Restricting new profiles

[Guest]

We have a problem with people logging on to computers they aren't supposed to. We solved this problem in Win2000 by locking down the permissions of the default user profile so that anyone that doesn't have a profile on the system gets a message that they can't log on

Now we are upgrading these systems to XP Pro. I tried locking down the default profile the same way, but now when a new user logs on, they are able to get in. The interesting thing is that the default profile has been modified (wallpaper, icons, etc). When these new users log on after I lock down the default user profile, they actually get an original default XP profile that doesn't have all the modifications

Is there any way to restrict XP pro in a domain environment so that a user can't log on if they don't have a profile on the system already

thank
Chris

 

[Doug Knox MS-MVP]

You can set this in GPEDIT, I believe. Start, Run and enter GPEDIT.MSC Go to:

Computer Configuration, Administrative Templates, System, User Profiles. Enable the policy for Only allow local user profiles.

 

[Guest]

Unfortunately, all that does is stop roaming profiles from being used. A local profile is still created for new users. I need to lock the computer down so that only certain users can log on to a system.

in Him
Chris

 

[Doug Knox MS-MVP]

In GPEDIT, goto Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. You can use the Log on Locally policy to specify Users/User Groups that can log on locally.