vasek125 Posted August 4, 2011 Posted August 4, 2011 Hello, is there any way how to disable direct login to windows server? Quote
ICTCity Posted August 5, 2011 Posted August 5, 2011 What does "Direct login" mean? Quote -------------------------------------------------------- Tu peux aussi crire en franais. Du kannst auch auf Deutsch schreiben. Puoi scrivere anche in italiano. --------------------------------------------------------
vasek125 Posted August 9, 2011 Author Posted August 9, 2011 User can login to every station connected to domain but cannot connect (login) to windows server 2008 domain controller pc itself. Quote
ICTCity Posted August 9, 2011 Posted August 9, 2011 Sorry but I still don't understand... You said: "how to DISABLE login to Windows Server" then: "User login to every WS but not to DC" So you want to PERMIT user to login to DC or BLOCK user from login the the other stations? When you say "LOGIN", you want to permit / block login from local pc (physical access), remote desktop or what else? Quote -------------------------------------------------------- Tu peux aussi crire en franais. Du kannst auch auf Deutsch schreiben. Puoi scrivere anche in italiano. --------------------------------------------------------
vasek125 Posted August 11, 2011 Author Posted August 11, 2011 Windows server has domain controller role. Users are stored in Active Directory. PC client stations are joined to domain. I want to deny access to Windows server - user will physically not be able to login to server. SERVER -------domain------- | | CLIENT_PC1 CLIENT_PC2 SERVER is domain controller, clients are joined to domain. Active Directory user will be able to login on computer client_pc1, client_pc2 but the same user will not be able to login on server (neither direcly nor remotely). How to do this? Quote
ICTCity Posted August 12, 2011 Posted August 12, 2011 Ok, now everything is clear :) Basically Remote Desktop is permitted to Admin's only, so you have nothing to do. To block user from logging in do the following: (on the server you want to block access): start > run > gpedit.msc Computer > Windows > Security > Local > User Right Assignment Select the policy "ALLOW LOG ON LOCALLY". From there, you can remove what you don't need. You can do the same thing by ADDING the group / user you don't want, on the policy "DENY LOG ON LOCALLY". ATTENTION: do not change the policy "ACCESS THIS COMPUTER FROM THE NETWORK", this will prevent any connection to the server (domain, profiles and so on). question: why your users are able to login physically? When you install a server, only admins, server op, and other "service account" are enabled... Quote -------------------------------------------------------- Tu peux aussi crire en franais. Du kannst auch auf Deutsch schreiben. Puoi scrivere anche in italiano. --------------------------------------------------------
vasek125 Posted August 12, 2011 Author Posted August 12, 2011 question: why your users are able to login physically? When you install a server, only admins, server op, and other "service account" are enabled... Users don't have physicall access to server but it is cleaner and better to block everything I don't want or need. Quote
Recommended Posts