Is this a GPO setting or not?

[Charles]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I'm trying to duplicate a setting on a few of the
machines I manage that will prevent users from logging
into the machines unless I go through the Users and
Passwords Control Panel item or Local Groups and User MMC
snap-in and give them permission to logon to the
machine. They initially have to be input into the
machine this way with Admin access to the machine and
then bumped down to a lower permissions level. If their
profiles aren't manually added in this manner they get a
message like this. "Cannot copy C:\Documents and
Settings\Default User\Favorites\<insert url here> to
C:\DOcuments and Settings\<insert User Name
here>\Favorite\... etc" with a countdown time at the
bottom. At the time out they get another message that
basically tells them to contact the Network Admin because
their profile could not be created on the machine. I
don't have much authority over the User Domain accounts
so I can't add them to specific OU except at the Local
machine level but I have complete control over the
machines themselves. Is this something that can be done
via the GPO or Local Security Settings? Is there another
MMC snap-in that I can use to duplicate this setting?
This is the only way I've found so far to prevent users
from logging into certain machines. The previous Network
Admin can't remember what he did to activate this so I'm
pretty much on my own. Thanks in advance for any and all
help.

Charles

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

You can control who logs onto a computer with the user right for logon locally
that is found in the Local Security Policy [secpol.msc] under security
settings/local policies/user rights. This can also be configured at the domain
or OU level via a GPO at those levels. I am not quite sure about your
requirements but for instance you can configure a computer to only allow domain
users and administrators to logon to it which would not allow any "local" user
to logon to that is not in the local administrators group. --- Steve


"Charles" <mentaldrowremovethis@gimail.af.mil> wrote in message
news:277101c4866f$a0efd2e0$a301280a@phx.gbl...
> I'm trying to duplicate a setting on a few of the
> machines I manage that will prevent users from logging
> into the machines unless I go through the Users and
> Passwords Control Panel item or Local Groups and User MMC
> snap-in and give them permission to logon to the
> machine. They initially have to be input into the
> machine this way with Admin access to the machine and
> then bumped down to a lower permissions level. If their
> profiles aren't manually added in this manner they get a
> message like this. "Cannot copy C:\Documents and
> Settings\Default User\Favorites\<insert url here> to
> C:\DOcuments and Settings\<insert User Name
> here>\Favorite\... etc" with a countdown time at the
> bottom. At the time out they get another message that
> basically tells them to contact the Network Admin because
> their profile could not be created on the machine. I
> don't have much authority over the User Domain accounts
> so I can't add them to specific OU except at the Local
> machine level but I have complete control over the
> machines themselves. Is this something that can be done
> via the GPO or Local Security Settings? Is there another
> MMC snap-in that I can use to duplicate this setting?
> This is the only way I've found so far to prevent users
> from logging into certain machines. The previous Network
> Admin can't remember what he did to activate this so I'm
> pretty much on my own. Thanks in advance for any and all
> help.
>
> Charles

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Sounds to me that the permissions on the Documents and Setting folder have
been manipulated.

If Users are removed from the permissions on the Documents and Settings
folder, a user that does not already have a profile, can't create one and
you get the message box saying the user profile can not be loaded with a
count down timer.

But, Administrators still have access, so when the user's account is in the
Administrators group, that user can logon and create their profile in
Documents and Settings. The user's account specifically gets Full Control
over its profile folder, so, after the user's account is removed from the
Administrators group, they can still logon and use their profile folder.

--
Bruce Sanderson MVP

It is perfectly useless to know the right answer to the wrong question.


"Charles" <mentaldrowremovethis@gimail.af.mil> wrote in message
news:277101c4866f$a0efd2e0$a301280a@phx.gbl...
> I'm trying to duplicate a setting on a few of the
> machines I manage that will prevent users from logging
> into the machines unless I go through the Users and
> Passwords Control Panel item or Local Groups and User MMC
> snap-in and give them permission to logon to the
> machine. They initially have to be input into the
> machine this way with Admin access to the machine and
> then bumped down to a lower permissions level. If their
> profiles aren't manually added in this manner they get a
> message like this. "Cannot copy C:\Documents and
> Settings\Default User\Favorites\<insert url here> to
> C:\DOcuments and Settings\<insert User Name
> here>\Favorite\... etc" with a countdown time at the
> bottom. At the time out they get another message that
> basically tells them to contact the Network Admin because
> their profile could not be created on the machine. I
> don't have much authority over the User Domain accounts
> so I can't add them to specific OU except at the Local
> machine level but I have complete control over the
> machines themselves. Is this something that can be done
> via the GPO or Local Security Settings? Is there another
> MMC snap-in that I can use to duplicate this setting?
> This is the only way I've found so far to prevent users
> from logging into certain machines. The previous Network
> Admin can't remember what he did to activate this so I'm
> pretty much on my own. Thanks in advance for any and all
> help.
>
> Charles