How to prevent users from logging on the local machine?
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.active_directory (More info?)
I set up an active directory environment in my network. I prefer network
users to logon their machines with domain credentials rather than local
machines' credentials. What can I do to achieve this goal.
I set up an active directory environment in my network. I prefer network
users to logon their machines with domain credentials rather than local
machines' credentials. What can I do to achieve this goal.
More about : prevent users logging local machine
Archived from groups: microsoft.public.win2000.active_directory (More info?)
The simple way to do this is to only have one active local account, the
local administrator. If none of your users know the password to this account
they will be unable to log on locally.
"John Park" <jnpk@vip.163.com> wrote in message
news![:o]( ":o")
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
The simple way to do this is to only have one active local account, the
local administrator. If none of your users know the password to this account
they will be unable to log on locally.
"John Park" <jnpk@vip.163.com> wrote in message
news
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
"John Park" <jnpk@vip.163.com> wrote in message
news![:o]( ":o")
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
> I set up an active directory environment in my network. I prefer network
> users to logon their machines with domain credentials rather than local
> machines' credentials. What can I do to achieve this goal.
As Simon said, give them a Domain account only.
Then they have no choice.
Also, do not make their Domain account an Admin
or even a Power User so they cannot create other
accounts on their machien (or just educate them if
you trust them to be admins.)
--
Herb Martin
>
>
"John Park" <jnpk@vip.163.com> wrote in message
news
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...> I set up an active directory environment in my network. I prefer network
> users to logon their machines with domain credentials rather than local
> machines' credentials. What can I do to achieve this goal.
As Simon said, give them a Domain account only.
Then they have no choice.
Also, do not make their Domain account an Admin
or even a Power User so they cannot create other
accounts on their machien (or just educate them if
you trust them to be admins.)
--
Herb Martin
>
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
I am not sure you have explained or maybe I am reading into it.
A user can log onto a machine with cached credentials, this happens when
there is no domain controller, like people who use laptops. The same
permissions will apply as they have when they logon when the domain
controller can be contacted.
Other than that keep the accounts on the local machine password protected
and don't let them have it.
If you are talking about keeping users off the system even when the dc is
not able to be contacted, I first ask why? Then would say to look up the reg
keys that can prevent cached logons.
--
BRIAN EDWARDO
"John Park" <jnpk@vip.163.com> wrote in message
news![:o]( ":o")
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
I am not sure you have explained or maybe I am reading into it.
A user can log onto a machine with cached credentials, this happens when
there is no domain controller, like people who use laptops. The same
permissions will apply as they have when they logon when the domain
controller can be contacted.
Other than that keep the accounts on the local machine password protected
and don't let them have it.
If you are talking about keeping users off the system even when the dc is
not able to be contacted, I first ask why? Then would say to look up the reg
keys that can prevent cached logons.
--
BRIAN EDWARDO
"John Park" <jnpk@vip.163.com> wrote in message
news
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
Related ressources
- How to prevent users from accessing windows xp local account - Forum
- How to prevent ownership change by users with admin rights? - Forum
- prevent users from saving to local profile - Forum
- Unable to log into Win2K, local users prohibited, deleted .. - Forum
- Cant logon to local machine (this computer) as administrator - Forum
Archived from groups: microsoft.public.win2000.active_directory (More info?)
"BCE" <dirwolf@speakeasy.net> wrote in message
news![:o]( ":o")
DTgLPQ$EHA.3120@TK2MSFTNGP12.phx.gbl...
> I am not sure you have explained or maybe I am reading into it.
> A user can log onto a machine with cached credentials, this happens when
> there is no domain controller, like people who use laptops. The same
> permissions will apply as they have when they logon when the domain
> controller can be contacted.
Same permissions OR LESS. Access to domain
resources may not be available.
But cached credentials can also be disabled if that
is part of the question.
> Other than that keep the accounts on the local machine password protected
> and don't let them have it.
> If you are talking about keeping users off the system even when the dc is
> not able to be contacted, I first ask why? Then would say to look up the
reg
> keys that can prevent cached logons.
>
--
Herb Martin
> --
> BRIAN EDWARDO
> "John Park" <jnpk@vip.163.com> wrote in message
> news![:o]( ":o")
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
> >I set up an active directory environment in my network. I prefer network
> >users to logon their machines with domain credentials rather than local
> >machines' credentials. What can I do to achieve this goal.
> >
>
>
"BCE" <dirwolf@speakeasy.net> wrote in message
news
DTgLPQ$EHA.3120@TK2MSFTNGP12.phx.gbl...> I am not sure you have explained or maybe I am reading into it.
> A user can log onto a machine with cached credentials, this happens when
> there is no domain controller, like people who use laptops. The same
> permissions will apply as they have when they logon when the domain
> controller can be contacted.
Same permissions OR LESS. Access to domain
resources may not be available.
But cached credentials can also be disabled if that
is part of the question.
> Other than that keep the accounts on the local machine password protected
> and don't let them have it.
> If you are talking about keeping users off the system even when the dc is
> not able to be contacted, I first ask why? Then would say to look up the
reg
> keys that can prevent cached logons.
>
--
Herb Martin
> --
> BRIAN EDWARDO
> "John Park" <jnpk@vip.163.com> wrote in message
> news
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...> >I set up an active directory environment in my network. I prefer network
> >users to logon their machines with domain credentials rather than local
> >machines' credentials. What can I do to achieve this goal.
> >
>
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
On Mon, 17 Jan 2005 21:55:36 +0800, "John Park" <jnpk@vip.163.com>
wrote:
>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
If the users don't have accounts on the local machine, then they
won't be able to log in locally anyway. If, by some chance, users
happen to have administrators rights to the computer, you need to get
rid of that on the local computer because you can give them rights on
the domain without locally admin rights.
Also, you can edit or create a policy for the users. Then, go to
the Computer Configuration section, then the Security section, then
Local Policies, and then User Rights Assignment. There, you will see
a policy for 'Deny Logon Locally'. You can use that to deny groups or
users that you don't want to log on locally. I hope this helps.
On Mon, 17 Jan 2005 21:55:36 +0800, "John Park" <jnpk@vip.163.com>
wrote:
>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
If the users don't have accounts on the local machine, then they
won't be able to log in locally anyway. If, by some chance, users
happen to have administrators rights to the computer, you need to get
rid of that on the local computer because you can give them rights on
the domain without locally admin rights.
Also, you can edit or create a policy for the users. Then, go to
the Computer Configuration section, then the Security section, then
Local Policies, and then User Rights Assignment. There, you will see
a policy for 'Deny Logon Locally'. You can use that to deny groups or
users that you don't want to log on locally. I hope this helps.
Archived from groups: microsoft.public.win2000.active_directory (More info?)
John,
Just a little late....
Anyway, there are several suggestions to your question that will do the
trick. This is what I would do:
1) make sure that all of your computer account objects are in an
Organizational Unit ( OU ) and not in the default COMPUTERS Container
2) create a GPO that makes use of the Restricted Groups GPO. Essentially,
what this does is makes sure that there will be only one group - or however
many that you, as the Sys Admin, specify - that will be a member of the
computer's local Administrators group and that no one else will be able to
randomly add his or her local or domain user account to that group......just
be careful when you do this as most people new to this will forget to
include the Domain Admins security group....
2a) by default, the has three local groups of interest: the Users group, the
Power Users group and the Administrators group. By default, the Domain
Users domain security group is a member of the computers local Users
group....this is a good thing. So, if you are running WIN2000 Pro and / or
WinXP Pro then the domain security group Domain Users will be a member of
the local Users group on each and every WIN2000 Pro and WinXP Pro system.
This should be all that you need. Know that the user needs to be a member
of the Power Users local group - at least - to add printers......
3) Create a GPO and link it to the OU that contains the Computer Account
Objects that accomplishes the 'deny local logon'.
This would pretty much lock things down for you. If you really want to
lock down the environment ( remove "Start | Run", not allow access to the
Display Properties, etc. ) then you might want to look at the 'How to lock
down a Terminal Server' MSKB Article. While it is for a Terminal Server
environment, you use the exact same procedure for workstations ( afterall,
isn't a Terminal Server, in essence, nothing more than a big fat
workstation? )....you would just have all of the computer account objects in
that OU ( which you already do according to my 'plan' ) instead of the one
( the server on which you are running TS ). Also, you are using Loopback -
probably in replace mode.
HTH,
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"John Park" <jnpk@vip.163.com> wrote in message
news![:o]( ":o")
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...
>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
John,
Just a little late....
Anyway, there are several suggestions to your question that will do the
trick. This is what I would do:
1) make sure that all of your computer account objects are in an
Organizational Unit ( OU ) and not in the default COMPUTERS Container
2) create a GPO that makes use of the Restricted Groups GPO. Essentially,
what this does is makes sure that there will be only one group - or however
many that you, as the Sys Admin, specify - that will be a member of the
computer's local Administrators group and that no one else will be able to
randomly add his or her local or domain user account to that group......just
be careful when you do this as most people new to this will forget to
include the Domain Admins security group....
2a) by default, the has three local groups of interest: the Users group, the
Power Users group and the Administrators group. By default, the Domain
Users domain security group is a member of the computers local Users
group....this is a good thing. So, if you are running WIN2000 Pro and / or
WinXP Pro then the domain security group Domain Users will be a member of
the local Users group on each and every WIN2000 Pro and WinXP Pro system.
This should be all that you need. Know that the user needs to be a member
of the Power Users local group - at least - to add printers......
3) Create a GPO and link it to the OU that contains the Computer Account
Objects that accomplishes the 'deny local logon'.
This would pretty much lock things down for you. If you really want to
lock down the environment ( remove "Start | Run", not allow access to the
Display Properties, etc. ) then you might want to look at the 'How to lock
down a Terminal Server' MSKB Article. While it is for a Terminal Server
environment, you use the exact same procedure for workstations ( afterall,
isn't a Terminal Server, in essence, nothing more than a big fat
workstation? )....you would just have all of the computer account objects in
that OU ( which you already do according to my 'plan' ) instead of the one
( the server on which you are running TS ). Also, you are using Loopback -
probably in replace mode.
HTH,
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"John Park" <jnpk@vip.163.com> wrote in message
news
VOa6wJ$EHA.3372@TK2MSFTNGP10.phx.gbl...>I set up an active directory environment in my network. I prefer network
>users to logon their machines with domain credentials rather than local
>machines' credentials. What can I do to achieve this goal.
>
Related ressources:
- ForumHow can I prevent from a user to remove a machine from the..
- ForumHow can I prevent a TS user from TS or RDP to another serv..
- Forumprevent local administrator from logging in through Termin..
- ForumBlock users from logging onto certain machines
- ForumHow to reset local policy settings without logging on the machine
- ForumPrevent user to install software
- ForumPrevent login
- ForumHow to prevent malware from running on your PC
- Forumlock down the systems as much as possible to prevent users in the labs from cha
- ForumHow to prevent other user from opening my local disk
- Forumhow to prevent data/informations on production environment?
- ForumHow Secure is ". Local ?"
- ForumParallel and com ports not appearing in device manager
- Forum2nd DC not authenticating users?
- ForumHelp Please! - Cannot get rid of redundant DC from AD
- More resources
!
