How to prevent users from logging on to the local machine?

Archived from groups: microsoft.public.win2000.active_directory

I set up an Active Directory environment in my network. I prefer network
users to log on to their machines with domain credentials rather than local
machines' credentials. What can I do to achieve this goal?
  1.

    The simple way to do this is to only have one active local account, the
    local administrator. If none of your users know the password to this account
    they will be unable to log on locally.

    "John Park" <jnpk@vip.163.com> wrote in message
    news:OVOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
    >I set up an active directory environment in my network. I prefer network
    >users to logon their machines with domain credentials rather than local
    >machines' credentials. What can I do to achieve this goal.
    >
  2.

    "John Park" <jnpk@vip.163.com> wrote in message
    news:OVOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
    > I set up an active directory environment in my network. I prefer network
    > users to logon their machines with domain credentials rather than local
    > machines' credentials. What can I do to achieve this goal.

    As Simon said, give them a Domain account only.

    Then they have no choice.

    Also, do not make their Domain account an Admin
    or even a Power User so they cannot create other
    accounts on their machine (or just educate them if
    you trust them to be admins.)

    --
    Herb Martin


  3.

    I am not sure you have explained or maybe I am reading into it.
    A user can log onto a machine with cached credentials, this happens when
    there is no domain controller, like people who use laptops. The same
    permissions will apply as they have when they logon when the domain
    controller can be contacted.
    Other than that keep the accounts on the local machine password protected
    and don't let them have it.
    If you are talking about keeping users off the system even when the dc is
    not able to be contacted, I first ask why? Then would say to look up the reg
    keys that can prevent cached logons.

    --
    BRIAN EDWARDO
    "John Park" <jnpk@vip.163.com> wrote in message
    news:OVOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
    >I set up an active directory environment in my network. I prefer network
    >users to logon their machines with domain credentials rather than local
    >machines' credentials. What can I do to achieve this goal.
    >
  4.

    "BCE" <dirwolf@speakeasy.net> wrote in message
    news:ODTgLPQ$EHA.3120@TK2MSFTNGP12.phx.gbl...
    > I am not sure you have explained or maybe I am reading into it.
    > A user can log onto a machine with cached credentials, this happens when
    > there is no domain controller, like people who use laptops. The same
    > permissions will apply as they have when they logon when the domain
    > controller can be contacted.

    Same permissions OR LESS. Access to domain
    resources may not be available.

    But cached credentials can also be disabled if that
    is part of the question.

    > Other than that keep the accounts on the local machine password protected
    > and don't let them have it.
    > If you are talking about keeping users off the system even when the dc is
    > not able to be contacted, I first ask why? Then would say to look up the reg
    > keys that can prevent cached logons.
    >


    --
    Herb Martin


    > --
    > BRIAN EDWARDO
    > "John Park" <jnpk@vip.163.com> wrote in message
    > news:OVOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
    > >I set up an active directory environment in my network. I prefer network
    > >users to logon their machines with domain credentials rather than local
    > >machines' credentials. What can I do to achieve this goal.
    > >
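The cached-logon setting that Brian and Herb refer to is the Winlogon value CachedLogonsCount. Here is an added example (not code from the thread or from any of its posters) that reads the value on the machine it runs on, explains what it means, and can set it to zero. It assumes an elevated PowerShell session on a domain-joined Windows machine; the key path and value name are the documented Winlogon setting, which is stored as a string (REG_SZ) with a default of 10.

```powershell
# Added example: audit and optionally disable cached domain logons.
# Assumes an elevated session; the path and value name are the documented
# Winlogon setting. Value is REG_SZ; absent means the built-in default of 10.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # value not present: Windows uses 10
    return [int]$item.$ValueName
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # Write the number back as a string, because the value type is REG_SZ.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
"{0}: CachedLogonsCount = {1}" -f $env:COMPUTERNAME, $current
if ($current -gt 0) {
    "Cached domain logons are enabled: a user who has signed in before can still"
    "sign in with the domain account when no domain controller is reachable"
    "(the laptop case Brian describes). Domain resources may still be unavailable."
} else {
    "Cached domain logons are disabled: domain accounts cannot sign in without a DC."
}

# Uncomment to disable caching. Only do this on machines that always reach a DC;
# on a laptop it means no sign-in at all while away from the network.
# Set-CachedLogonsCount -Count 0
```

Setting the count to 0 answers the "keep users off the system when the DC cannot be contacted" variant of the question; it does nothing about local accounts, which never depend on a DC, so it is a complement to the local-account advice above, not a replacement for it.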
  5.

    On Mon, 17 Jan 2005 21:55:36 +0800, "John Park" <jnpk@vip.163.com>
    wrote:

    >I set up an active directory environment in my network. I prefer network
    >users to logon their machines with domain credentials rather than local
    >machines' credentials. What can I do to achieve this goal.
    >

    If the users don't have accounts on the local machine, then they
    won't be able to log in locally anyway. If, by some chance, users
    happen to have administrators rights to the computer, you need to get
    rid of that on the local computer because you can give them rights on
    the domain without locally admin rights.
    Also, you can edit or create a policy for the users. Then, go to
    the Computer Configuration section, then the Security section, then
    Local Policies, and then User Rights Assignment. There, you will see
    a policy for 'Deny Logon Locally'. You can use that to deny groups or
    users that you don't want to log on locally. I hope this helps.
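Before applying "Deny log on locally", it is worth checking what a given workstation actually looks like. The following added example (not from the thread) audits one machine for the three things the answers above care about: enabled local accounts other than the built-in Administrator, members of the local Administrators group that are not on an allow-list, and the current holders of the allow and deny interactive-logon rights. It assumes an elevated PowerShell session with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and uses `CORP` as a placeholder NetBIOS domain name.

```powershell
# Added example: audit a workstation for stray local accounts, unexpected local
# admins, and the interactive-logon user rights. Assumes an elevated session and
# the LocalAccounts module; 'CORP' is a placeholder domain name.
$DomainName = 'CORP'

function Get-StrayLocalAccounts {
    # Every enabled local account except the built-in Administrator (RID 500).
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.SID.Value.EndsWith('-500') }
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = @("$DomainName\Domain Admins"))
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        # Keep the built-in Administrator; flag anything not on the allow-list.
        -not $_.SID.Value.EndsWith('-500') -and ($Allowed -notcontains $_.Name)
    }
}

function Resolve-SidLabel {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-...; translate to an account name when possible.
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return "$Entry ($($sid.Translate([System.Security.Principal.NTAccount]).Value))"
    } catch { return "$Entry (unresolved)" }
}

function Get-UserRightsAssignment {
    # secedit exports the local policy as an INF; [Privilege Rights] maps each
    # right to a comma-separated list of SIDs or names.
    $inf = Join-Path $env:TEMP 'rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Resolve-SidLabel $_.Trim() })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

'== Enabled local accounts other than the built-in Administrator =='
Get-StrayLocalAccounts | Format-Table Name, SID, LastLogon -AutoSize

'== Local Administrators members not on the allow-list =='
Get-UnexpectedLocalAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

$rights = Get-UserRightsAssignment
'== Deny log on locally (SeDenyInteractiveLogonRight) =='
$rights['SeDenyInteractiveLogonRight']
'== Allow log on locally (SeInteractiveLogonRight) =='
$rights['SeInteractiveLogonRight']
```

The right names matter when you move from GPMC to a script: "Deny log on locally" is SeDenyInteractiveLogonRight and "Allow log on locally" is SeInteractiveLogonRight. Deny always wins over allow, so a deny entry for a group that contains the local admin account locks that account out of the console too.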
  6.

    John,

    Just a little late....

    Anyway, there are several suggestions to your question that will do the
    trick. This is what I would do:

    1) make sure that all of your computer account objects are in an
    Organizational Unit ( OU ) and not in the default COMPUTERS Container

    2) create a GPO that makes use of the Restricted Groups GPO. Essentially,
    what this does is makes sure that there will be only one group - or however
    many that you, as the Sys Admin, specify - that will be a member of the
    computer's local Administrators group and that no one else will be able to
    randomly add his or her local or domain user account to that group......just
    be careful when you do this as most people new to this will forget to
    include the Domain Admins security group....

    2a) by default, the computer has three local groups of interest: the Users group, the
    Power Users group and the Administrators group. By default, the Domain
    Users domain security group is a member of the computers local Users
    group....this is a good thing. So, if you are running WIN2000 Pro and / or
    WinXP Pro then the domain security group Domain Users will be a member of
    the local Users group on each and every WIN2000 Pro and WinXP Pro system.
    This should be all that you need. Know that the user needs to be a member
    of the Power Users local group - at least - to add printers......

    3) Create a GPO and link it to the OU that contains the Computer Account
    Objects that accomplishes the 'deny local logon'.

    This would pretty much lock things down for you. If you really want to
    lock down the environment ( remove "Start | Run", not allow access to the
    Display Properties, etc. ) then you might want to look at the 'How to lock
    down a Terminal Server' MSKB Article. While it is for a Terminal Server
    environment, you use the exact same procedure for workstations ( after all,
    isn't a Terminal Server, in essence, nothing more than a big fat
    workstation? )....you would just have all of the computer account objects in
    that OU ( which you already do according to my 'plan' ) instead of the one
    ( the server on which you are running TS ). Also, you are using Loopback -
    probably in replace mode.

    HTH,


    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "John Park" <jnpk@vip.163.com> wrote in message
    news:OVOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
    >I set up an active directory environment in my network. I prefer network
    >users to logon their machines with domain credentials rather than local
    >machines' credentials. What can I do to achieve this goal.
    >
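Cary's three steps can be scripted from a management workstation. The following added example (not code from the thread or from Cary's sites) moves workstation objects out of the default Computers container into an OU, creates and links a GPO to that OU, and writes a security template containing the Restricted Groups entry for the local Administrators group and the "Deny log on locally" right. It assumes the RSAT ActiveDirectory and GroupPolicy modules, Domain Admin rights, a domain functional level that supports redircmp (2003 or later), and the placeholder names "Workstations" (OU), "Workstation Lockdown" (GPO) and "Deny Workstation Logon" (a global group you populate with accounts that must never sign in at a console). The GroupPolicy cmdlets cannot write Security Settings, so the template is imported into the GPO by hand in GPMC (Computer Configuration, Windows Settings, Security Settings, right-click, Import Policy...).

```powershell
# Added example: OU, linked GPO, and a security template for Restricted Groups plus
# "Deny log on locally". Assumes RSAT modules, Domain Admin rights, and placeholder
# names for the OU, GPO and deny group.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$OuName   = 'Workstations'
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'Workstation Lockdown'

# 1) Computer objects belong in an OU; GPOs cannot be linked to the Computers container.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
# Move only non-server machines; servers in the container need their own OU.
Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' -Properties OperatingSystem `
    -SearchBase $Domain.ComputersContainer -SearchScope OneLevel |
    Move-ADObject -TargetPath $OuDN
# Future domain joins land in the OU instead of CN=Computers.
redircmp $OuDN | Out-Null

# 2) GPO created and linked to the OU (idempotent).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null }

# 3) Security template. Restricted Groups replaces the membership of BUILTIN\Administrators
#    with exactly the listed SIDs, so Domain Admins must be on the list (Cary's warning);
#    the built-in local Administrator (RID 500) cannot be removed and stays regardless.
$domainAdminsSid = (Get-ADGroup 'Domain Admins').SID.Value
$denyGroup = Get-ADGroup -Filter "Name -eq 'Deny Workstation Logon'" -ErrorAction SilentlyContinue
if (-not $denyGroup) {
    $denyGroup = New-ADGroup -Name 'Deny Workstation Logon' -GroupScope Global -Path $DomainDN -PassThru
}
$localAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*${localAdminsSid}__Memberof =
*${localAdminsSid}__Members = *$domainAdminsSid
[Privilege Rights]
SeDenyInteractiveLogonRight = *$($denyGroup.SID.Value)
"@
$templatePath = Join-Path $env:TEMP 'workstation-lockdown.inf'
Set-Content -Path $templatePath -Value $template -Encoding Unicode
"Template written to $templatePath; import it into GPO '$GpoName' via Security Settings > Import Policy."
```

Two cautions follow directly from Cary's point 2a: do not put BUILTIN\Users (S-1-5-32-545) or Domain Users in the deny list, because Domain Users is a member of the local Users group on every workstation and you would lock out everybody; and remember that the deny group is empty until you add accounts to it, so importing the template has no logon effect by itself.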