Windows 2000 restricting domain workstation logons

  • Thread starter Thread starter wyocowboy
  • Start date Start date
W

wyocowboy

A customer wants to limit who can logon to certain machines to a handful of
authorized users and prevent all other users in the company from logging onto
these 3 workstations. I know that I can go into every user's profile and
limit which machine(s) a given user can logon to, but I would rather not have
to edit all those profiles, unless there is no other way.

Unfortunately, there does not seem to be any provision for doing this
through Client Computers properties. Any ideas?
 
"wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
>A customer wants to limit who can logon to certain machines to a handful of
> authorized users and prevent all other users in the company from logging
> onto
> these 3 workstations. I know that I can go into every user's profile and
> limit which machine(s) a given user can logon to, but I would rather not
> have
> to edit all those profiles, unless there is no other way.
>
> Unfortunately, there does not seem to be any provision for doing this
> through Client Computers properties. Any ideas?

A brutal but highly effective method would be to modify your
domain logon script like so:

@echo off
find "xx%ComputerName%yy" \\YourServer\SomeShare\PCList.txt > nul
if %ErrorLevel%==0 (
find "xx%UserName%yy" \\YourServer\SomeShare\UserList.txt > nul
if %ErrorLevel% GTR 0 \\YourServer\Tools\shutdown.exe /r
)
{Remaining commands go here}

The first command checks if this is a restricted PC.
The second command checks if this is an authorised user.
The third command conditionally reboots the PC.

You need to do four things to make it happen:
- Modify the logon script.
- Compile a list of restricted PCs. Surround each name with "xx" and "yy".
- Compile a list of authorised users. Surround each name with "xx" and "yy".
- Download one of the many copies of shutdown.exe and leave it on your
server.
 
"wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
>A customer wants to limit who can logon to certain machines to a handful of
> authorized users and prevent all other users in the company from logging
> onto
> these 3 workstations. I know that I can go into every user's profile and
> limit which machine(s) a given user can logon to, but I would rather not
> have
> to edit all those profiles, unless there is no other way.
>
> Unfortunately, there does not seem to be any provision for doing this
> through Client Computers properties. Any ideas?

Are you in a domain?

If yes then you could

1) Create a domain group whose members are allowed to logon to these 3
workstations
2) On each of the 3 workstations open the Local Security Policy MMC snapin,
open the "Log on locally" entry under "Local Policies", "User Rights
Assignment", add the group created earlier and then deselect the "Users"
group, click OK to save changes and reboot workstations.

This will limit logons to these workstations to Administrators, Power Users,
Backup Operators and members of the group created earlier. You could
further restrict the groups allowed access but wouldn't recommend removing
Administrators.
 
"Tim Jackson" wrote:

> "wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
> news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
> >A customer wants to limit who can logon to certain machines to a handful of
> > authorized users and prevent all other users in the company from logging
> > onto
> > these 3 workstations. I know that I can go into every user's profile and
> > limit which machine(s) a given user can logon to, but I would rather not
> > have
> > to edit all those profiles, unless there is no other way.
> >
> > Unfortunately, there does not seem to be any provision for doing this
> > through Client Computers properties. Any ideas?
>
> Are you in a domain?
>
> If yes then you could
>
> 1) Create a domain group whose members are allowed to logon to these 3
> workstations
> 2) On each of the 3 workstations open the Local Security Policy MMC snapin,
> open the "Log on locally" entry under "Local Policies", "User Rights
> Assignment", add the group created earlier and then deselect the "Users"
> group, click OK to save changes and reboot workstations.
>
> This will limit logons to these workstations to Administrators, Power Users,
> Backup Operators and members of the group created earlier. You could
> further restrict the groups allowed access but wouldn't recommend removing
> Administrators.

Yes, it is a domain, but what you suggested did not work. None of the domain
users have local accounts on these machines to start with, and when logging
onto a domain, the local policy settings are overridden by the domain policy
settings anyways. However, I try it anyways..

When I went to the "log on locally" portion of the local security snap-in, I
couldn't get through the process as described. At the time, I was logged on
as a domain admin. When I first tried to add the group, it offered me the
choice of the local machine or the 'domain.local' so I selected the domain
from the pull down. It then came back and said it could not find the
server/domain, even though I could browse the server at the time. I closed
out of it and then went back in and this time the only choice offered was the
local machine, and of course the group does not exist on the local machine.

Since the group did not exist on the local machine, it wouldn't let me add
it, so I created it locally and after creating my user locally (it insisted
on adding a user) I added it to the logon permit list and unchecked all
except administrator. At the end of all that, it still lets any domain user
logon to the domain from that machine.
>
>
>
 
"wyocowboy2" <wyocowboy2@discussions.microsoft.com> wrote in message
news:F4A50ED3-2088-4D06-85F8-BA1FDDBB0B51@microsoft.com...
>
>
> "Tim Jackson" wrote:
>
>> "wyocowboy" <wyocowboy@discussions.microsoft.com> wrote in message
>> news:6702828D-2FDB-451E-BA8F-1C6099226763@microsoft.com...
>> >A customer wants to limit who can logon to certain machines to a handful
>> >of
>> > authorized users and prevent all other users in the company from
>> > logging
>> > onto
>> > these 3 workstations. I know that I can go into every user's profile
>> > and
>> > limit which machine(s) a given user can logon to, but I would rather
>> > not
>> > have
>> > to edit all those profiles, unless there is no other way.
>> >
>> > Unfortunately, there does not seem to be any provision for doing this
>> > through Client Computers properties. Any ideas?
>>
>> Are you in a domain?
>>
>> If yes then you could
>>
>> 1) Create a domain group whose members are allowed to logon to these 3
>> workstations
>> 2) On each of the 3 workstations open the Local Security Policy MMC
>> snapin,
>> open the "Log on locally" entry under "Local Policies", "User Rights
>> Assignment", add the group created earlier and then deselect the "Users"
>> group, click OK to save changes and reboot workstations.
>>
>> This will limit logons to these workstations to Administrators, Power
>> Users,
>> Backup Operators and members of the group created earlier. You could
>> further restrict the groups allowed access but wouldn't recommend
>> removing
>> Administrators.
>
> Yes, it is a domain, but what you suggested did not work. None of the
> domain
> users have local accounts on these machines to start with, and when
> logging
> onto a domain, the local policy settings are overridden by the domain
> policy
> settings anyways. However, I try it anyways..
>
> When I went to the "log on locally" portion of the local security snap-in,
> I
> couldn't get through the process as described. At the time, I was logged
> on
> as a domain admin. When I first tried to add the group, it offered me the
> choice of the local machine or the 'domain.local' so I selected the domain
> from the pull down. It then came back and said it could not find the
> server/domain, even though I could browse the server at the time. I closed
> out of it and then went back in and this time the only choice offered was
> the
> local machine, and of course the group does not exist on the local
> machine.
>
> Since the group did not exist on the local machine, it wouldn't let me add
> it, so I created it locally and after creating my user locally (it
> insisted
> on adding a user) I added it to the logon permit list and unchecked all
> except administrator. At the end of all that, it still lets any domain
> user
> logon to the domain from that machine.
>>
>>
>>

Sounds like you are having problems talking to the domain if it says it
cannot find the server/domain. I would suggest checking that the
workstation is still a member of the domain and that your domain admin
really is an administrator account and is logging on to the domain okay.

This method does work, I have used it myself, recently.
 
Back
Top