Restricting Logons with Windows 2000 Server


confused

I need to restrict user logons from our XP Pro workstations to our Windows
2000 Server to particular machines.

Ideally I would like to specify at the workstation level who is permitted to
log on to that workstation but I don't know of any way to do that.

I know that I can specify which machines a particular user is permitted to
log on to in the user control panel in
ActiveDirectory/Users/UserName/Account(tab)/LogOnTo(button)... but I am not
sure if it would apply to a domain administrator and if it would have any
bearing on workgroup computers that are not members of the Domain?

We have a plain Windows 2000 Server / Windows XP Workstation configuration
with a Point of Sale operating in Workgroup mode running on the same network.
A member server that has a logon with Domain Administrator rights is used by
the Point of Sale system and I see this as a vulnerability because that user
can log on to any user workstation and do whatever they want.

Any suggestions would be greatly appreciated.

Thank you.
 
confused <confused@gmail.com> wrote:
> I need to restrict user logons from our XP Pro workstations to our
> Windows 2000 Server to particular machines.
>
> Ideally I would like to specify at the workstation level who is
> permitted to log on to that workstation but I don't know of any way
> to do that.
> I know that I can specify which machines a particular user is
> permitted to log on to in the user control panel in
> ActiveDirectory/Users/UserName/Account(tab)/LogOnTo(button)... but I am
> not sure if it would apply to a domain administrator and if it would
> have any bearing on workgroup computers that are not members of the
> Domain?
> We have a plain Windows 2000 Server / Windows XP Workstation
> configuration with a Point of Sale operating in Workgroup mode running
> on the same network. A member server that has a logon with Domain
> Administrator rights is used by the Point of Sale system and I see
> this as a vulnerability because that user can log on to any user
> workstation and do whatever they want.
> Any suggestions would be greatly appreciated.
>
> Thank you.


Hmmm. Why is your POS product using a domain admin account to run? This is
the first place I'd start locking things down. There's no conceivable reason
it needs that.

Also, I'm unclear on the configuration of your network - you have AD, but
you also mention a workgroup. You can do a lot of things with group policy,
but they won't affect non-domain-member computers. Can you provide more
detail as to your setup?
 
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:%23OR0w8xuHHA.4476@TK2MSFTNGP03.phx.gbl...
>
> Hmmm. Why is your POS product using a domain admin account to run? This is
> the first place I'd start locking things down. There's no conceivable
> reason it needs that.
>
> Also, I'm unclear on the configuration of your network - you have AD, but
> you also mention a workgroup. You can do a lot of things with group
> policy, but they won't affect non-domain-member computers. Can you provide
> more detail as to your setup?


Thank you for your reply.

You want more detail... you got it... but quite frankly I think that the
answers to my questions don't warrant the detail and that it will probably
just bore people and overwhelm them with too much information...

The POS system is a workgroup running on the same network and has its own
Windows 2000 Server that is joined to the Domain. The POS Server uses a
domain administrator account so that it can interface with a Property
Management System that requires administrative rights to work. The Property
Management System has to be part of the domain so that member Workstations
can use the system while also being connected to the regular Domain file
server.

But I don't think that knowing all that matters. I am just asking these two
things with regard to a Windows 2000 Server and Windows XP workstations:
1) Is there a way at the workstation level to restrict user logons to
particular usernames, and would that restriction apply to a domain
administrator?
2) If I specify the 'Log On To' workstation list in Active Directory, does
that actually restrict logons to workstations for a user account that has
Domain Administrator rights?

Thank you.
 
hi,
1. check on GPO, or on the workstation if it isn't joined to the domain:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Allow log on locally or Deny log on
locally.
2. yes
--
Dragos CAMARA
MCSA Windows 2003 server


"confused" wrote:

> Thank you for your reply.
>
> You want more detail... you got it... but quite frankly I think that the
> answers to my questions don't warrant the detail and that it will probably
> just bore people and overwhelm them with too much information...
>
> The POS system is a workgroup running on the same network and has its own
> Windows 2000 Server that is joined to the Domain. The POS Server uses a
> domain administrator account so that it can interface with a Property
> Management System that requires administrative rights to work. The Property
> Management System has to be part of the domain so that member Workstations
> can use the system while also being connected to the regular Domain file
> server.
>
> But I don't think that knowing all that matters. I am just asking these two
> things with regard to a Windows 2000 Server and Windows XP workstations:
> 1) Is there a way at the workstation level to restrict user logons to
> particular usernames, and would that restriction apply to a domain
> administrator?
> 2) If I specify the 'Log On To' workstation list in Active Directory, does
> that actually restrict logons to workstations for a user account that has
> Domain Administrator rights?
>
> Thank you.
>
>
>
 
Dragos,
Thank you for your reply. Regarding 2, the 'Log On To' workstation list in
Active Directory does restrict logons to workstations for a user account
that has Domain Administrator rights... This won't apply to the machines
that are not members of the domain, will it?
I know trial and error will tell me for certain, but I don't really want to
just guess at this and then be unpleasantly surprised.
Thank you!

"Dragos CAMARA" <dragos_c@remove-this.hotmail.com> wrote in message
news:2C8D1699-6A5C-4B1D-B541-F48D997A4958@microsoft.com...
> hi,
> 1. check on GPO, or on the workstation if it isn't joined to the domain:
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\User Rights Assignment\Allow log on locally or Deny log on
> locally.
> 2. yes
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
 
hi,
if the workstation isn't joined to the domain you really can't log on with any
domain user on it :), if you refer to access from the network that is another thing.
--
Dragos CAMARA
MCSA Windows 2003 server


"confused" wrote:

> Dragos,
> Thank you for your reply. Regarding 2, the 'Log On To' workstation list in
> Active Directory does restrict logons to workstations for a user account
> that has Domain Administrator rights... This won't apply to the machines
> that are not members of the domain, will it?
> I know trial and error will tell me for certain, but I don't really want to
> just guess at this and then be unpleasantly surprised.
> Thank you!
>
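The two controls Dragos describes (the AD "Log On To" list, and "Allow/Deny log on locally" in User Rights Assignment), plus his point that the list is irrelevant on a workgroup machine, as an added PowerShell example that is not code from this thread. The account DN, the computer names and the temp file path are my placeholders; secedit needs to run elevated.

```powershell
# Added example, not from the thread. DN and computer names are placeholders.
# Part 1: the ADUC "Log On To" button edits the userWorkstations attribute, a
# comma-separated list of NetBIOS computer names. The domain controller checks
# it at interactive logon for any domain account, Domain Admins included. It
# only matters on domain members: a workgroup PC never performs a domain logon.
function Get-LogonWorkstations {
    param([Parameter(Mandatory)][string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $value = [string]$user.userWorkstations      # empty means "All computers"
    if ($value) { $value -split ',' } else { @() }
}

function Set-LogonWorkstations {
    param([Parameter(Mandatory)][string]$UserDn,
          [Parameter(Mandatory)][string[]]$ComputerName)
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put('userWorkstations', ($ComputerName -join ','))
    $user.SetInfo()
}

# Part 2: the per-machine control. "Allow log on locally" / "Deny log on
# locally" (Local Policies\User Rights Assignment) are exported by secedit as
# SeInteractiveLogonRight / SeDenyInteractiveLogonRight. A Deny entry wins over
# Allow, so denying the POS account locally is the surest block on a given PC.
function Get-LocalLogonRights {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null   # requires admin
    $rights = @{}
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $line = Get-Content $inf | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $names = @()
        if ($line) {
            foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
                if ($entry.StartsWith('*')) {       # '*' prefix marks a raw SID
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $names += $entry }      # unresolvable SID: keep as-is
                } else { $names += $entry }
            }
        }
        $rights[$right] = $names
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

# Usage with placeholder names (assumptions, not from the thread):
$dn = 'CN=POS Service,OU=Service Accounts,DC=example,DC=local'
Set-LogonWorkstations -UserDn $dn -ComputerName 'POSSRV01', 'POSTERM01'
Get-LogonWorkstations -UserDn $dn
Get-LocalLogonRights      # who is allowed / denied interactive logon on this PC
```

Run Get-LocalLogonRights on the workstation itself (or on a representative domain member after a group policy refresh) to confirm the GPO setting actually landed, rather than trusting the GPO editor alone.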
 