In a domain environment, at the time of interactive logon on a WinXP client PC we get 2 options in the LOGON TO tab.
One is LOGON TO DOMAIN while the other is LOGON TO THIS PC.
Is it possible to remove the option LOGON TO THIS PC?
If yes, then how?
Hey. I don't think so that you can remove this only if you have Admin rights.
Isn't it so that you can do this by using the local policies on the computer and adding the users who you want to deny the rights to logon locally to the "Deny logon locally" policy?
Or by using the Group Policy of course --> then Windows Settings --> local policies --> User Rights Assignment --> Deny logon locally
Then push this policy to your domain users.
I don't know if this makes the "logon to this pc" item disappear but it stops the users from logging on locally.
Hope this is somewhat clear ?
Anyone correct me if I'm wrong here, but that's the way I think I would work, there's probably better ways to do it :)
C.
If there are no local user accounts, people can't logon to the machine. This won't remove the option, but the functionality.
You might look into this article and links.
http://www.microsoft.com/resources/d...d_sec_quni.asp
Hey guys, what I want is to remove the logon option, not just deny them the ability to logon locally.
Moreover, you don't have the option in either local policies or group policies so that this option can be removed. But I heard that this is possible by making some changes in the registry. Since the registry is an integral part of the OS, is there any other way to achieve this goal so that the user should neither logon locally nor be able to see the LOGON TO THIS PC option at the time of interactive logon?
I know how to deny users so that they won't be able to logon locally.
But what if for some security reasons I don't want this option to be seen so that no one can logon locally (including administrators, wherein the administrators would administer remotely)
If this is possible through the registry then can anyone say how this is possible???
The only way to make this happen is through a registry change. The registry is an important part of the OS, but large portions of it are nothing more than a repository for storing how you like your operating system configured - look and feel, etc. So a registry change is pretty common in a case like this.
Now, the "log on to this pc" requires an account that they know the password for on the PC. This password is not related to their active directory / domain password. Just having this option available doesn't mean that someone can take advantage of being able to log on to the computer.
Keep in mind, as well, that the local administrator account on the PC is the primary reason you would need the "log on to this computer" option. This account is important to have, for support reasons there are times you may need to log on to the local computer without authenticating against the domain.
Finally, be careful with the deny log on locally right. The security privilege "log on locally" is the right to log on from the console. So if you deny a user this right, they cannot log in on that machine using the keyboard. They'll get a message saying something like "the local policy does not permit you to log on interactively." If you're not careful, you'll lock out all of your accounts, domain and local.
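As an added example, not part of any post in this thread: the lockout warning above can be checked before a policy is pushed by auditing a security template exported with `secedit /export /cfg`. The function names, the list of "broad" groups and the sample template are assumptions made for this illustration; `SeDenyInteractiveLogonRight` and `SeInteractiveLogonRight` are the template keys behind "Deny log on locally" and "Log on locally".

```python
# Added example: audit a `secedit /export` template for "Deny log on locally"
# entries broad enough to lock out every account. Sample data is constructed.
# Well-known SIDs whose membership covers most or all accounts on a machine.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}
BROAD_NAMES = {name.lower(): sid for sid, name in BROAD_SIDS.items()}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            key, _, value = line.partition("=")
            # secedit writes SIDs as *S-1-..., account names without the star
            rights[key.strip()] = [p.strip().lstrip("*")
                                   for p in value.split(",") if p.strip()]
    return rights

def audit_deny_logon(inf_text):
    """Report broad groups denied console logon and the allow entries left."""
    rights = parse_privilege_rights(inf_text)
    denied = rights.get("SeDenyInteractiveLogonRight", [])
    allowed = rights.get("SeInteractiveLogonRight", [])
    broad = []
    for p in denied:
        sid = p if p in BROAD_SIDS else BROAD_NAMES.get(p.split("\\")[-1].lower())
        if sid:
            broad.append(BROAD_SIDS[sid])
    denied_lc = {d.lower() for d in denied}
    # Deny wins over allow. Group membership cannot be resolved offline, so
    # this only removes principals that are denied by an exact entry.
    remaining = [a for a in allowed if a.lower() not in denied_lc]
    return {"broad_denied": broad, "remaining_allowed": remaining,
            "lockout_risk": bool(broad)}

SAMPLE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-545,Guest
"""
if __name__ == "__main__":
    print(audit_deny_logon(SAMPLE))
```

Real exports are usually UTF-16, so open them with that encoding before passing the text in. Localized group names are not recognised by name, only by SID.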
Hey guys, but I don't think that the administrator would sit at the client PC for working and I certainly do agree that it's not possible to restrict or deny some of the builtin accounts like admins, power users, etc. Moreover, if you are denying administrator or the so-called builtin accounts you could face some problems just as Timmy said, and I feel that denying is not required if you are able to remove the option or, at the worst case, disable that option.
If you are able to remove the option then certainly you will be able to put it back at the time of requirement (I GUESS, since I'm not sure whether a registry of a remote system can be accessed or not, but then I bet this could be achieved by using third party software.)
One thing I like to mention is I KNOW HOW TO DENY USERS AND TO DENY WHICH CONSOLE I NEED TO OPEN.
Once again please don't teach me how to deny.
Well, let us make sure that you are not going to shoot yourself in the foot ;)
Quote:
Once again please don't teach me how to deny.
What exactly are you trying to achieve here? I mean your business objectives, not how to make your operating system do A or B or C.
Supposing that your network fails, or your servers, what are the users supposed to do?...sit there twiddling their thumbs and telephoning you every 30 seconds for a progress report?
What I am asking is do they/should they have any offline functionality?
I am sometimes in favour of options that users cannot access..............it demonstrates that there is a hierarchy, and that they are not quite where they thought :D
Hey, no offline functionality is needed. Moreover, an admin need not do this on each and every PC, but then this would be done only on those PCs where there's some important data or whatsoever is stored.
Moreover I don't think any admin would be such a fool that he would continue with this step without taking appropriate precautions.
Hey guys, don't you think that we are deviating a bit from the topic???
Que?..................you said NO LOCAL ACCESS is required, so why are you wanting to store important things locally rather than on the servers?
Quote:
but then this would be done only on those PCs where there's some important data or whatsoever is stored.
So what precautions do you propose to take? In detail............no B/S
Quote:
Moreover I don't think any admin would be such a fool that he would continue with this step without taking appropriate precautions.
:)
NO! I am finding it rather difficult to figure out what the topic actually is, other than some social engineering
Quote:
Hey guys, don't you think that we are deviating a bit from the topic???
I am calling bullcrap on this one :D
I have to agree with nihil...looking over previous threads kranthi002 seems to lack an appreciation for those trying to assist him...especially in nihil's case, as nihil has apparently tried to help him in two other threads as well...
maybe if you ( kranthi002 ) were more forthwith and detailed in your questions, people who are trying to assist you ( FREE OF CHARGE ) would have a better understanding of what you want!
Oh...by the way...save the attitude for the people you are PAYING to help you.
Here's your sign..
~cheers~
Quote:
But what if for some security reasons I don't want this option to be seen so that no one can logon locally (including administrators, wherein the administrators would administer remotely)
I have a good idea... just disconnect any keyboards, mice and monitors. Problem solved. No local access. What you're doing is not feasible. I understand you want your admins to remotely administer the boxes, but I think you underestimate the need to locally access machines once in a while. Removing any way of accessing the system is the best way to limit access, don't you think?
Hi avdven ,
Exactly. if someone has physical access they can own it.
I firmly believe that the gentleman should revisit his Security Model and his policies. A top down rather than a bottom up approach.
Trying to apply security piecemeal by turning this off and not allowing that is very dangerous as you are certain to leave gaps and it lulls you into a false sense of security.
I have worked with environments where the desktop is basically a dumb terminal served by a metaframe system (Citrix). In others the desktops were locked down. In both cases the only maintenance required was to unplug a defective machine and plug in a new one, as they were all the same. No data was stored locally.
In other cases there is a requirement for local access. Generally to e-mail and word processing. Here, if the server or network went down the employees could be getting on with productive work offline.
I just cannot envisage the overall design or the functionality requirements here? :(
Anyone see someone trying to hide 'things' from the admin ?
Even if OP IS admin, why does the local access bite so bad ..........
sometimes you just gotta go in local
I feel the thread will die soon anyway
Maybe kranthi002, you could compile your next SE attempt in 'Word' and give details. LOTS of details.
It's our experience that those who give lots of detail have nothing to hide and are actually trying to do what they've said they're trying to do ...................
Ah well
thread killer is a coming :)