Restrict Generic Logins

September 28, 2004 3:37:52 AM

Archived from groups: microsoft.public.win2000.group_policy

For some of our PCs, we use generic logins in which every user of the PC
signs in with the same username and password.

Quite often, users will sign on to these PCs with an Active Directory
account other than the generic one. As a result, configuration of the
desktop, printers, IE, and other programs are incorrect and users can't use
the programs they are supposed to use.

The network administrator and I have discussed implementing a policy setting
to restrict these PCs by allowing only administrators and the generic
account the logon local privilege - preventing users from signing on with
other accounts.

Since the default domain policy grants the Everyone group the logon local
privilege, we will have to apply this setting at the Active Directory level
rather than on the local PC.

Each PC will need its own policy because the generic account is different
for each PC. We will link these policies to a high level OU and then grant
access on each policy to only the PC account involved.

If anyone has suggestions or comments on this, let me know. If you have a
better way, I would be curious. Also, if you know of a way of doing it with
a single GPO, that would be helpful, too. Please note that we realize
generic accounts aren't the best way of doing things, but for the time being
we would like to solve this problem without getting rid of generic accounts.
Also, we are presently restricting the generic login to its corresponding PC
(Active Directory setting). The question at hand is restricting the PC to
the corresponding generic login.

Thanks,

Matt
Anonymous
September 28, 2004 8:10:29 AM

In a default installation of Windows 2000 there are no user rights assigned
at the domain level, only in Domain Controller Security Policy. If you do
have it configured at the domain level you can undefine that user right and
run secedit /refreshpolicy machine_policy /enforce on the domain controller
and do the same on the domain member computers, wait for policy to propagate
[up to a couple of hours] or reboot them. Then you should be able to
configure Local Security Policy on those computers and it will become their
effective policy for user rights for logon locally. I don't think it will
help in your situation but you can configure any user account in AD Users
and Computers to restrict the computer that a domain user can logon to. ---
Steve
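
An added example (not part of the original thread): a Python check that reads the text of a security template, such as one produced by `secedit /export`, and lists every principal holding "Log on locally" other than Administrators and the PC's generic account. The `EXAMPLE\kiosk01` account and both sample templates are constructed, and `privilege_rights` and `audit_logon_locally` are hypothetical helper names.

```python
"""Audit who holds "Log on locally" in an exported security template."""

LOGON_LOCALLY = "SeInteractiveLogonRight"
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample: Everyone (S-1-1-0) and a personal account still hold the right.
SAMPLE_OPEN = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0,EXAMPLE\kiosk01,EXAMPLE\jsmith
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: the right is restricted as described in the question.
SAMPLE_RESTRICTED = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\kiosk01
"""

def privilege_rights(template_text):
    """Return {right: [principals]} parsed from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def normalize(principal):
    # Templates write SIDs as *S-1-...; account names compare case-insensitively.
    return principal.lstrip("*").lower()

def audit_logon_locally(template_text, generic_account):
    """List principals with the right other than Administrators (by SID) and the
    generic account. None means the right is not defined in this template, so
    another policy layer decides who can log on locally."""
    rights = privilege_rights(template_text)
    if LOGON_LOCALLY not in rights:
        return None
    allowed = {normalize(ADMINISTRATORS_SID), normalize(generic_account)}
    return [p for p in rights[LOGON_LOCALLY] if normalize(p) not in allowed]
```

Export files are usually saved as Unicode (UTF-16), so open them with that encoding before passing the text in.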
September 28, 2004 9:29:45 AM

Hi Matt,
Not 100% sure what you are trying to do, but what you can have a look at
is to create a GPO for that container and block the inheritance of the
Default Domain Group Policy and then under the GPO specify what rights
need to be applied.

Hope it helps

--
columbus
October 1, 2004 12:58:12 PM

Wouldn't it be better to still configure the Security Policy from AD rather
than on the local machine?

As I mentioned, I have already restricted the computer that a domain user
can logon to, but I'm trying to do the opposite; I want to restrict a
computer to only allow a certain domain user access.


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Su56d.168690$3l3.168258@attbi_s03...
> In a default installation of Windows 2000 there are no user rights assigned
> at the domain level, only in Domain Controller Security Policy. If you do
> have it configured at the domain level you can undefine that user right and
> run secedit /refreshpolicy machine_policy /enforce on the domain controller
> and do the same on the domain member computers, wait for policy to propagate
> [up to a couple of hours] or reboot them. Then you should be able to
> configure Local Security Policy on those computers and it will become their
> effective policy for user rights for logon locally. I don't think it will
> help in your situation but you can configure any user account in AD Users
> and Computers to restrict the computer that a domain user can logon to. ---
> Steve