Keeping a Domain User Off Other Machines

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    127

    Keeping a Domain User Off Other Machines

    I have a user on a network who has local admin rights. Other users in the office are running as Users. The problem is that this admin user is logging on to other machines and installing software. Due to company politics, his boss will not tell him to stop; I am only allowed to block his access to the other machines. I looked online but couldn't find the procedure to deny access by machine to a particular user using AD. Does anyone know how to do this, or can point me in the right direction?

    Windows Server 2012 Domain
    Windows 7 and XP Workstations
    sandwich.

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    127
    Nevermind. Found the answer.

    In the properties for the user in the Active Directory, go to the account tab and select the "Logon To..." button. There you can specify access to specific machines only.
    sandwich.
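The "Logon To..." setting described above is the userWorkstations attribute on the user object, which the ActiveDirectory module exposes as -LogonWorkstations. The following is an added example, not code from the thread; the account and computer names are placeholders and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory (RSAT) module;
# 'jdoe', 'JDOE-PC' and 'OFFICE-PC02' are placeholder names.
Import-Module ActiveDirectory

function Set-AllowedWorkstations {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$ComputerNames   # NetBIOS names, no domain suffix
    )
    # "Logon To..." stores a comma-separated list of NetBIOS names in the
    # userWorkstations attribute. An empty value means "all computers", so
    # clearing the list silently removes the restriction.
    $list = ($ComputerNames | ForEach-Object { $_.Trim().ToUpper() }) -join ','
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $list
}

function Get-WorkstationRestrictions {
    # Report every enabled user and whether a "Logon To..." restriction is set,
    # so the change can be verified and unrestricted accounts can be reviewed.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
        Select-Object SamAccountName,
            @{ n = 'Restricted';       e = { -not [string]::IsNullOrEmpty($_.LogonWorkstations) } },
            @{ n = 'AllowedComputers'; e = { $_.LogonWorkstations } }
}

# Usage with placeholder names: restrict one account, then confirm it took effect.
Set-AllowedWorkstations -SamAccountName 'jdoe' -ComputerNames 'JDOE-PC', 'OFFICE-PC02'
Get-WorkstationRestrictions | Where-Object Restricted | Format-Table -AutoSize
```

The restriction is enforced by the domain controller at authentication time and only applies to that one account, so it does not by itself stop someone who already holds local admin rights from using a different account on a machine they can reach.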

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    On various finance and IT machines I remove Domain Users' access explicitly on the machine... by default MS allows users to log into all domain workstations. When joining the domain it adds Domain Users to the local Users group, and Domain Admins and Administrator to the local Administrators group. I remove all except for the specific user and the all-powerful domain administrator.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    I'm just thinking of the OU layout I had back then, as it has been a few years... but I found it worked very well for applying policies.

    Site
    -Users
    --Students
    ---Year/Grade (OU for each K-12)
    --Staff
    ---Departments (OU for each)
    -Machines
    --Students
    ---Location/Lab/Wing (OU for each)
    --Staff
    ---Location/Department (OU for each)
    -Security Groups
    --(almost identical layout to the user and machine OUs.... yes, I had groups for the machines as well)
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  5. #5
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    I employed another method of doing this in a large school; after using a naming convention on all machines (where an 'S' at the end of the name indicated a student-use machine), it made it easy to organise AD into a decent OU layout.

    Using group policy applied to either the student machines OU (or using policy filtering for any machine without *S) denied logon locally to a security group that had all students... In large networks I often use group nesting for granulated policies so 'students' group contained no users but another set of groups which may have again contained no users but another set of groups until the groups actually had the users listed.

    I also had the staff machines grouped into departments (teaching, admin, finance) and used group policy to grant ONLY that department's staff admin rights to ONLY that department's machines (group nesting for the win again). Although any staff could log on to any machine, admin rights were granted only to the staff who belonged to that department.

    Group nesting may seem like needless work; but when it comes to future changes like adding a new user to the domain, you only need to add said user to a single group and every group policy is applied... no need to find 10 policies and add this new user to them, etc. It's very late here; I hope anyone reading this understands the concept without enumerating the whole benefit.... just ask and I will go into complete detail. This is partly the fall down with using the "Log on to" option, IMO.

    ...

    Sadly the fall down in your case is that if the user is granted admin rights to any PC, you are restricting only which machines they can log on to using their own account. If it was me and I wanted to install software, I'd log in, create a local admin account and use that account to install software.
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein
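The last post points out the gap: a "Log on to" restriction says nothing about local accounts a local admin can create. One defensive check is to enumerate the local Administrators group on every workstation and flag members that are not on an allow-list, which surfaces both extra domain accounts and freshly created local ones. This is an added example, not code from the thread; it uses the WinNT ADSI provider (which also answers from Windows 7 clients, unlike Get-LocalGroupMember), and the OU path and allow-list are placeholders to adjust per site.

```powershell
# Added example (not from the thread). Uses the WinNT ADSI provider so it works
# against older clients; the OU distinguished name and allow-list are placeholders.
Import-Module ActiveDirectory

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Invoke('Members') | ForEach-Object {
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://COMPUTER/name for local accounts created on that machine.
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Computer = $ComputerName
            Source   = $parts[0]
            Member   = $parts[-1]
            IsLocal  = ($parts[0] -ieq $ComputerName)   # local account, not a domain principal
        }
    }
}

function Find-UnexpectedLocalAdmins {
    param(
        [Parameter(Mandatory)][string[]]$ComputerNames,
        [string[]]$Expected = @('Administrator', 'Domain Admins')   # placeholder allow-list
    )
    foreach ($c in $ComputerNames) {
        try {
            # Anything outside the allow-list is reported; IsLocal = True on a
            # workstation is exactly the "create a local admin" case above.
            Get-LocalAdminMembers -ComputerName $c |
                Where-Object { $Expected -notcontains $_.Member }
        } catch {
            Write-Warning "Could not query $c : $($_.Exception.Message)"
        }
    }
}

# Usage: sweep every enabled computer in a workstation OU (placeholder DN).
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Select-Object -ExpandProperty Name
Find-UnexpectedLocalAdmins -ComputerNames $computers | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new row with IsLocal set to True is worth a look even when the account name looks harmless.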
