Log on limited to administrator

SteveC

When we had Windows98, we used a program called Sentry to keep students and
unauthorized people from accessing computers and hard drives. When we moved
to Win2000 and XP, we didn't need Sentry to keep students off the computers.
However, we find that any employee with a username and password can log on
to our teachers' machines. I thought locking the PC would limit this, but
they have learned to simply unplug the machine and reboot, then they can log
on. This is worse than ever because it is not good for the machine.

How can we make it that only Administrators can log on (or the primary user
with administrative rights over their own pcs)? Thanks.
 
Roger Abell

For machines that are joined to a domain, in order to control
who may log into the machine you need to either
1. take control over the user right to Log on locally
This normally contains the Users group
So, you may remove Users and replace it with such
as the accounts that should be able to log in locally
or
2. take control over the membership in the Users group
This normally contains Domain Users, Authenticated
Users, and Interactive. All of these would have to be
removed, and then replace with every account defined
on the machine itself (including Guest if it is enabled
and used for local login) and whatever domain accounts
should be allowed to use the machine.
 
Pegasus (MVP)

SteveC said:
When we had Windows98, we used a program called Sentry to keep students and
unauthorized people from accessing computers and hard drives. When we moved
to Win2000 and XP, we didn't need Sentry to keep students off the computers.
However, we find that any employee with a username and password can log on
to our teachers' machines. I thought locking the PC would limit this, but
they have learned to simply unplug the machine and reboot, then they can log
on. This is worse than ever because it is not good for the machine.

How can we make it that only Administrators can log on (or the primary user
with administrative rights over their own pcs)? Thanks.

You did not say if you use a Workgroup or a Domain model.

The simplest way is to remove all student accounts. This will
keep them out.

Alternatively, you could run the Policy Editor gpedit.msc and
use it to deny local login rights to specific users. Follow this
path:
Local Computer Policy / Computer Configuration / Windows
Settings / Security Settings / Local Policy / User Rights /
Deny logon locally.
 
Steven L Umbach

The simplest way would be to modify the appropriate security policy -
Domain/OU/Local to include only the administrators group for security
settings/local policies/user rights assignments allow logon locally. The
deny logon locally overrides anyone with allow access and you need to be VERY
careful with deny settings as the administrator is also a member of the
everyone and users group. You may also want to do the same with the allow
network access right on those workstations if they are on a network and
other regular users have no business trying to access them. I would also
examine the membership of the administrators group to make sure it is what
you expect and enable auditing of logon events on those machines so you can
view the security log in Event Viewer to see who has accessed those
machines - see link below for details. Also keep in mind that it is trivial
for someone who has physical access to a computer to reset its
administrator password if they can boot from a floppy/cdrom/etc and the cmos
settings are not protected by a password with a locked case. I also suggest
that you implement complex passwords and have an account lockout policy with
a threshold of no less than ten attempts and a reset period of ten minutes
or so to dissuade password attacks. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958
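Added example, not code from any poster in this thread: a small Python check that reads the [Privilege Rights] section of a `secedit /export /cfg` style .inf and applies the precedence rule Steve describes above (a deny always overrides an allow) to the two approaches Roger lists earlier (restricting the allow right, or relying on group membership). The .inf text and the token group sets are constructed for illustration; the SIDs are the real well-known ones secedit writes.

```python
# Added example (not from this thread): check "Allow/Deny log on locally" from a
# secedit export, applying the rule that a deny overrides any allow. The .inf
# text and the group memberships below are constructed for illustration.
WELL_KNOWN = {  # SIDs that secedit writes for built-in groups
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-4": "Interactive",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users",
}
BROAD_GROUPS = {"S-1-1-0", "S-1-5-11", "S-1-5-4", "S-1-5-32-545"}  # admins belong to these too

def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs} from the [Privilege Rights] section of an .inf export."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            rights[name] = {t.strip().lstrip("*") for t in value.split(",") if t.strip()}
    return rights

def can_logon_locally(rights, token_sids):
    """Any match in SeDenyInteractiveLogonRight wins; otherwise the allow right decides."""
    sids = set(token_sids)
    if sids & rights.get("SeDenyInteractiveLogonRight", set()):
        return False
    return bool(sids & rights.get("SeInteractiveLogonRight", set()))

def lockout_risks(rights):
    """Broad groups in the deny right: denying them also locks out administrators."""
    denied = rights.get("SeDenyInteractiveLogonRight", set())
    return sorted(WELL_KNOWN[s] for s in denied & BROAD_GROUPS)

# Constructed samples. DENY_USERS_INF is the "deny Users" attempt; HARDENED_INF keeps
# the allow right to Administrators only and leaves the deny right empty.
DENY_USERS_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeDenyInteractiveLogonRight = *S-1-5-32-545
"""
HARDENED_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
"""
# Token group sets: an administrator (also in Users via Domain Users) and a student.
ADMIN_TOKEN = {"S-1-5-32-544", "S-1-5-32-545", "S-1-5-11", "S-1-1-0", "S-1-5-4"}
STUDENT_TOKEN = {"S-1-5-32-545", "S-1-5-11", "S-1-1-0", "S-1-5-4"}
```

Running `lockout_risks` on the first sample reports "Users", which is exactly the case where the administrator is locked out along with the students; the hardened sample lets only Administrators in.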
 
SteveC

Thanks everyone, but I am confused. We are the blind here. I tried this on
my own machine but as you say I need to add Power Users and Users to the
"deny logon" list and it wouldn't seem to recognize that, and one of you
warned me. I tried to delete everything that was allow logon but my user name
and the Administrators user names, but once I logged on and off, the users
and power users had returned so it must be superseded by group policies on
the server.

I went to the server and looked there but couldn't find what I wanted on
Win2000 Server. I did go to the Server Manager on the WinNT server but it
only let me specify what computers a user could log onto. This works ok for
the one person I wanted to contain access to one computer but I would like
to keep everyone off some computers. How can I do that? Thanks.
 
Steven Umbach

I should have mentioned that these policies may not happen right away on a
computer and running secedit /refreshpolicy machine_policy enforce on W2K or
gpupdate on XP or rebooting may be needed. However there may be a domain or
Organizational Unit Group Policy overriding local policy which would show if the
"effective" setting was different than the local setting in W2K or the icon for
the setting at the beginning of the line looked different than the rest of them
in XP.

Assuming this is a Windows 2000 domain, you would need to configure this policy
on one of the W2K domain controllers. I would suggest that first you use Active
Directory Users and Computers to create a new OU [Organizational Unit] for the
teachers' computers. Create a new Group Policy for that OU and configure the user
right assignment for logon locally to be just administrators or if you have the
students in their own security group, add that group to deny logon locally. Then
move the teacher computers into that OU. That OU will still inherit all computer
configuration from the domain, except that any settings configured for the Group
Policy in that OU will override domain defined settings except account policy
for domain users. Run secedit /refreshpolicy machine_policy enforce on the
domain controller and then reboot one of the teachers' computers to test the
results. See the links below for more information on Group Policy. --- Steve

http://www.microsoft.com/technet/tr...prodtechnol/windows2000serv/howto/grpolwt.asp

http://www.microsoft.com/technet/tr...dows2000serv/reskit/distsys/part4/dsgch22.asp
 
Roger Abell

You need to post back, and tell us if you have a
domain and if so what version of Windows it is.
 
SteveC

It is Windows2000 Server with a domain. The users are mostly Win2000 and
XP/Pro. Thanks.
 