Restrict Generic Logins
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.group_policy (More info?)
For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.
Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't use
the programs they are supposed to use.
The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.
Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.
Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.
If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.
Thanks,
Matt
For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.
Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't use
the programs they are supposed to use.
The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.
Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.
Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.
If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.
Thanks,
Matt
More about : restrict generic logins
Archived from groups: microsoft.public.win2000.group_policy (More info?)
In a default installation of Windows 2000 there are no user rights assigned
at the domain level, only in Domain Controller Security Policy. If you do
have it configured at the domain level you can undefine that user right and
run secedit /refreshpolicy machine_policy /enforce on the domain controller
and do the same on the domain member computers, wait for policy to propagate
[up to a couple of hours] or reboot them. The you should be able to
configure Local Security Policy on those computers and it will become their
effective policy for user rights for logon locally. I don't think it will
help in your situation but you can configure any user account in AD Users
and Computers to restrict the computer that a domain user can logon to. ---
Steve
"matt" <mkmitchell@hotmail.com> wrote in message
news![:o]( ":o")
M0s9xQpEHA.648@tk2msftngp13.phx.gbl...
> For some of our PCs, we use generic logins in which every user of the PC
> signs in with the same username and password.
>
> Quite often, users will sign on to these PCs with an Active Directory
> account other than the generic one. As a result, configuration of the
> desktop, printers, IE, and other programs are incorrect and users can't
> use the programs they are supposed to use.
>
> The network administrator and I have discussed implementing a policy
> setting to restrict these PCs by allowing only administrators and the
> generic account the logon local privilege - preventing users from signing
> on with other accounts.
>
> Since the default domain policy grants the Everyone group the logon local
> privilege, we will have to apply this setting at the Active Directory
> level rather than on the local PC.
>
> Each PC will need its own policy because the generic account is different
> for each PC. We will link these policies to a high level OU and then
> grant access on each policy to only the PC account involved.
>
> If anyone has suggestions or comments on this, let me know. If you have a
> better way, I would be curious. Also, if you know of a way of doing it
> with a single GPO, that would be helpful, too. Please note that we
> realize generic accounts aren't the best way of doing things, but for the
> time being we would like to solve this problem without getting rid of
> generic accounts. Also, we are presently restricting the generic login to
> its corresponding PC (Active Directory setting). The question at hand is
> restricting the PC to the corresponding generic login.
>
> Thanks,
>
> Matt
>
>
In a default installation of Windows 2000 there are no user rights assigned
at the domain level, only in Domain Controller Security Policy. If you do
have it configured at the domain level you can undefine that user right and
run secedit /refreshpolicy machine_policy /enforce on the domain controller
and do the same on the domain member computers, wait for policy to propagate
[up to a couple of hours] or reboot them. The you should be able to
configure Local Security Policy on those computers and it will become their
effective policy for user rights for logon locally. I don't think it will
help in your situation but you can configure any user account in AD Users
and Computers to restrict the computer that a domain user can logon to. ---
Steve
"matt" <mkmitchell@hotmail.com> wrote in message
news
M0s9xQpEHA.648@tk2msftngp13.phx.gbl...> For some of our PCs, we use generic logins in which every user of the PC
> signs in with the same username and password.
>
> Quite often, users will sign on to these PCs with an Active Directory
> account other than the generic one. As a result, configuration of the
> desktop, printers, IE, and other programs are incorrect and users can't
> use the programs they are supposed to use.
>
> The network administrator and I have discussed implementing a policy
> setting to restrict these PCs by allowing only administrators and the
> generic account the logon local privilege - preventing users from signing
> on with other accounts.
>
> Since the default domain policy grants the Everyone group the logon local
> privilege, we will have to apply this setting at the Active Directory
> level rather than on the local PC.
>
> Each PC will need its own policy because the generic account is different
> for each PC. We will link these policies to a high level OU and then
> grant access on each policy to only the PC account involved.
>
> If anyone has suggestions or comments on this, let me know. If you have a
> better way, I would be curious. Also, if you know of a way of doing it
> with a single GPO, that would be helpful, too. Please note that we
> realize generic accounts aren't the best way of doing things, but for the
> time being we would like to solve this problem without getting rid of
> generic accounts. Also, we are presently restricting the generic login to
> its corresponding PC (Active Directory setting). The question at hand is
> restricting the PC to the corresponding generic login.
>
> Thanks,
>
> Matt
>
>
Archived from groups: microsoft.public.win2000.group_policy (More info?)
Hi Matt,
Not 100% sure what you are trying to do but what you can have a look at
is to create a GPO for that container and block the in heritance of the
Default Domain Group Policy and then under the GPO specify what rights
needs to be applied.
Hope it helps
matt wrote:
> *For some of our PCs, we use generic logins in which every user of
> the PC
> signs in with the same username and password.
>
> Quite often, users will sign on to these PCs with an Active
> Directory
> account other than the generic one. As a result, configuration of
> the
> desktop, printers, IE, and other programs are incorrect and users
> can't use
> the programs they are supposed to use.
>
> The network administrator and I have discussed implementing a policy
> setting
> to restrict these PCs by allowing only administrators and the
> generic
> account the logon local privilege - preventing users from signing on
> with
> other accounts.
>
> Since the default domain policy grants the Everyone group the logon
> local
> privilege, we will have to apply this setting at the Active Directory
> level
> rather than on the local PC.
>
> Each PC will need its own policy because the generic account is
> different
> for each PC. We will link these policies to a high level OU and then
> grant
> access on each policy to only the PC account involved.
>
> If anyone has suggestions or comments on this, let me know. If you
> have a
> better way, I would be curious. Also, if you know of a way of doing
> it with
> a single GPO, that would be helpful, too. Please note that we
> realize
> generic accounts aren't the best way of doing things, but for the
> time being
> we would like to solve this problem without getting rid of generic
> accounts.
> Also, we are presently restricting the generic login to its
> corresponding PC
> (Active Directory setting). The question at hand is restricting the
> PC to
> the corresponding generic login.
>
> Thanks,
>
> Matt *
--
columbus
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1104427.html
Hi Matt,
Not 100% sure what you are trying to do but what you can have a look at
is to create a GPO for that container and block the in heritance of the
Default Domain Group Policy and then under the GPO specify what rights
needs to be applied.
Hope it helps
matt wrote:
> *For some of our PCs, we use generic logins in which every user of
> the PC
> signs in with the same username and password.
>
> Quite often, users will sign on to these PCs with an Active
> Directory
> account other than the generic one. As a result, configuration of
> the
> desktop, printers, IE, and other programs are incorrect and users
> can't use
> the programs they are supposed to use.
>
> The network administrator and I have discussed implementing a policy
> setting
> to restrict these PCs by allowing only administrators and the
> generic
> account the logon local privilege - preventing users from signing on
> with
> other accounts.
>
> Since the default domain policy grants the Everyone group the logon
> local
> privilege, we will have to apply this setting at the Active Directory
> level
> rather than on the local PC.
>
> Each PC will need its own policy because the generic account is
> different
> for each PC. We will link these policies to a high level OU and then
> grant
> access on each policy to only the PC account involved.
>
> If anyone has suggestions or comments on this, let me know. If you
> have a
> better way, I would be curious. Also, if you know of a way of doing
> it with
> a single GPO, that would be helpful, too. Please note that we
> realize
> generic accounts aren't the best way of doing things, but for the
> time being
> we would like to solve this problem without getting rid of generic
> accounts.
> Also, we are presently restricting the generic login to its
> corresponding PC
> (Active Directory setting). The question at hand is restricting the
> PC to
> the corresponding generic login.
>
> Thanks,
>
> Matt *
--
columbus
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1104427.html
Archived from groups: microsoft.public.win2000.group_policy (More info?)
Wouldn't it be better to still configure the Security Policy from AD rather
than on the local machine?
As I mentioned, I have already restricted the computer that a domain user
can logon to, but I'm trying to do the opposite; I want to restrict a
computer to only allow a certain domain user access.
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Su56d.168690$3l3.168258@attbi_s03...
> In a default installation of Windows 2000 there are no user rights
assigned
> at the domain level, only in Domain Controller Security Policy. If you do
> have it configured at the domain level you can undefine that user right
and
> run secedit /refreshpolicy machine_policy /enforce on the domain
controller
> and do the same on the domain member computers, wait for policy to
propagate
> [up to a couple of hours] or reboot them. The you should be able to
> configure Local Security Policy on those computers and it will become
their
> effective policy for user rights for logon locally. I don't think it will
> help in your situation but you can configure any user account in AD Users
> and Computers to restrict the computer that a domain user can logon
o. ---
> Steve
>
>
> "matt" <mkmitchell@hotmail.com> wrote in message
> news![:o]( ":o")
M0s9xQpEHA.648@tk2msftngp13.phx.gbl...
> > For some of our PCs, we use generic logins in which every user of the PC
> > signs in with the same username and password.
> >
> > Quite often, users will sign on to these PCs with an Active Directory
> > account other than the generic one. As a result, configuration of the
> > desktop, printers, IE, and other programs are incorrect and users can't
> > use the programs they are supposed to use.
> >
> > The network administrator and I have discussed implementing a policy
> > setting to restrict these PCs by allowing only administrators and the
> > generic account the logon local privilege - preventing users from
signing
> > on with other accounts.
> >
> > Since the default domain policy grants the Everyone group the logon
local
> > privilege, we will have to apply this setting at the Active Directory
> > level rather than on the local PC.
> >
> > Each PC will need its own policy because the generic account is
different
> > for each PC. We will link these policies to a high level OU and then
> > grant access on each policy to only the PC account involved.
> >
> > If anyone has suggestions or comments on this, let me know. If you have
a
> > better way, I would be curious. Also, if you know of a way of doing it
> > with a single GPO, that would be helpful, too. Please note that we
> > realize generic accounts aren't the best way of doing things, but for
the
> > time being we would like to solve this problem without getting rid of
> > generic accounts. Also, we are presently restricting the generic login
to
> > its corresponding PC (Active Directory setting). The question at hand
is
> > restricting the PC to the corresponding generic login.
> >
> > Thanks,
> >
> > Matt
> >
> >
>
>
Wouldn't it be better to still configure the Security Policy from AD rather
than on the local machine?
As I mentioned, I have already restricted the computer that a domain user
can logon to, but I'm trying to do the opposite; I want to restrict a
computer to only allow a certain domain user access.
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Su56d.168690$3l3.168258@attbi_s03...
> In a default installation of Windows 2000 there are no user rights
assigned
> at the domain level, only in Domain Controller Security Policy. If you do
> have it configured at the domain level you can undefine that user right
and
> run secedit /refreshpolicy machine_policy /enforce on the domain
controller
> and do the same on the domain member computers, wait for policy to
propagate
> [up to a couple of hours] or reboot them. The you should be able to
> configure Local Security Policy on those computers and it will become
their
> effective policy for user rights for logon locally. I don't think it will
> help in your situation but you can configure any user account in AD Users
> and Computers to restrict the computer that a domain user can logon
o. ---
> Steve
>
>
> "matt" <mkmitchell@hotmail.com> wrote in message
> news
M0s9xQpEHA.648@tk2msftngp13.phx.gbl...> > For some of our PCs, we use generic logins in which every user of the PC
> > signs in with the same username and password.
> >
> > Quite often, users will sign on to these PCs with an Active Directory
> > account other than the generic one. As a result, configuration of the
> > desktop, printers, IE, and other programs are incorrect and users can't
> > use the programs they are supposed to use.
> >
> > The network administrator and I have discussed implementing a policy
> > setting to restrict these PCs by allowing only administrators and the
> > generic account the logon local privilege - preventing users from
signing
> > on with other accounts.
> >
> > Since the default domain policy grants the Everyone group the logon
local
> > privilege, we will have to apply this setting at the Active Directory
> > level rather than on the local PC.
> >
> > Each PC will need its own policy because the generic account is
different
> > for each PC. We will link these policies to a high level OU and then
> > grant access on each policy to only the PC account involved.
> >
> > If anyone has suggestions or comments on this, let me know. If you have
a
> > better way, I would be curious. Also, if you know of a way of doing it
> > with a single GPO, that would be helpful, too. Please note that we
> > realize generic accounts aren't the best way of doing things, but for
the
> > time being we would like to solve this problem without getting rid of
> > generic accounts. Also, we are presently restricting the generic login
to
> > its corresponding PC (Active Directory setting). The question at hand
is
> > restricting the PC to the corresponding generic login.
> >
> > Thanks,
> >
> > Matt
> >
> >
>
>
Related ressources:
- ForumRestrict user login time for Fedora 17
- ForumHow to restrict use of a pc to one domain user only.
- ForumRestrict domain user to one login .
- ForumRestrict login based on IP
- ForumCreating User Logins - Administrator disappeared...
- ForumLimiting concurrent logins
- ForumRestrict User Login from 1 PC to domain/pc
- ForumIs every user a member of Users?
- ForumGeneric User Logons and Disconnects
- ForumLog-in error: " Generic Host Process for Win32 Services"
- ForumRestrict a port access to particular ip in linux
- ForumHow to restrict access to just Files, not Folders
- ForumWindows XP time sensitive logins
- ForumRestrict no of logons per user
- ForumRestrict folder access of Guest
- ForumRestrict access to servers
- ForumHow to setup a Network Server for Computers in a Small School
- ForumParallel and com ports not appearing in device manager
- ForumHow To Restrict Network Exploration
- ForumHow to restrict non administrators from accessing MMC from..
- More resources
!
