
Thread: restrict logon?

  1. #1
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741

    restrict logon?

    Background:

    windows 2k pro workstation
    name: central2

    windows 2k server environment


    problem:
    want to take the workstation and set it up so that only one person, janedoe and administrators group, can access this workstation.

    I am looking for how to do this. I thought there was a way to create a GPO on an OU that would do this, but the only option I could find was the logon locally option, which didn't seem to do anything for me.

    I need to know how, not "do it with a GPO"
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  2. #2
    Senior Member
    Join Date
    Aug 2001
    Posts
    112
    Disable all other groups? Or delete all other groups, I guess. If you're not going to use them then I guess there's no point in having them. Only admins create users, so once you have janedoe and the administrator account, I don't see how any other unauthorized person can access the workstation. Unless you're talking about accessing the workstation via network, then... I'll have to get back to you on that.
    Viper

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    112
    or that. Hi Mittens
    Viper

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    What about the Security Configuration Manager (specifically User Rights Assignment section?)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Did you try the "Deny logon locally" option?

    Be careful when you play with that option, by the way.
    -Simon "SDK"

  6. #6
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    the deny logon locally option has to be set from the computer though right?
    and then do I just deny everyone but administrators and this one user?

    The problem is I have about 40 users at this site and it's kind of a pain in the arse to have to add everyone to a new group to just deny that one group. I was kind of looking for a GPO-driven option to make it easier.

    I guess worst case 40 ppl isn't that many, just still a pain.

    I mean I guess I could also go through and remove permissions to every directory and only have administrators and janedoe on the directories
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Does that work on domain users too or only if you try to logon locally?
    It works on domain users if your computer is part of a domain.

    You can push the "deny logon locally" policies by GPO also, but do you really want to push the same GPO to all 40 computers? Basically, only one user will be able to log on to these 40 computers?

    Another solution that you could test is whether the "allow logon locally" policies overwrite the "deny logon locally". I'm not sure which one wins. I think the deny will win but you should give it a try.

    P.S. Don't remove the NTFS permissions, Windows is very touchy about NTFS permissions!
    -Simon "SDK"

  8. #8
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    I was hoping with a GPO I could just put that one computer into its own OU and just roll out the GPO on that PC, but I couldn't find the deny logon locally option within the GPO section. I will try deny logon locally on the PC and see if it will work.

    FYI, as you thought, the deny overrides the allow, which is too bad because it would be great to just deny everyone and add the others. But it appears as if redundancy is the only way to go about it. I won't be at my client's location until later this week but I will let you know if this works.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  9. #9
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Spyrus, due to the characteristics of Windows AD, you will need to deny everybody else access to that workstation, since everybody has access to all domain stations by default. Since there is no built-in group that contains everybody else but this user, you have no luck on this matter.
    Even if you try to lock the root directory (C:\) you will need to exclude everybody else, so you will be back at the first problem (deny everybody).
    What you are trying to do isn't in the "GPO Domain", it is more likely in the "User rights Domain". So you need to use Windows security to do that. You need to deny "Interactive Logon" on that station.
    If you get another solution (except deny everybody else), please let us know.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  10. #10
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Spyrus, check my image to see the deny logon locally from GPO. (This was taken on Windows 2003.) Not sure if it works on 2K.

    By the way, I use the Group Policy Management Console
    http://www.microsoft.com/windowsserv...gpmcintro.mspx
    -Simon "SDK"
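
The thread turns on two user rights, "Log on locally" (`SeInteractiveLogonRight`) and "Deny logon locally" (`SeDenyInteractiveLogonRight`), with deny taking precedence. As an added example that is not from any poster, the following Python audits the `[Privilege Rights]` section of a security template, the INF format written by `secedit /export`, against an allow-list; the template text, the `EXAMPLE` domain name and the allow-list are constructed for illustration.

```python
# Added example: audit the [Privilege Rights] section of a security template
# (the INF format written by `secedit /export`) for who may log on locally.
# The template text, the EXAMPLE domain and the allow-list are constructed.

ALLOW_RIGHT = "SeInteractiveLogonRight"      # "Log on locally"
DENY_RIGHT = "SeDenyInteractiveLogonRight"   # "Deny logon locally"
ADMINISTRATORS = "*S-1-5-32-544"             # well-known SID, BUILTIN\Administrators

SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,EXAMPLE\janedoe
SeDenyInteractiveLogonRight = EXAMPLE\janedoe
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            members = {p.strip().lower() for p in value.split(",") if p.strip()}
            rights[name.strip()] = members
    return rights

def audit_local_logon(text, allowed):
    """Compare the template with an allow-list; groups are not expanded."""
    allowed = {p.lower() for p in allowed}
    rights = parse_privilege_rights(text)
    allow = rights.get(ALLOW_RIGHT, set())
    deny = rights.get(DENY_RIGHT, set())
    return {
        "unexpected": sorted(allow - allowed),  # holds the right but is not on the list
        "missing": sorted(allowed - allow),     # on the list but lacks the right
        "locked_out": sorted(allowed & deny),   # deny overrides allow
    }

if __name__ == "__main__":
    print(audit_local_logon(SAMPLE_TEMPLATE, [ADMINISTRATORS, r"EXAMPLE\janedoe"]))
```

In the constructed template, `*S-1-5-32-545` (BUILTIN\Users) is reported as unexpected, and `EXAMPLE\janedoe` is reported as locked out because the account appears in both the allow and the deny right.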
