PC Review



Allow ONLY Domain Admin to login to XP

 
 
Courtney R
Guest
Posts: n/a
 
      7th Feb 2006
We have a few new XP Pro machines on our network, but no people to use them,
yet. What I'd like to do is set up the machines to only allow the domain
administrator to log into each XP machine. (If possible, even deny access to
the local administrator account.) i.e. Have each machine deny access to
Joe.Bob if he tries to login.

Then remove this 'block' when the pc is ready for a regular user.

Is this possible?
 
 
 
 
 
Malke
Guest
Posts: n/a
 
      7th Feb 2006
Courtney R wrote:

> We have a few new XP Pro machines on our network, but no people to use
> them,
> yet. What I'd like to do is set up the machines to only allow the
> domain
> administrator to log into each XP machine. (If possible, even deny
> access to
> the local administrator account.) i.e. Have each machine deny access
> to Joe.Bob if he tries to login.
>
> Then remove this 'block' when the pc is ready for a regular user.
>
> Is this possible?


AFAIK you can't remove the built-in local Administrator account, nor
would you want to. You don't have to create any secondary local
accounts.

Set strong passwords on your local and domain Administrator accounts
instead.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
 
Courtney R
Guest
Posts: n/a
 
      7th Feb 2006
Our domain and local passwords are very strong, but this isn't really the
issue. The problem is that anyone with a domain account can sit down at one
of the new PC's and login. This is what I'm trying to avoid. Locking down
logins to ONLY the domain administrator on each new pc.

Anyone?

"Malke" wrote:

> Courtney R wrote:
>
> > We have a few new XP Pro machines on our network, but no people to use
> > them,
> > yet. What I'd like to do is set up the machines to only allow the
> > domain
> > administrator to log into each XP machine. (If possible, even deny
> > access to
> > the local administrator account.) i.e. Have each machine deny access
> > to Joe.Bob if he tries to login.
> >
> > Then remove this 'block' when the pc is ready for a regular user.
> >
> > Is this possible?

>
> AFAIK you can't remove the built-in local Administrator account, nor
> would you want to. You don't have to create any secondary local
> accounts.
>
> Set strong passwords on your local and domain Administrator accounts
> instead.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

 
 
Malke
Guest
Posts: n/a
 
      7th Feb 2006
Courtney R wrote:

> Our domain and local passwords are very strong, but this isn't really
> the
> issue. The problem is that anyone with a domain account can sit down
> at one
> of the new PC's and login. This is what I'm trying to avoid. Locking
> down logins to ONLY the domain administrator on each new pc.
>


This is not correct. Anyone with a domain *administrator's* account
could log in, certainly. However, you don't make your users domain
administrators do you? I hope not. If you don't trust the people you've
hired to be domain administrators - presumably just an IT person - then
you have issues that can't be solved technically. Please understand
that anyone with physical access to any computer can get into it if
they have time, skill, and a simple tool.

Spend some time at the Microsoft Technet site looking at best security
practices. Here is just one very useful link:
http://www.microsoft.com/technet/sec...s/default.mspx

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
 
Courtney R
Guest
Posts: n/a
 
      7th Feb 2006
I don't believe you have a grasp of what I'm trying to achieve.

There is only one domain administrator account on our network. I'm looking
for a registry setting, or other tool that will deny anyone from logging in,
except administrators. That will prevent 99% of our company users from
logging in.

I'm not worried/concerned about company users trying to get in via other
means than using the XP login prompt. I want to set it so XP will only
recognize one user name to login, and deny all others.

As it is now, any domain user can log in. And they are not administrators,
or part of the administrator group.

"Malke" wrote:

> Courtney R wrote:
>
> > Our domain and local passwords are very strong, but this isn't really
> > the
> > issue. The problem is that anyone with a domain account can sit down
> > at one
> > of the new PC's and login. This is what I'm trying to avoid. Locking
> > down logins to ONLY the domain administrator on each new pc.
> >

>
> This is not correct. Anyone with a domain *administrator's* account
> could log in, certainly. However, you don't make your users domain
> administrators do you? I hope not. If you don't trust the people you've
> hired to be domain administrators - presumably just an IT person - then
> you have issues that can't be solved technically. Please understand
> that anyone with physical access to any computer can get into it if
> they have time, skill, and a simple tool.
>
> Spend some time at the Microsoft Technet site looking at best security
> practices. Here is just one very useful link:
> http://www.microsoft.com/technet/sec...s/default.mspx
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

 
 
Steven L Umbach
Guest
Posts: n/a
 
      7th Feb 2006
You can manage the user right for logon locally in Local Security Policy to
reflect only the users/groups that you want to be able to logon to the
computer. For instance I would specify administrators only which will
prevent all users but administrators from logging on locally. This will of
course allow local administrators the ability to logon also but I believe in
XP that is hard coded but you could then try adding machine
name\administrator to the user right for deny logon locally though it is not
something I would do myself. You can change those user rights when needed.
--- Steve



"Courtney R" <(E-Mail Removed)> wrote in message
news:878CB6C1-0B3A-4CBC-AC03-(E-Mail Removed)...
> We have a few new XP Pro machines on our network, but no people to use
> them,
> yet. What I'd like to do is set up the machines to only allow the domain
> administrator to log into each XP machine. (If possible, even deny access
> to
> the local administrator account.) i.e. Have each machine deny access to
> Joe.Bob if he tries to login.
>
> Then remove this 'block' when the pc is ready for a regular user.
>
> Is this possible?



 
 
Courtney R
Guest
Posts: n/a
 
      7th Feb 2006
Well that will help me out for local users, but not domain users who sit down
and log in. And that's pretty much everyone at the company, all are domain
users.

"Steven L Umbach" wrote:

> You can manage the user right for logon locally in Local Security Policy to
> reflect only the users/groups that you want to be able to logon to the
> computer. For instance I would specify administrators only which will
> prevent all users but administrators from logging on locally. This will of
> course allow local administrators the ability to logon also but I believe in
> XP that is hard coded but you could then try adding machine
> name\administrator to the user right for deny logon locally though it is not
> something I would do myself. You can change those user rights when needed.
> --- Steve
>
>
>
> "Courtney R" <(E-Mail Removed)> wrote in message
> news:878CB6C1-0B3A-4CBC-AC03-(E-Mail Removed)...
> > We have a few new XP Pro machines on our network, but no people to use
> > them,
> > yet. What I'd like to do is set up the machines to only allow the domain
> > administrator to log into each XP machine. (If possible, even deny access
> > to
> > the local administrator account.) i.e. Have each machine deny access to
> > Joe.Bob if he tries to login.
> >
> > Then remove this 'block' when the pc is ready for a regular user.
> >
> > Is this possible?

>
>
>

 
 
Steven L Umbach
Guest
Posts: n/a
 
      7th Feb 2006
They would only be able to logon if they were also a local administrator of
the domain computer if the user right for logon locally specified only
administrators. Hopefully all your domain users are not local administrators
on every domain computer. By default members of the domain admins group are
also local administrators of domain computers so that would not exclude them
from logging onto the computer. --- Steve


"Courtney R" <(E-Mail Removed)> wrote in message
news:EF865534-9F23-4667-AE36-(E-Mail Removed)...
> Well that will help me out for local users, but not domain users who sit
> down
> and log in. And that's pretty much everyone at the company, all are
> domain
> users.
>
> "Steven L Umbach" wrote:
>
>> You can manage the user right for logon locally in Local Security Policy
>> to
>> reflect only the users/groups that you want to be able to logon to the
>> computer. For instance I would specify administrators only which will
>> prevent all users but administrators from logging on locally. This will
>> of
>> course allow local administrators the ability to logon also but I believe
>> in
>> XP that is hard coded but you could then try adding machine
>> name\administrator to the user right for deny logon locally though it is
>> not
>> something I would do myself. You can change those user rights when needed.
>> --- Steve
>>
>>
>>
>> "Courtney R" <(E-Mail Removed)> wrote in message
>> news:878CB6C1-0B3A-4CBC-AC03-(E-Mail Removed)...
>> > We have a few new XP Pro machines on our network, but no people to use
>> > them,
>> > yet. What I'd like to do is set up the machines to only allow the
>> > domain
>> > administrator to log into each XP machine. (If possible, even deny
>> > access
>> > to
>> > the local administrator account.) i.e. Have each machine deny access
>> > to
>> > Joe.Bob if he tries to login.
>> >
>> > Then remove this 'block' when the pc is ready for a regular user.
>> >
>> > Is this possible?

>>
>>
>>



 
 
Courtney R
Guest
Posts: n/a
 
      7th Feb 2006
Please forgive me if I sound rude or stern with this response... But the
answers I have been getting do not really apply to my problem.

I just want domain users to be prevented from logging into a certain XP Pro
machine. With the exception of the Domain administrator, or local
administrator account. Everyone else, 'Access Denied!'

Is there a way to do this? I looked in the Local Users & Groups, and there
isn't any function to deny access on a user level, or group level.

"Steven L Umbach" wrote:

> They would only be able to logon if they were also a local administrator of
> the domain computer if the user right for logon locally specified only
> administrators. Hopefully all your domain users are not local administrators
> on every domain computer. By default members of the domain admins group are
> also local administrators of domain computers so that would not exclude them
> from logging onto the computer. --- Steve
>
>
> "Courtney R" <(E-Mail Removed)> wrote in message
> news:EF865534-9F23-4667-AE36-(E-Mail Removed)...
> > Well that will help me out for local users, but not domain users who sit
> > down
> > and log in. And that's pretty much everyone at the company, all are
> > domain
> > users.
> >
> > "Steven L Umbach" wrote:
> >
> >> You can manage the user right for logon locally in Local Security Policy
> >> to
> >> reflect only the users/groups that you want to be able to logon to the
> >> computer. For instance I would specify administrators only which will
> >> prevent all users but administrators from logging on locally. This will
> >> of
> >> course allow local administrators the ability to logon also but I believe
> >> in
> >> XP that is hard coded but you could then try adding machine
> >> name\administrator to the user right for deny logon locally though it is
> >> not
> >> something I would do myself. You can change those user rights when needed.
> >> --- Steve
> >>
> >>
> >>
> >> "Courtney R" <(E-Mail Removed)> wrote in message
> >> news:878CB6C1-0B3A-4CBC-AC03-(E-Mail Removed)...
> >> > We have a few new XP Pro machines on our network, but no people to use
> >> > them,
> >> > yet. What I'd like to do is set up the machines to only allow the
> >> > domain
> >> > administrator to log into each XP machine. (If possible, even deny
> >> > access
> >> > to
> >> > the local administrator account.) i.e. Have each machine deny access
> >> > to
> >> > Joe.Bob if he tries to login.
> >> >
> >> > Then remove this 'block' when the pc is ready for a regular user.
> >> >
> >> > Is this possible?
> >>
> >>
> >>

>
>
>

 
 
Steven L Umbach
Guest
Posts: n/a
 
      7th Feb 2006
Again the only way you can do that is by modifying the user rights for logon
locally and deny logon locally keeping in mind that the deny logon locally
user right overrides the allow logon locally user right. User rights are
managed via Local Security Policy under local policies/user rights. If you
can not change a user right via Local Security Policy then that user right
is being applied by a domain/OU Group Policy and would have to be configured
via that GPO. By default users and other groups are included in the user
right to logon locally. If you remove all users/groups other than
administrators then only users/groups in the local administrators group on
that computer would be able to logon to it and everyone else would be denied
with a message that they do not have the required logon privilege for the
computer. In almost all enterprise networks that would be only members of
the domain admins group and the built in local administrator account which
means that all the other domain users would not be able to logon. Why would
that not work for you? --- Steve



"Courtney R" <(E-Mail Removed)> wrote in message
news:36126ACF-0F4F-4AAB-A3C0-(E-Mail Removed)...
> Please forgive me if I sound rude or stern with this response... But the
> answers I have been getting do not really apply to my problem.
>
> I just want domain users to be prevented from logging into a certain XP
> Pro
> machine. With the exception of the Domain administrator, or local
> administrator account. Everyone else, 'Access Denied!'
>
> Is there a way to do this? I looked in the Local Users & Groups, and
> there
> isn't any function to deny access on a user level, or group level.
>
> "Steven L Umbach" wrote:
>
>> They would only be able to logon if they were also a local administrator
>> of
>> the domain computer if the user right for logon locally specified only
>> administrators. Hopefully all your domain users are not local
>> administrators
>> on every domain computer. By default members of the domain admins group
>> are
>> also local administrators of domain computers so that would not exclude
>> them
>> from logging onto the computer. --- Steve
>>
>>
>> "Courtney R" <(E-Mail Removed)> wrote in message
>> news:EF865534-9F23-4667-AE36-(E-Mail Removed)...
>> > Well that will help me out for local users, but not domain users who
>> > sit
>> > down
>> > and log in. And that's pretty much everyone at the company, all are
>> > domain
>> > users.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> You can manage the user right for logon locally in Local Security
>> >> Policy
>> >> to
>> >> reflect only the users/groups that you want to be able to logon to the
>> >> computer. For instance I would specify administrators only which will
>> >> prevent all users but administrators from logging on locally. This
>> >> will
>> >> of
>> >> course allow local administrators the ability to logon also but I
>> >> believe
>> >> in
>> >> XP that is hard coded but you could then try adding machine
>> >> name\administrator to the user right for deny logon locally though it
>> >> is
>> >> not
>> >> something I would do myself. You can change those user rights when
>> >> needed.
>> >> --- Steve
>> >>
>> >>
>> >>
>> >> "Courtney R" <(E-Mail Removed)> wrote in message
>> >> news:878CB6C1-0B3A-4CBC-AC03-(E-Mail Removed)...
>> >> > We have a few new XP Pro machines on our network, but no people to
>> >> > use
>> >> > them,
>> >> > yet. What I'd like to do is set up the machines to only allow the
>> >> > domain
>> >> > administrator to log into each XP machine. (If possible, even deny
>> >> > access
>> >> > to
>> >> > the local administrator account.) i.e. Have each machine deny
>> >> > access
>> >> > to
>> >> > Joe.Bob if he tries to login.
>> >> >
>> >> > Then remove this 'block' when the pc is ready for a regular user.
>> >> >
>> >> > Is this possible?
>> >>
>> >>
>> >>

>>
>>
>>
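
Added example, not part of the original thread: a Python audit of the [Privilege Rights] section of a security template, applying the rule described above that "deny logon locally" overrides "log on locally". The sample templates, the S-1-5-21-... account SIDs and the function names are constructed for illustration; account names in a template are not resolved to SIDs here.

```python
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"  # well-known BUILTIN group SIDs

# Constructed sample: the policy from the thread (Administrators only), plus a
# deny entry for a made-up local Administrator account SID.
HARDENED = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-4444-5555-6666-500
[Version]
signature="$CHICAGO$"
"""
# Constructed sample resembling a default policy that still lists Users.
DEFAULT = "[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545\n"

# Constructed logon tokens: the account SID plus the SIDs of its groups.
TOKENS = {
    "domain user": {"S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-513", USERS},
    "domain admin": {"S-1-5-21-1111-2222-3333-500", "S-1-5-21-1111-2222-3333-512", ADMINS},
    "local admin": {"S-1-5-21-4444-5555-6666-500", ADMINS},
}

def parse_privilege_rights(template_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        # Entries are comma separated; SIDs carry a leading '*'.
        members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights

def can_log_on_locally(rights, token_sids):
    """token_sids: the user's own SID plus every group SID in the logon token."""
    token = {s.upper() for s in token_sids}
    if rights.get(DENY, set()) & token:
        return False  # deny overrides allow, even for an Administrators member
    return bool(rights.get(ALLOW, set()) & token)

def audit(template_text):
    rights = parse_privilege_rights(template_text)
    return {who: can_log_on_locally(rights, sids) for who, sids in TOKENS.items()}

if __name__ == "__main__":
    for label, text in (("default", DEFAULT), ("hardened", HARDENED)):
        print(label, audit(text))
```

To run it against a real machine, export the template with `secedit /export /cfg <file>`, decode the file to text, and pass that text to `audit()` with tokens built from the accounts you care about.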



 