Deny local logon but allow share connection

D

David Trimboli

I've got a Windows XP Professional (SP2) domain workstation, and have
sole control of the administrator accounts on it. In performing certain
domain administrative functions I like to share out a hard drive for
others on the domain to write to.

However, I work with a bunch of people who like to screw up computers
that they don't own, and I want to prevent them from logging on. When I
set the following policy:

Computer Configuration\Windows Settings\Security Settings\
Local Policies\User Rights Assignment\Log on locally

to allow only my accounts to log into the computer, it also prevents
access to the network share by everyone else.

Is there a way to allow accounts to connect to a share on the computer,
without actually being able to log into the computer when they sit in
front of it, short of leaving it logged in and locked all the time?

David
Stardate 5189.9
 
D

David Trimboli

But to use "deny logon locally," I'd need to create an explicit list of
users to deny. There is no way to deny "everyone except me," and I don't
want to put in a thousand different account names.

I also can't set Everyone in "deny logon locally," and then set my
accounts in "log on locally," because the deny setting overrules the
allow setting.

David
Stardate 5190.6
 
M

Matt Gibson

It depends on what's easier to do, type in all the users that ARE allowed to
login under "login locally", or just put the ones that can't into "deny
local login"

Matt Gibson - GSEC
 
D

David Trimboli

Yes, but as per my original question, how can I permit connections to
shares without allowing logging into the desktop?

David
Stardate 5192.6
 
M

Matt Gibson

Deny login locally, or Login Locally.

You'll have to either do one or the other.

Matt Gibson - GSEC
 
M

Matt Gibson

Just a thought...

Why not make a new group, and add everyone to that...then add that group to
the deny or allow, rather than all the users.

Matt Gibson - GSEC
 
D

David Trimboli

In other words, the answer is, no, you have to allow people to log into
the desktop if you want them to be able to log into a share?

David
Stardate 5193.2
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top