Archived from groups: microsoft.public.win2000.security
"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:OFRCB793EHA.3000@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> Roger answered how you can restrict the access. I would just like to warn
> you that these settings could lock you out of your own system. Pay
> attention when restricting access. If you add only the account named "BobS"
> to "Allow logon locally", this setting will prevent (domain) administrators
> from logging on to the computer.
Which might be a good thing in some environments.
> Another example would be to add "Domain
> Administrators" to "Allow Logon Locally" and add Domain Users to "Deny
> Logon Locally". This will also prevent domain administrators from logging on
> locally, since they are members of the Domain Users group and Deny has
> priority over allow.
Now, where it gets really nasty is when the person does this
to both Local logon and Network logon settings!!
> To do this last example correctly, you would only add "Domain
> Administrators" to Allow logon locally. Since you didn't specify any other
> groups under "Allow logon locally", any user who is not a member of the
> "domain administrators" group will not be able to log on.
>
> Mike
>
> "Byteboy" <Byteboy@discussions.microsoft.com> wrote in message
> news:803C1C91-832B-4815-ACEC-ACF579603D97@microsoft.com...
> > I have taken over a small network with a Windows 2000 server domain
> > controller and Windows 2000 Pro clients. Currently, any user may log on to
> > any client system using their username and pw. This creates a local
> > profile and allows them use of the system. How can this be prevented, i.e.
> > any given user may only log on to their designated workstation?
>
>
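The lockout cases discussed in this thread can be checked before a policy is applied. The following is an added example, not part of the original posts: it models only the rule stated above (an account matches by name or group membership, deny beats allow, no allow match means no logon), and the accounts, memberships and function names are constructed for illustration.

```python
# Added example: models the evaluation rule described in the thread.
# Accounts and group memberships below are constructed sample data.
MEMBERSHIP = {
    "BobS": {"Domain Users"},
    "AliceAdmin": {"Domain Users", "Domain Administrators"},
}
ADMIN_GROUP = "Domain Administrators"


def can_logon(account, allow, deny=(), membership=MEMBERSHIP):
    """True if the account, directly or via a group, is allowed and not denied."""
    principals = {account} | membership.get(account, set())
    if principals & set(deny):  # deny has priority over allow
        return False
    return bool(principals & set(allow))


def locked_out_admins(policy, membership=MEMBERSHIP):
    """Map each logon type in a proposed policy to the admins it would block."""
    admins = sorted(a for a, g in membership.items() if ADMIN_GROUP in g)
    return {
        logon_type: [a for a in admins
                     if not can_logon(a, rule.get("allow", ()),
                                      rule.get("deny", ()), membership)]
        for logon_type, rule in policy.items()
    }


def fully_locked_out(policy, membership=MEMBERSHIP):
    """Admins blocked on every logon type in the policy (no way back in)."""
    sets = [set(v) for v in locked_out_admins(policy, membership).values()]
    return sorted(set.intersection(*sets)) if sets else []


# The three local-logon configurations discussed in the thread.
ONLY_BOBS = {"local": {"allow": ["BobS"]}}
DENY_USERS = {"local": {"allow": [ADMIN_GROUP], "deny": ["Domain Users"]}}
ADMINS_ONLY = {"local": {"allow": [ADMIN_GROUP]}}
# The same allow/deny pair applied to both local and network logon.
DENY_BOTH = {"local": DENY_USERS["local"], "network": DENY_USERS["local"]}

if __name__ == "__main__":
    for name, pol in [("only BobS", ONLY_BOBS), ("deny Domain Users", DENY_USERS),
                      ("admins only", ADMINS_ONLY), ("deny on both", DENY_BOTH)]:
        print(name, locked_out_admins(pol), fully_locked_out(pol))
```

The model ignores local groups and nested group membership, so a real check would need the resolved membership of each administrative account.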