought I could solve this simply by taking the account in question out of
the Domain Users group (and specifically allow it on the systems we do want
it to work on obviously), under the mistaken belief that only Domain Users
could log onto AD member systems. However this isn't the case, as by default
(it appears) 'Authenticated Users' is placed into the local Users group,
and the Users group has rights to log on, which means anyone who can
authenticate can log on.

So the question is, how can I allow the account to log on to some
workstations but not others?

I thought I could use a GPO to set 'Deny Logon Locally' for this account,
but sadly that overwrites any other entries in the 'Deny Logon Locally'
setting (like ASPNET, Support_xxx etc) so that's no good. I also thought
that I could change the 'Log on Locally' so that it is 'Domain Users' rather
than 'Users', but then local service accounts won't work etc.

Any suggestions gratefully received.
--
Jim Watts,
Information Systems Services
University of Southampton

Archived from groups: microsoft.public.windowsxp.security_admin

This article has the tip you need:

http://www.windowsitpro.com/Articl [...] .html?Ad=1

The LOGOFF utility that it references (NT4) is already in Windows XP.

Create an empty text file in the Netlogon directory of the server with the filename <username>.<computername> (example: bobd.workstation3).

And then create/modify the domain logon script, using the example cited in the above article. It should work the same way in XP as it did in NT4. Create one file for each computer/user combination that you want allowed to log on.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/x [...] onsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Jim Watts" <j.watts@news.postalias> wrote in message news:%23agdhpDmFHA.4000@TK2MSFTNGP12.phx.gbl...
> This might be a very simple question, but I think I need some advice.
>
> We have 5000+ XP workstations in our AD. On SOME of them, we want to have
> people log on with a shared account that has NO password (I know, not secure
> etc, but Group Policy does configure this account to run a different shell
> etc). On the rest of the systems, this account should NOT be able to log on.
>
> I thought I could solve this simply by taking the account in question out of
> the Domain Users group (and specifically allow it on the systems we do want
> it to work on obviously), under the mistaken belief that only Domain Users
> could log onto AD member systems. However this isn't the case, as by default
> (it appears) 'Authenticated Users' is placed into the local Users group,
> and the Users group has rights to log on, which means anyone who can
> authenticate can log on.
>
> So the question is, how can I allow the account to log on to some
> workstations but not others?
>
> I thought I could use a GPO to set 'Deny Logon Locally' for this account,
> but sadly that overwrites any other entries in the 'Deny Logon Locally'
> setting (like ASPNET, Support_xxx etc) so that's no good. I also thought
> that I could change the 'Log on Locally' so that it is 'Domain Users' rather
> than 'Users', but then local service accounts won't work etc.
>
> Any suggestions gratefully received.
> --
> Jim Watts,
> Information Systems Services
> University of Southampton
>
>
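
A logon script implementing the marker-file check described in the reply above, as an added example (it is not from the thread or from the cited article). The account name `kiosk` is hypothetical, and the script assumes the marker files sit in the root of the logon server's NETLOGON share.

```batch
@echo off
rem Added example: marker-file logon check using the <username>.<computername>
rem naming scheme from the reply. Not the script from the cited article.
rem Assumption: the restricted shared account is named "kiosk" (hypothetical).
setlocal

set "RESTRICTED=kiosk"

rem Only the shared account is subject to the check; all other users continue.
if /i not "%USERNAME%"=="%RESTRICTED%" goto :allowed

rem %LOGONSERVER% already carries the leading \\ (for example \\DC01).
set "MARKER=%LOGONSERVER%\NETLOGON\%USERNAME%.%COMPUTERNAME%"

rem Fail closed: a missing marker or an unreachable share both end the session.
if exist "%MARKER%" goto :allowed

rem LOGOFF with no arguments ends the current session.
logoff
goto :eof

:allowed
endlocal
rem ... remainder of the normal domain logon script goes here ...
```

The check runs only after the session has been created, so it depends on the logon script actually executing for the account; the quoted comparison and the `if exist` test make a missing or unreadable marker end the session rather than allow it.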
