-
March 29th, 2005, 11:13 PM
#1
restrict logon?
Background:
windows 2k pro workstation
name: central2
windows 2k server environment
problem:
want to take the workstation and set it up so that only one person, janedoe and administrators group, can access this workstation.
I am looking for how to do this. I thought there was a way to create a GPO on an OU that would do this, but the only option I could find was the logon locally option, which didn't seem to do anything for me.
I need to know how, not "do it with a GPO"
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
here
-
March 29th, 2005, 11:18 PM
#2
Senior Member
Disable all other groups? Or delete all other groups, I guess. If you're not going to use them then I guess there's no point in having them. Only admins create users, so once you have janedoe and the administrator account, I don't see how any other unauthorized person can access the workstation. Unless you're talking about accessing the workstation via network, then... I'll have to get back to you on that
-
March 29th, 2005, 11:23 PM
#3
Senior Member
or that. Hi Mittens
-
March 29th, 2005, 11:24 PM
#4
What about the Security Configuration Manager (specifically User Rights Assignment section?)
-
March 30th, 2005, 12:38 AM
#5
Did you try the "Deny logon locally" option?
Be careful when you play with that option, by the way.
-
March 30th, 2005, 02:20 AM
#6
the deny logon locally option has to be set from the computer though right?
and then do I just deny everyone but administrators and this one user?
The problem is I have about 40 users at this site and it's kind of a pain in the arse to have to add everyone to a new group to just deny that one group. I was kind of looking for a GPO-driven option to make it easier.
I guess worst case 40 ppl isn't that many, just still a pain.
I mean, I guess I could also go through and remove permissions to every directory and only have administrators and janedoe on the directories
-
March 30th, 2005, 03:44 AM
#7
Does that work on domain users too or only if you try to logon locally?
It works on domain users if your computer is part of a domain.
You can push the "deny logon locally" policies by GPO also, but do you really want to push the same GPO to all 40 computers? Basically, only one user will be able to log on to these 40 computers?
Another solution that you could test is whether the "allow logon locally" policy overrides the "deny logon locally". I'm not sure which one wins. I think the deny will win but you should give it a try.
P.S. Don't remove the NTFS permissions, Windows is very touchy about its NTFS permissions!
-
March 30th, 2005, 01:28 PM
#8
I was hoping with a GPO I could just put that one computer into its own OU and just roll out the GPO on that PC, but I couldn't find the deny logon locally option within the GPO section. I will try deny logon locally on the PC and see if it will work.
FYI, as you thought, the deny overrides the allow, which is too bad because it would be great to just deny everyone and add the others. But it appears as if redundancy is the only way to go about it. I won't be at my client's location until later this week, but I will let you know if this works
-
March 30th, 2005, 01:47 PM
#9
spyrus, due to the characteristics of Windows AD, you will need to deny everybody else access to that workstation, since everybody has access to all domain stations by default. Since there is no built-in group that contains everybody else but this user, you have no luck on this matter
Even if you try to lock the root directory (C:\) you will need to exclude everybody else, so you will be back at the first problem (deny everybody)
What you are trying to do isn't in the "GPO Domain", it is more likely in the "User Rights Domain". So you need to use Windows security to do that. You need to deny "Interactive Logon" on that station.
If you get another solution (except deny everybody else), please let us know.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
March 30th, 2005, 02:46 PM
#10
Spyrus, check my image to see the deny logon locally from GPO. (This was taken on Windows 2003.) Not sure if it works on 2K
By the way, I use the Group Policy Management Console
http://www.microsoft.com/windowsserv...gpmcintro.mspx
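An added example, not part of the thread: a Python check over the `[Privilege Rights]` section of a `secedit /export` file that evaluates who can log on locally, applying the deny-overrides-allow behaviour reported in post #8. The domain `CORP`, the account names, and the sample file are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export` security template.
# *S-1-5-32-544 is BUILTIN\Administrators; CORP\... accounts are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CORP\\janedoe,CORP\\tempstaff
SeDenyInteractiveLogonRight = CORP\\tempstaff
"""

ADMINS = "*S-1-5-32-544"
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"


def parse_rights(inf_text):
    """Return {right_name: set of lowercased principals} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: {p.strip().lower() for p in value.split(",") if p.strip()}
            for name, value in cp.items("Privilege Rights")}


def can_log_on_locally(rights, principals):
    """principals: the account plus every group it belongs to.
    A match in the deny list wins over any match in the allow list."""
    ids = {p.lower() for p in principals}
    allowed = ids & rights.get(ALLOW, set())
    denied = ids & rights.get(DENY, set())
    return bool(allowed) and not denied


def unexpected_allow_entries(rights, expected):
    """Principals granted 'Log on locally' beyond the intended list."""
    wanted = {e.lower() for e in expected}
    return sorted(rights.get(ALLOW, set()) - wanted)


if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    print(can_log_on_locally(rights, ["CORP\\janedoe", "CORP\\Domain Users"]))
    print(unexpected_allow_entries(rights, [ADMINS, "CORP\\janedoe"]))
```

Group membership has to be supplied by the caller, because the template lists only the principals named in each right and not who belongs to them.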