July 7th, 2005, 02:29 PM
In a domain environment, at the time of interactive logon on a WinXP client PC, we get 2 options in the LOGON TO tab.
One is LOGON TO DOMAIN while the other is LOGON TO THIS PC.
Is it possible to remove the option LOGON TO THIS PC?
If yes, then how?
July 7th, 2005, 02:40 PM
Hey. I don't think so that you can remove this only if you have Admin rights.
July 7th, 2005, 02:42 PM
Isn't it so that you can do this by using the local policies on the computer and adding the users to whom you want to deny the right to log on locally to the "Deny logon locally" policy?
Or by using the Group Policy of course --> then Windows Settings --> local policies --> User Rights Assignment --> Deny logon locally
Then push this policy to your domain users.
I don't know if this makes the "logon to this pc" item disappear, but it stops the users from logging on locally.
Hope this is somewhat clear?
Anyone correct me if I'm wrong here, but that's the way I think I would work; there are probably better ways to do it.
Back when I was a boy, we carved our own IC's out of wood.
July 7th, 2005, 02:57 PM
If there are no local user accounts, people can't logon to the machine. This won't remove the option, but the functionality.
July 7th, 2005, 07:31 PM
July 8th, 2005, 01:29 PM
Hey guys, what I want is to remove the logon option, not just deny them the ability to log on locally.
Moreover, you don't have an option in either local policies or group policies by which this option can be removed. But I heard that this is possible by making some changes in the registry. Since the registry is an integral part of the OS, is there any other way to achieve this goal, so that the user can neither log on locally nor see the LOGON TO THIS PC option at the time of interactive logon?
July 8th, 2005, 01:36 PM
I know how to deny users so that they won't be able to log on locally.
But what if, for some security reasons, I don't want this option to be seen, so that no one can log on locally (including administrators, wherein the administrators would administer remotely)?
If this is possible through the registry, then can anyone say how?
July 8th, 2005, 01:40 PM
The only way to make this happen is through a registry change. The registry is an important part of the OS, but large portions of it are nothing more than a repository for storing how you like your operating system configured - look and feel, etc. So a registry change is pretty common in a case like this.
Now, the "log on to this pc" requires an account that they know the password for on the PC. This password is not related to their active directory / domain password. Just having this option available doesn't mean that someone can take advantage of being able to log on to the computer.
Keep in mind, as well, that the local administrator account on the PC is the primary reason you would need the "log on to this computer" option. This account is important to have; for support reasons, there are times you may need to log on to the local computer without authenticating against the domain.
Finally, be careful with the deny log on locally right. The security privilege "log on locally" is the right to log on from the console. So if you deny a user this right, they cannot log in on that machine using the keyboard. They'll get a message saying something like "the local policy does not permit you to log on interactively." If you're not careful, you'll lock out all of your accounts, domain and local.
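The lockout risk described in the post above can be checked before a policy is pushed. The following is an added example, not part of the original thread: it assumes the input is the text of a user-rights export in the INF format produced by `secedit /export /areas USER_RIGHTS`, and the sample export and function names are constructed for illustration.

```python
# Added example (not from the thread): audit a user-rights export for the
# lockout risk of "Deny log on locally". SAMPLE_INF is constructed.

# Well-known SIDs of groups broad enough to cover ordinary and admin accounts.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def lockout_findings(inf_text):
    """List reasons the deny right could block all console logons."""
    rights = parse_privilege_rights(inf_text)
    denied = rights.get("SeDenyInteractiveLogonRight", [])
    allowed = rights.get("SeInteractiveLogonRight", [])
    findings = []
    for sid in denied:
        if sid in BROAD_SIDS:
            findings.append(f"deny covers {BROAD_SIDS[sid]} ({sid})")
        elif sid.startswith("S-1-5-21-") and sid.endswith("-513"):
            findings.append(f"deny covers Domain Users ({sid})")
    if allowed and all(p in denied for p in allowed):
        findings.append("every principal allowed to log on locally is also denied")
    return findings

SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-32-545
"""

if __name__ == "__main__":
    for finding in lockout_findings(SAMPLE_INF):
        print("WARNING:", finding)
```

A deny entry takes precedence over an allow entry for the same account, which is why a broad group in the deny list is flagged even when Administrators still holds the allow right.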
July 9th, 2005, 11:05 AM
Hey guys, but I don't think that the administrator would sit at the client PC to work, and I certainly do agree that it's not possible to restrict or deny some of the built-in accounts like admins, power users, etc. Moreover, if you are denying administrator or the so-called built-in accounts you could face some problems, just as Timmy said, and I feel that denying is not required if you are able to remove the option or, at worst, disable that option.
If you are able to remove the option then certainly you will be able to put it back when required (I GUESS, since I'm not sure whether the registry of a remote system can be accessed or not, but then I bet this could be achieved by using third-party software).
One thing I'd like to mention is I KNOW HOW TO DENY USERS AND, TO DENY, WHICH CONSOLE I NEED TO OPEN.
Once again, please don't teach me how to deny.
July 9th, 2005, 12:32 PM
Well, let us make sure that you are not going to shoot yourself in the foot.
"Once again, please don't teach me how to deny."
What exactly are you trying to achieve here? I mean your business objectives, not how to make your operating system do A or B or C.
Supposing that your network fails, or your servers, what are the users supposed to do? Sit there twiddling their thumbs and telephoning you every 30 seconds for a progress report?
What I am asking is do they/should they have any offline functionality?
I am sometimes in favour of options that users cannot access... it demonstrates that there is a hierarchy, and that they are not quite where they thought