Limit domain login to Administrator Group

peter

Mar 29, 2004
Archived from groups: microsoft.public.win2000.group_policy

Hi,

I have a windows 2000 domain controller. I have a bunch of win2k and
winxp computers as part of the domain.

Currently, each user is a part of their local administrator group on
their own machine (domain admin users are also part of the local
administrator group).

What I am trying to do is set up the network so that only people that
are part of the local administrator group on a particular box are
permitted to log in. I was able to figure out how to make this work
for local users, however, I could not make it work for domain users.

ex. computer name: Computer1
local account: localuser1
local account: localuser2
local account: administrator

The domain has the following user accounts.
domain account: domainaccount1
domain account: domainaccount2

Administrator Group on local machine has the following members:
localuser1
domainuser1
domainadmins
administrator


So, what I would like is a policy that would meet the following
requirements:
1. localuser1 can login
2. localuser2 can not login
3. domainuser1 can login
4. domainuser2 can not login.

If someone could help me with this I would really appreciate it. I am
trying to prevent users from logging into other people's workstations in
an attempt to evade security etc.

Thank you again,
Peter
Guest

It sounds like you're evading security in giving your users local admin
rights. That, and local accounts. If you have a domain presence, I would
use the domain accounts strictly. Nobody on my network has a local user
account on their computer--they don't even have the password to the local
admin account.

Your dilemma can be solved by setting the Log On To... attribute in the
user's account properties, under the Account tab. Just make sure the admin
accounts are left unrestricted--or they won't be able to support the
computers.

Good luck

Ken


"Peter" <peter.marshall@caris.com> wrote in message
news:df505181.0501311144.d65c7ea@posting.google.com...
> Hi,
>
> I have a windows 2000 domain controller. I have a bunch of win2k and
> winxp computers as part of the domain.
>
> Currently, each user is a part of their local administrator group on
> their own machine (domain admin users are also part of the local
> administrator group).
>
> What I am trying to do is set up the network so that only people that
> are part of the local administrator group on a particular box are
> permitted to log in. I was able to figure out how to make this work
> for local users, however, I could not make it work for domain users.
>
> ex. computer name: Computer1
> local account: localuser1
> local account: localuser2
> local account: administrator
>
> The domain has the following user accounts.
> domain account: domainaccount1
> domain account: domainaccount2
>
> Administrator Group on local machine has the following members:
> localuser1
> domainuser1
> domainadmins
> administrator
>
>
> So, what I would like is a policy that would meet the following
> requirements:
> 1. localuser1 can login
> 2. localuser2 can not login
> 3. domainuser1 can login
> 4. domainuser2 can not login.
>
> If someone could help me with this I would really appreciate it. I am
> trying to prevent users from logging into other people's workstations in
> an attempt to evade security etc.
>
> Thank you again,
> Peter
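The "Log On To..." setting Ken points at is the user object's userWorkstations attribute in Active Directory, which the ActiveDirectory PowerShell module exposes as -LogonWorkstations. The script below is an added example, not code from either poster, and it assumes a modern domain with that module available (it did not exist for the Windows 2000 domain in Peter's post). It scripts Ken's answer for the domain half of Peter's requirements (domainuser1 may log on to Computer1, domainuser2 may not) and enforces his caveat by skipping anything in Domain Admins, then lists which accounts are still unrestricted so you can review that list. The computer name Computer1 and the user names come from the thread; the Computer2 entry and the group name "Domain Admins" are assumptions for illustration.

```powershell
# Added example (not from the thread): script the "Log On To..." restriction
# described in the reply, via the ActiveDirectory module's -LogonWorkstations
# parameter (the userWorkstations attribute). Values are NetBIOS computer
# names, comma-separated, not FQDNs.
Import-Module ActiveDirectory

# Constructed mapping of which domain user may log on to which workstation.
# domainuser1/Computer1 come from the post; Computer2 is an assumed name.
$allowed = @{
    'domainuser1' = 'Computer1'
    'domainuser2' = 'Computer2'
}

foreach ($user in $allowed.Keys) {
    $u = Get-ADUser -Identity $user -Properties LogonWorkstations

    # Leave administrative accounts unrestricted so they can still support
    # every computer, as the reply warns. "Domain Admins" is the assumed name
    # of that group.
    $groups = Get-ADPrincipalGroupMembership -Identity $u |
        Select-Object -ExpandProperty Name
    if ($groups -contains 'Domain Admins') {
        Write-Warning "$user is a domain admin; leaving Log On To unrestricted"
        continue
    }

    Set-ADUser -Identity $u -LogonWorkstations $allowed[$user]
}

# Review pass: every enabled user with no Log On To restriction. After the
# change, only the support/admin accounts should appear here.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName
```

Two practical notes: the attribute holds at most 64 workstation names per user, so it suits small per-user lists like Peter's rather than large fleets, and it only governs domain accounts; the local accounts in his example (localuser1, localuser2) are not in Active Directory and are not affected by it.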