Logon restrictions

Guest

I have taken over a small network with a Windows 2000 Server domain
controller and Windows 2000 Pro clients. Currently, any user may log on to
any client system using their username and pw. This creates a local profile
and allows them use of the system. How can this be prevented, i.e. any given
user may only log on to their designated workstation?
 
Roger Abell

Use the User Right that is in W2k called "Log on locally"
to state the exact set of accounts allowed to log on at the
console of each machine.
 
Miha Pihler

Hi,

Roger answered how you can restrict the access. I would just like to warn
you that these settings could lock you out of your own system. Pay
attention when restricting access. If you only add an account named "BobS"
to "Allow logon locally", this setting will prevent (domain) administrators
from logging on to the computer. Another example would be to add "Domain
Administrators" to "Allow Logon Locally" and add Domain Users to "Deny Logon
Locally". This will also prevent domain administrators from logging on locally,
since they are members of the Domain Users group and Deny has priority over
Allow. To do this last example correctly, you would only add "Domain
Administrators" to "Allow logon locally". Since you didn't specify any other
groups under "Allow logon locally", any user who is not a member of the "domain
administrators" group will not be able to log on.

Mike
 
Roger Abell

Miha Pihler said:
> Hi,
>
> Roger answered how you can restrict the access. I would just like to warn
> you that these settings could lock you out of your own system. Pay
> attention when restricting access. If you only add an account named "BobS"
> to "Allow logon locally", this setting will prevent (domain) administrators
> from logging on to the computer.

Which might be a good thing in some environments :)

> Another example would be to add "Domain
> Administrators" to "Allow Logon Locally" and add Domain Users to "Deny Logon
> Locally". This will also prevent domain administrators from logging on locally,
> since they are members of the Domain Users group and Deny has priority over
> Allow.

Now, where it gets really nasty is when the person does this
to both Local logon and Network logon settings!!
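
The allow/deny behaviour described in the posts above, as an added example that is not part of the original thread: a simplified Python model of logon-right evaluation that reports which accounts a planned policy would refuse, so a lockout shows up before the setting is applied. The account names, the `MEMBER_OF` table and the policy dictionaries are constructed for illustration.

```python
# Simplified model of logon-right evaluation (added example, not Windows code).
# All account names, group memberships and policies below are constructed.

# Direct memberships: principal -> groups it belongs to.
MEMBER_OF = {
    "BobS": {"Domain Users"},
    "AdminA": {"Domain Administrators", "Domain Users"},
}
ACCOUNTS = ["BobS", "AdminA"]

def principals(account):
    """Return the account plus every group it belongs to, transitively."""
    seen, todo = set(), [account]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(MEMBER_OF.get(p, ()))
    return seen

def can_log_on(account, allow, deny):
    """Deny has priority over allow; matching neither list means refused."""
    who = principals(account)
    if who & set(deny):
        return False
    return bool(who & set(allow))

def locked_out(policy, accounts):
    """Map each logon type in the policy to the accounts it refuses."""
    return {
        logon_type: sorted(a for a in accounts
                           if not can_log_on(a, rule["allow"], rule["deny"]))
        for logon_type, rule in policy.items()
    }

# The configurations discussed in the thread.
ONLY_BOBS = {"local": {"allow": ["BobS"], "deny": []}}
ALLOW_ADMINS_DENY_USERS = {"local": {"allow": ["Domain Administrators"],
                                     "deny": ["Domain Users"]}}
ALLOW_ADMINS_ONLY = {"local": {"allow": ["Domain Administrators"], "deny": []}}
# Same allow/deny pair applied to both local and network logon.
BOTH = {t: ALLOW_ADMINS_DENY_USERS["local"] for t in ("local", "network")}

if __name__ == "__main__":
    for name, pol in [("only BobS", ONLY_BOBS),
                      ("allow admins, deny users", ALLOW_ADMINS_DENY_USERS),
                      ("allow admins only", ALLOW_ADMINS_ONLY),
                      ("local and network", BOTH)]:
        print(name, "->", locked_out(pol, ACCOUNTS))
```

An empty list for a logon type means nobody in `ACCOUNTS` is refused; an administrator account appearing under every logon type is the lockout case.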
 
