Allow ONLY Domain Admin to login to XP

Guest

We have a few new XP Pro machines on our network, but no people to use them,
yet. What I'd like to do is set up the machines to only allow the domain
administrator to log into each XP machine. (If possible, even deny access to
the local administrator account.) i.e. Have each machine deny access to
Joe.Bob if he tries to login.

Then remove this 'block' when the pc is ready for a regular user.

Is this possible?
 
Malke

Courtney said:
We have a few new XP Pro machines on our network, but no people to use them,
yet. What I'd like to do is set up the machines to only allow the domain
administrator to log into each XP machine. (If possible, even deny access to
the local administrator account.) i.e. Have each machine deny access to
Joe.Bob if he tries to login.

Then remove this 'block' when the pc is ready for a regular user.

Is this possible?

AFAIK you can't remove the built-in local Administrator account, nor
would you want to. You don't have to create any secondary local
accounts.

Set strong passwords on your local and domain Administrator accounts
instead.

Malke
 
Guest

Our domain and local passwords are very strong, but this isn't really the
issue. The problem is that anyone with a domain account can sit down at one
of the new PCs and login. This is what I'm trying to avoid. Locking down
logins to ONLY the domain administrator on each new pc.

Anyone?
 
Malke

Courtney said:
Our domain and local passwords are very strong, but this isn't really the
issue. The problem is that anyone with a domain account can sit down at one
of the new PCs and login. This is what I'm trying to avoid. Locking down
logins to ONLY the domain administrator on each new pc.

This is not correct. Anyone with a domain *administrator's* account
could log in, certainly. However, you don't make your users domain
administrators, do you? I hope not. If you don't trust the people you've
hired to be domain administrators - presumably just an IT person - then
you have issues that can't be solved technically. Please understand
that anyone with physical access to any computer can get into it if
they have time, skill, and a simple tool.

Spend some time at the Microsoft TechNet site looking at best security
practices. Here is just one very useful link:
http://www.microsoft.com/technet/security/topics/default.mspx

Malke
 
Guest

I don't believe you have a grasp of what I'm trying to achieve.

There is only one domain administrator account on our network. I'm looking
for a registry setting, or other tool that will deny anyone from logging in,
except administrators. That will prevent 99% of our company users from
logging in.

I'm not worried/concerned about company users trying to get in via other
means than using the XP login prompt. I want to set it so XP will only
recognize one user name to login, and deny all others.

As it is now, any domain user can log in. And they are not administrators,
or part of the administrator group.
 
Steven L Umbach

You can manage the user right for logon locally in Local Security Policy to
reflect only the users/groups that you want to be able to logon to the
computer. For instance, I would specify administrators only, which will
prevent all users but administrators from logging on locally. This will of
course allow local administrators the ability to logon also, but I believe in
XP that is hard coded, but you could then try adding
machinename\administrator to the user right for deny logon locally, though it
is not something I would do myself. You can change those user rights when
needed. --- Steve
 
Guest

Well that will help me out for local users, but not domain users who sit down
and log in. And that's pretty much everyone at the company, all are domain
users.
 
Steven L Umbach

They would only be able to logon if they were also a local administrator of
the domain computer if the user right for logon locally specified only
administrators. Hopefully all your domain users are not local administrators
on every domain computer. By default members of the domain admins group are
also local administrators of domain computers so that would not exclude them
from logging onto the computer. --- Steve
 
Guest

Please forgive me if I sound rude or stern with this response... But the
answers I have been getting are answers that do not really apply to my problem.

I just want domain users to be prevented from logging into a certain XP Pro
machine. With the exception of the Domain administrator, or local
administrator account. Everyone else, 'Access Denied!'

Is there a way to do this? I looked in the Local Users & Groups, and there
isn't any function to deny access on a user level, or group level.
 
Steven L Umbach

Again the only way you can do that is by modifying the user rights for logon
locally and deny logon locally keeping in mind that the deny logon locally
user right overrides the allow logon locally user right. User rights are
managed via Local Security Policy under local policies/user rights. If you
can not change a user right via Local Security Policy then that user right
is being applied by a domain/OU Group Policy and would have to be configured
via that GPO. By default users and other groups are included in the user
right to logon locally. If you remove all users/groups other than
administrators then only users/groups in the local administrators group on
that computer would be able to logon to it and everyone else would be denied
with a message that they do not have the required logon privilege for the
computer. In almost all enterprise networks that would be only members of
the domain admins group and the built in local administrator account which
means that all the other domain users would not be able to logon. Why would
that not work for you? --- Steve
 
Shenan Stanley

Courtney said:
We have a few new XP Pro machines on our network, but no people to
use them, yet. What I'd like to do is set up the machines to only
allow the domain administrator to log into each XP machine. (If
possible, even deny access to the local administrator account.)
i.e. Have each machine deny access to Joe.Bob if he tries to login.

Then remove this 'block' when the pc is ready for a regular user.

Is this possible?

Deny Local Logon and Allow Local Logon group policies on the machine.
If you set these policies at a domain level - they will likely overwrite
what you do locally.
If you do nothing with the policies domain-wise - then you should be able to
set it this way.

You can deny/allow any local/domain user/group you desire.
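
The user-rights approach described in the replies above can be checked after the fact. The following is an added example, not part of the original thread: it audits the `[Privilege Rights]` section of a user-rights export such as one written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The sample file contents and the function names are constructed for illustration.

```python
# Added example: audit "log on locally" rights in a secedit user-rights export.
ADMINS = "*S-1-5-32-544"               # well-known SID of BUILTIN\Administrators
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Constructed samples of the [Privilege Rights] section (real exports are UTF-16).
DEFAULT_XP = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,Guest
"""
LOCKED_DOWN = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = Guest
"""
SELF_LOCKOUT = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-32-544
"""

def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit_local_logon(inf_text):
    """List deviations from 'only Administrators may log on locally'."""
    rights = parse_rights(inf_text)
    allow, deny = rights.get(ALLOW, []), rights.get(DENY, [])
    findings = [f"{p} is allowed to log on locally" for p in allow if p != ADMINS]
    if ADMINS not in allow:
        findings.append("Administrators lacks the log on locally right")
    if ADMINS in deny:
        # Deny overrides allow, so this entry would lock out every administrator.
        findings.append("Administrators is in deny logon locally (deny wins)")
    return findings

if __name__ == "__main__":
    samples = [("default", DEFAULT_XP), ("locked", LOCKED_DOWN), ("lockout", SELF_LOCKOUT)]
    for label, text in samples:
        print(label, audit_local_logon(text) or "OK")
```

An empty result means only the local Administrators group holds the right, which on a domain member normally includes Domain Admins.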
 