Restricting logins on an XP computer

Guest

I want to restrict logging in to our accounting computers to only those who
are in the Accounting department. These computers will be part of our
Windows 2003 domain. So far, on the local XP computers, I have tried to
button down so that only admin and the accounting group have access to the C
drive. But other accounts are still able to log into the computer. How can
I stop this?

Jim
 
Bruce Chambers

Jim said:
I want to restrict logging in to our accounting computers to only those who
are in the Accounting department. These computers will be part of our
Windows 2003 domain. So far, on the local XP computers, I have tried to
button down so that only admin and the accounting group have access to the C
drive. But other accounts are still able to log into the computer. How can
I stop this?

Jim


The Domain Administrator can specify who can log into which specific
workstation. This is a setting on the Domain server. Contact your IT
department for assistance.


--

Bruce Chambers

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
Guest

Bruce,

I am the IT department!! Now are you talking about doing it thru group
policies or can I do this somewhere in active directory? I know if I click
on a user in active directory, there is an option as to what computers they
can log on to but I could not find a similar option for the computer. Where
would I set this?
 
Bruce Chambers

Jim said:
Bruce,

I am the IT department!! Now are you talking about doing it thru group
policies or can I do this somewhere in active directory? I know if I click
on a user in active directory, there is an option as to what computers they
can log on to but I could not find a similar option for the computer. Where
would I set this?


Under user account properties, you would specify which computers the
users could log into.


--

Bruce Chambers

 
Guest

I think what you're after is "make it difficult for anyone outside the
Accounting group to get to an Explorer desktop or command prompt on any of
these accounting computers"?

While it's fun (?) to try to find all the permissions that would have to be
removed/restricted on a Windows PC, the more efficient way to manage this
kind of control is using Group Policy to restrict the logon-related
Privileges. Try this:
- Open a Group Policy object that only targets these Accounting PCs (or
create a new one)
-- Note: you can limit the scope of a Group Policy object using just the OU,
using a Security group to limit the "Apply Group Policy" permission on the
GPO, or using a WMI filter on the GPO. GPMC probably has more details on
this.
- Select Computer Configuration > Windows Settings > Security Settings >
Local Policies > User Rights Assignment
- Make sure you have a Security group defined in Active Directory that
*only* contains user accounts that should be able to log on to the accounting
PCs
- Double-click the "Log on Locally" entry in User Rights Assignment and add
the security group you have for those users. [You may want to also add a
group for the IT administrators or anyone else in IT-land that might need
logon rights to these PCs.]

This should have the intended effect.

If you'd like to really button things down against malicious people, you
could do things like:
- add an Active Directory group (containing the "malicious people") to the
user right "Deny logon locally"
- add the group of legitimate users to the "Access this computer from the
network" user right - but be careful - this will restrict who can access
shares that are made available from these PCs and many other "remote access"
capabilities
- add the "malicious users" group to the user right "Access this computer
from the network" (same caveat applies)
- add the group of legitimate users to the user right "Allow logon through
Terminal Services" to restrict Remote Desktop access as well - but watch out,
this could also wipe out the default access rights granted to the members of
the computers' local "Administrators" and "Remote Desktop Users" groups.
- add the "malicious users" group to "Deny logon through Terminal Services".

Hope this helps.
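
The effect of the User Rights Assignment settings described above can be checked on a workstation by exporting its security policy with `secedit /export /cfg <file>` and reading the `[Privilege Rights]` section. The Python below is an added example, not part of the original thread; the sample export, the placeholder SIDs and the allow-list are constructed for illustration.

```python
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeRemoteInteractiveLogonRight": "Allow logon through Terminal Services",
}

# Constructed sample export; the domain SIDs are placeholders, not real values.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-545
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1110
[Version]
signature="$CHICAGO$"
"""

# Assumed allow-list: local Administrators plus a hypothetical Accounting group.
ALLOWED = {
    "S-1-5-32-544",                                     # BUILTIN Administrators
    "S-1-5-21-1111111111-2222222222-3333333333-1105",   # Accounting (placeholder)
}

def parse_privilege_rights(text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; strip it for comparison.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def unexpected_principals(text, allowed):
    """Return {right_name: [principals not in allowed]} for the logon rights."""
    rights = parse_privilege_rights(text)
    findings = {}
    for right in LOGON_RIGHTS:
        extra = [p for p in rights.get(right, []) if p not in allowed]
        if extra:
            findings[right] = extra
    return findings

if __name__ == "__main__":
    for right, extra in unexpected_principals(SAMPLE_EXPORT, ALLOWED).items():
        print(LOGON_RIGHTS[right], "->", ", ".join(extra))
```

In the sample, `S-1-5-32-545` (the built-in Users group) still holds "Log on locally", which is the kind of leftover entry that lets accounts outside the intended group log on. A real export is normally written as UTF-16, so read the file with `encoding="utf-16"` before passing its text in.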
 
