How To Allow Only Designated User to logon to One workstation

Phoenix

I would like to set up a Windows workstation to allow only
the designated domain users to be able to log on to one
workstation. I hope I say this correctly: this
workstation will have a profile that meets all of their
software needs so I don't have to create the profiles
individually.

Please can you tell me how to do this, or maybe direct me
to where one can find quick and easy instructions on how to do
this. It is appreciated.

Thanks again!
Ulf B. Simon-Weidner

Hi Phoenix,

I don't exactly understand what you mean, but if you want to allow only a few
users to log onto a workstation you can create a group which contains those
users, then go into the group policy for that computer (or OU - depends on what
scope you want for the policy) and put the group into the GPO Computer
Configuration -> Windows Settings -> Security Settings -> Local Policies -> User
Rights -> Allow log on locally

You can remove the groups you don't want/need to logon to this machine.

Please see the following KB prior to prevent issues (scroll down to the "Allow
log on locally" paragraph):
Client, Service, and Program Incompatibilities That May Occur When You Modify
Security Settings and User Rights Assignments
http://support.microsoft.com/?id=823659


Gruesse - Sincerely,

Ulf B. Simon-Weidner
Phoenix

Ulf,

Thanks for your quick response and good instructions. It
will probably take some time to read and digest KB823659.
I viewed the "Access this computer from the Network"
setting and it has some strange entries. Therefore, I
need to divert from my original question to you in order
to understand this setting first. It has the following
users assigned:

1. An account titled S-1-5-1...

There are 2 of these in there and I don't know why or
how????? It seems like I can remove these but can you
clarify what these are.

2. Administrators, Authenticated Users, Everyone

Which you say could cause the incompatibility problems stated
in KB823659. Therefore I will not remove these at this
time.

3. IUSR_(myservername) and IWAN_(myservername)

Do these need to stay? If I remove them will they cause
incompatibility problems?

MY ORIGINAL QUESTION:::
I believe you have answered. However, I would like to
explain again what I'm trying to do. I have one
workstation (computer name: maintenance). 5 guys will be
using it for e-mail, 2 will use it for MP2 database
entries, others will use it for network access. I want to
create a common image on this workstation that will
satisfy everyone's computer needs. I know I can create
a general user account but I don't want anyone else to
log on to this machine with their individual user account,
because this will create numerous profiles and aggravation
for me. That's what prompted me to ask you if I can
restrict others from logging onto this machine and only
assign those users who do need to use it.

I thought if I created a new computer "maintenance" in AD
to associate with the local computer name "maintenance" and
removed the default Domain Users as primary group and added my
GRP_Maint as the primary group. To this group GRP_Maint I
have added just those user accounts that I want to access
this machine. I was just taking stabs in the dark. Is
this another possible way to do what I'm looking to do?

Again, your help is greatly appreciated.

Ulf B. Simon-Weidner

Hi Phoenix,

sorry for getting back to you quite late, but I've been very busy in the last
two days.
However, I'll answer your questions inline for your convenience:

> I
> need to divert from my original question to you in order
> to understand this setting first. It has the following
> users assigned:
>
> 1. An account titled S-1-5-1...
>
> There are 2 of these in there and I don't know why or
> how????? It seems like I can remove these but can you
> clarify what these are.

Those are the security identifiers (SID) of user accounts. The security
descriptor of an object holds access control lists (DACL and SACL) which consist
of access control entries (ACE). In the ACEs the SID of the account is stored.
When a user tries to access a resource the ACEs of the resource are verified
against the SIDs of the user (his SID, SID-History and group SIDs).
If you list the security of a resource and the system is not able to resolve
the SID to the user/group name it displays the SID. This is possible when
either no domain controller is online/available to resolve the SID, or if an
object has been deleted (unfortunately the system is not able to remove all
ACEs of all resources when a user or group is deleted).

So you can remove those S-1-5-... settings if you are sure that they are not of
a different domain of yours which is for some reason not online right now.

For more info on SIDs see (URL may wrap):
Security Identifiers (Platform SDK: Security)
http://msdn.microsoft.com/library/en-us/security/security/security_identifiers.asp

> 2. Administrators, Authenticated Users, Everyone
>
> Which you say could cause the incompatibility problems stated
> in KB823659. Therefore I will not remove these at this
> time.

To prevent access control you'll have to remove Everyone and Authenticated
Users.

> 3. IUSR_(myservername) and IWAN_(myservername)
>
> Do these need to stay? If I remove them will they cause
> incompatibility problems?

Do you have IIS installed on the system? Then you'll need them. If you don't
need IIS I'd rather deinstall it.

> MY ORIGINAL QUESTION:::
> I believe you have answered. However, I would like to
> explain again what I'm trying to do. I have one
> workstation (computer name: maintenance). 5 guys will be
> using it for e-mail, 2 will use it for MP2 database
> entries, others will use it for network access. I want to
> create a common image on this workstation that will
> satisfy everyone's computer needs. I know I can create
> a general user account but I don't want anyone else to
> log on to this machine with their individual user account,
> because this will create numerous profiles and aggravation
> for me. That's what prompted me to ask you if I can
> restrict others from logging onto this machine and only
> assign those users who do need to use it.
>
> I thought if I created a new computer "maintenance" in AD
> to associate with the local computer name "maintenance" and
> removed the default Domain Users as primary group and added my
> GRP_Maint as the primary group. To this group GRP_Maint I
> have added just those user accounts that I want to access
> this machine. I was just taking stabs in the dark. Is
> this another possible way to do what I'm looking to do?
>
> Again, your help is greatly appreciated.

You changed the permissions directly on the computer object in AD? This is not
the way to go and will AFAIK not provide you with the result you are looking
for.
I'd either create an OU in AD, and assign a Group Policy to that OU which will
change the security on the computers. This will be the way to go if you need to
set that group on more than one computer.
Or you can set this in the local group policy. Just start gpedit.msc, then go
to Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> User Rights Assignment and adjust the groups in here.

Afterwards you'll either have to wait, or type "gpupdate /force" to update the
policy immediately.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
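An added audit script, written here as an example and not part of the thread, that exports the local User Rights Assignment with secedit and resolves each SID in the two rights discussed above ("Allow log on locally" is SeInteractiveLogonRight, "Access this computer from the network" is SeNetworkLogonRight). It flags unresolvable S-1-5-... entries like the ones Phoenix saw, and the over-broad Everyone and Authenticated Users groups Ulf says to remove. It assumes an elevated PowerShell prompt on the workstation; the temp file name and output layout are my choices.

```powershell
# Added example: audit who holds the logon rights discussed in the thread.
$rights = @{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeNetworkLogonRight     = 'Access this computer from the network'
}
# Well-known SIDs that grant the right to everybody (should not be present
# on a workstation that is meant to be restricted to one group).
$tooBroad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

# secedit writes the [Privilege Rights] section as "SeXxx = *SID,*SID,..."
$inf = Join-Path $env:TEMP 'secpol-audit.inf'   # temp path chosen for this example
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf

foreach ($priv in $rights.Keys) {
    Write-Host "`n$($rights[$priv]) ($priv):"
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" }
    if (-not $line) { Write-Host '  (not defined in the exported policy)'; continue }

    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) {
            Write-Host ("  {0,-45} {1}" -f $entry, 'name as written in policy')
            continue
        }
        # A leading '*' marks a raw SID; try to translate it to DOMAIN\Name.
        $sidText = $entry.Substring(1)
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = if ($tooBroad.ContainsKey($sidText)) { 'WARN: grants the right to everybody' } else { 'ok' }
        } catch {
            # Cannot be resolved: deleted account, or its domain is unreachable right now.
            $name   = '<unresolved>'
            $status = 'CHECK: orphaned SID or domain offline'
        }
        Write-Host ("  {0,-45} {1,-35} {2}" -f $sidText, $name, $status)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it before and after editing the policy (and after "gpupdate /force") to confirm only the intended group remains and that no unresolved SIDs are left behind.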
Guest

Hello Ulf,

People who know what they are doing are always BUSY!!!
Hope you find a break.

Thank you for your professional and technical advice. You
R the Best! Your answers not only resolved my issues but
also made me understand better on what's happening.

Thanks,
Phoenix
Ulf B. Simon-Weidner

blush - thanks :)

Gruesse - Sincerely,

Ulf B. Simon-Weidner
Phoenix

Ulf,

Sorry for the blush :)

Anyway, I still need your help. I think I understand what
you mean on what I need to do to set up this computer in
AD in order to allow only certain user accounts to log on
to it. Please let me know if I'm taking the correct steps
below:

I created an OU in ADUC titled "Engineering". Under the
Engineering OU I created an OU titled Engineering PC. I
opened the properties page and selected the Group Policy
tab. I created a new policy and edited the policy. I
went to the local group policy and modified the "Access
this computer through the Network". I only added the "Eng
Group" that includes the people I want to be able to log on
to this computer. Is this the way to go????