2000: disallow workgroup users except those specified

[Timber]

I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any user from
that workgroup to log on to it, regardless of whether they
have an existing login defined in Users and Passwords. Is
there any way to change this?
I want only specified users to be able to log on to this
machine.

 

[Steven L Umbach]

I asume you mean network logon as accessing a share?? You can not logon to a
machine locally at the console unless you have a user account to
authenticate against the local sam [unless autologon is enabled]. My guess
is that the guest account may be enabled on the machine offering shares in
which case any network user can access it. If it is enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest account and then
disable it. --- Steve

 

[Timber]

I'm sorry, I didn't explain well. I have a machine
running NT 4.0 Server that is a part of the workgroup.
My 2000 allows any person locally at it to log on to
either (this computer) or to the workgroup.
If they choose to log on to the workgroup, any user
defined on the NT 4.0 Server can log on to the 2000
without being defined in it's Users and Passwords.

-----Original Message-----
I asume you mean network logon as accessing a share?? You can not logon to a
machine locally at the console unless you have a user account to
authenticate against the local sam [unless autologon is enabled]. My guess
is that the guest account may be enabled on the machine offering shares in
which case any network user can access it. If it is enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest account and then
disable it. --- Steve

I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any user from
that workgroup to log on to it, regardless of whether they
have an existing login defined in Users and Passwords. Is
there any way to change this?
I want only specified users to be able to log on to this
machine.

.

 

[Timber]

Btw--> the guest account is already disabled.
In case you're right, is there any way to disable the
Guest group? I'm not seeing that option.

-----Original Message-----
I asume you mean network logon as accessing a share?? You can not logon to a
machine locally at the console unless you have a user account to
authenticate against the local sam [unless autologon is enabled]. My guess
is that the guest account may be enabled on the machine offering shares in
which case any network user can access it. If it is enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest account and then
disable it. --- Steve

I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any user from
that workgroup to log on to it, regardless of whether they
have an existing login defined in Users and Passwords. Is
there any way to change this?
I want only specified users to be able to log on to this
machine.

.

 

[Steven L Umbach]

I am still confused. There are two types of normal use logon. Interactive/console
where a user logs onto the local computer entering their logon name and password to
get access, or network where a user already logged onto a local computer tries to
access a network share on another computer. There is not a workgroup logon per se. A
user logged onto a local computer will need to have credentials to access a share on
a network computer, either their logged on credentials or they will be prompted for
credentials to access the share if their user account that they are logged onto the
local computer does not exist on the target computer offering the share. However if
the computer offering the share has the guest account enabled and the share/ntfs
permissions include the everyone group then anyone from anywhere will get access even
if they do not have a user account on the computer offering the share. --- Steve

I'm sorry, I didn't explain well. I have a machine
running NT 4.0 Server that is a part of the workgroup.
My 2000 allows any person locally at it to log on to
either (this computer) or to the workgroup.
If they choose to log on to the workgroup, any user
defined on the NT 4.0 Server can log on to the 2000
without being defined in it's Users and Passwords.

-----Original Message-----
I asume you mean network logon as accessing a share?? You can not logon to a
machine locally at the console unless you have a user account to
authenticate against the local sam [unless autologon is enabled]. My guess
is that the guest account may be enabled on the machine offering shares in
which case any network user can access it. If it is enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest account and then
disable it. --- Steve

I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any user from
that workgroup to log on to it, regardless of whether they
have an existing login defined in Users and Passwords. Is
there any way to change this?
I want only specified users to be able to log on to this
machine.

.

 

[Timber]

I'm not concerned about the computer's shares. I'm
speaking about a person physically logging onto this
specific PC/console.
They are given a choice at the Log on to Windows
screen "Log on to [pull-down menu]"; our workgroup (which
is managed by our NT 4.0 Server) is allowed as a choice in
this pull-down menu. If they are recognized as a user
defined in the NT Server, this physical windows 2000 PC
will allow them to log on to it, even though they are not
defined as a user in the PC's User and Password settings.
Is there any way to stop this?

-----Original Message-----
I am still confused. There are two types of normal use logon. Interactive/console
where a user logs onto the local computer entering their logon name and password to
get access, or network where a user already logged onto a local computer tries to
access a network share on another computer. There is not a workgroup logon per se. A
user logged onto a local computer will need to have

credentials to access a share on

a network computer, either their logged on credentials or they will be prompted for
credentials to access the share if their user account that they are logged onto the
local computer does not exist on the target computer offering the share. However if
the computer offering the share has the guest account enabled and the share/ntfs
permissions include the everyone group then anyone from anywhere will get access even
if they do not have a user account on the computer offering the share. --- Steve

I'm sorry, I didn't explain well. I have a machine
running NT 4.0 Server that is a part of the workgroup.
My 2000 allows any person locally at it to log on to
either (this computer) or to the workgroup.
If they choose to log on to the workgroup, any user
defined on the NT 4.0 Server can log on to the 2000
without being defined in it's Users and Passwords.

-----Original Message-----
I asume you mean network logon as accessing a share??

You
can not logon to a

machine locally at the console unless you have a user account to
authenticate against the local sam [unless autologon is enabled]. My guess
is that the guest account may be enabled on the machine offering shares in
which case any network user can access it. If it is enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest account and then
disable it. --- Steve


I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any user from
that workgroup to log on to it, regardless of whether they
have an existing login defined in Users and

Passwords.
Is

there any way to change this?
I want only specified users to be able to log on to this
machine.


.

.

 

[Steven L Umbach]

OK. Then they have the option to logon to the domain or the local machine.
You can configure who can logon to a W2K computer via Local Security Policy
[secpol.msc]. Go to security settings/local policies/user righjts
assignments and configure logon locally to only have the users/groups that
you want to logon probably removing users and everyone and leaving
administrators and other specfic users or a group you create and add members
to. There is also a deny logon locally user right, but be careful with deny
permissions as administrator are also members of the users and everyone
group. --- Steve

I'm not concerned about the computer's shares. I'm
speaking about a person physically logging onto this
specific PC/console.
They are given a choice at the Log on to Windows
screen "Log on to [pull-down menu]"; our workgroup (which
is managed by our NT 4.0 Server) is allowed as a choice in
this pull-down menu. If they are recognized as a user
defined in the NT Server, this physical windows 2000 PC
will allow them to log on to it, even though they are not
defined as a user in the PC's User and Password settings.
Is there any way to stop this?

-----Original Message-----
I am still confused. There are two types of normal use logon. Interactive/console
where a user logs onto the local computer entering their logon name and password to
get access, or network where a user already logged onto a local computer tries to
access a network share on another computer. There is not a workgroup logon per se. A
user logged onto a local computer will need to have

credentials to access a share on

a network computer, either their logged on credentials or they will be prompted for
credentials to access the share if their user account that they are logged onto the
local computer does not exist on the target computer offering the share. However if
the computer offering the share has the guest account enabled and the share/ntfs
permissions include the everyone group then anyone from anywhere will get access even
if they do not have a user account on the computer offering the share. --- Steve

I'm sorry, I didn't explain well. I have a machine
running NT 4.0 Server that is a part of the workgroup.
My 2000 allows any person locally at it to log on to
either (this computer) or to the workgroup.
If they choose to log on to the workgroup, any user
defined on the NT 4.0 Server can log on to the 2000
without being defined in it's Users and Passwords.

-----Original Message-----
I asume you mean network logon as accessing a share?? You
can not logon to a
machine locally at the console unless you have a user
account to
authenticate against the local sam [unless autologon is
enabled]. My guess
is that the guest account may be enabled on the machine
offering shares in
which case any network user can access it. If it is
enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest
account and then
disable it. --- Steve


message
I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any user from
that workgroup to log on to it, regardless of whether
they
have an existing login defined in Users and Passwords.
Is
there any way to change this?
I want only specified users to be able to log on to this
machine.


.

.

 

[Timber]

Yea!!!
Exactly what I was looking for.
Thank you.

-----Original Message-----
OK. Then they have the option to logon to the domain or the local machine.
You can configure who can logon to a W2K computer via Local Security Policy
[secpol.msc]. Go to security settings/local policies/user righjts
assignments and configure logon locally to only have the users/groups that
you want to logon probably removing users and everyone and leaving
administrators and other specfic users or a group you create and add members
to. There is also a deny logon locally user right, but be careful with deny
permissions as administrator are also members of the users and everyone
group. --- Steve

I'm not concerned about the computer's shares. I'm
speaking about a person physically logging onto this
specific PC/console.
They are given a choice at the Log on to Windows
screen "Log on to [pull-down menu]"; our workgroup (which
is managed by our NT 4.0 Server) is allowed as a choice in
this pull-down menu. If they are recognized as a user
defined in the NT Server, this physical windows 2000 PC
will allow them to log on to it, even though they are not
defined as a user in the PC's User and Password settings.
Is there any way to stop this?

-----Original Message-----
I am still confused. There are two types of normal use logon. Interactive/console
where a user logs onto the local computer entering

their
logon name and password to

get access, or network where a user already logged

onto a
local computer tries to

access a network share on another computer. There is

not
a workgroup logon per se. A

user logged onto a local computer will need to have

credentials to access a share on

a network computer, either their logged on credentials

or
they will be prompted for

credentials to access the share if their user account that they are logged onto the
local computer does not exist on the target computer offering the share. However if
the computer offering the share has the guest account enabled and the share/ntfs
permissions include the everyone group then anyone from anywhere will get access even
if they do not have a user account on the computer offering the share. --- Steve


I'm sorry, I didn't explain well. I have a machine
running NT 4.0 Server that is a part of the workgroup.
My 2000 allows any person locally at it to log on to
either (this computer) or to the workgroup.
If they choose to log on to the workgroup, any user
defined on the NT 4.0 Server can log on to the 2000
without being defined in it's Users and Passwords.

-----Original Message-----
I asume you mean network logon as accessing a

share??
You

can not logon to a
machine locally at the console unless you have a user
account to
authenticate against the local sam [unless autologon is
enabled]. My guess
is that the guest account may be enabled on the machine
offering shares in
which case any network user can access it. If it is
enabled, disable via
lusrmgr.msc [enter in run box] and select users/guest
account and then
disable it. --- Steve


message
I have a machine on my network (peer-to-peer workgroup)
running 2000 Professional which will allow any

user
from

that workgroup to log on to it, regardless of whether
they
have an existing login defined in Users and Passwords.
Is
there any way to change this?
I want only specified users to be able to log on

to
this

machine.


.



.

.