I need to restrict user logons from our XP Pro workstations to our Windows 2000 Server to particular machines.

Ideally I would like to specify at the workstation level who is permitted to log on to that workstation but I don't know of any way to do that.

I know that I can specify which machines a particular user is permitted to log on to in the user control panel in ActiveDirectory/Users/UserName/Account(tab)/LogOnTo(button)... But am not sure if it would apply to a domain administrator and if it would have any bearing on workgroup computers that are not members of the Domain?

We have a plain Windows 2000 Server / Windows XP Workstation configuration with a Point of Sale operating in Workgroup mode running on the same network. A member server that has a logon with Domain Administrator rights is used by the Point of Sale system and I see this as a vulnerability because that user can log on to any user workstation and do whatever they want.

Any suggestions would be greatly appreciated.

Thank you.

confused <confused@gmail.com> wrote:

> I need to restrict user logons from our XP Pro workstations to our
> Windows 2000 Server to particular machines.
>
> Ideally I would like to specify at the workstation level who is
> permitted to log on to that workstation but I don't know of any way
> to do that.
> I know that I can specify which machines a particular user is
> permitted to log on to in the user control panel in
> ActiveDirectory/Users/UserName/Account(tab)/LogOnTo(button)... But am
> not sure if it would apply to a domain administrator and if it would
> have any bearing on workgroup computers that are not members of the
> Domain?
> We have a plain Windows 2000 Server / Windows XP Workstation
> configuration with a Point of Sale operating in Workgroup mode running
> on the same network. A member server that has a logon with Domain
> Administrator rights is used by the Point of Sale system and I see
> this as a vulnerability because that user can log on to any user
> workstation and do whatever they want.
> Any suggestions would be greatly appreciated.
>
> Thank you.

Hmmm. Why is your POS product using a domain admin account to run? This is the first place I'd start locking things down. There's no conceivable reason it needs that.

Also, I'm unclear on the configuration of your network - you have AD, but you also mention a workgroup. You can do a lot of things with group policy, but they won't affect non-domain-member computers. Can you provide more detail as to your setup?

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:%23OR0w8xuHHA.4476@TK2MSFTNGP03.phx.gbl...

> confused <confused@gmail.com> wrote:
>> I need to restrict user logons from our XP Pro workstations to our
>> Windows 2000 Server to particular machines.
>>
>> Ideally I would like to specify at the workstation level who is
>> permitted to log on to that workstation but I don't know of any way
>> to do that.
>> I know that I can specify which machines a particular user is
>> permitted to log on to in the user control panel in
>> ActiveDirectory/Users/UserName/Account(tab)/LogOnTo(button)... But am
>> not sure if it would apply to a domain administrator and if it would
>> have any bearing on workgroup computers that are not members of the
>> Domain?
>> We have a plain Windows 2000 Server / Windows XP Workstation
>> configuration with a Point of Sale operating in Workgroup mode running
>> on the same network. A member server that has a logon with Domain
>> Administrator rights is used by the Point of Sale system and I see
>> this as a vulnerability because that user can log on to any user
>> workstation and do whatever they want.
>> Any suggestions would be greatly appreciated.
>>
>> Thank you.
>
> Hmmm. Why is your POS product using a domain admin account to run? This is
> the first place I'd start locking things down. There's no conceivable
> reason it needs that.
>
> Also, I'm unclear on the configuration of your network - you have AD, but
> you also mention a workgroup. You can do a lot of things with group
> policy, but they won't affect non-domain-member computers. Can you provide
> more detail as to your setup?

Thank you for your reply.

You want more detail... you got it... but quite frankly I think that an answer to my questions doesn't warrant the detail and that it will probably just bore people and overwhelm them with too much information...

The POS system is a workgroup running on the same network and has its own Windows 2000 Server that is joined to the Domain. The POS Server uses a domain administrator account so that it can interface with a Property Management System that requires administrative rights to work. The Property Management System has to be part of the domain so that member Workstations can use the system while also being connected to the regular Domain file server.

But I don't think that knowing all that matters. I am just asking these two things with regard to a Windows 2000 Server and Windows XP workstations:

1) Is there a way at the workstation level to restrict user logons to particular usernames and if that restriction would apply to a domain administrator.

2) If I specify the 'Log On To' workstation list in Active Directory does that actually restrict logons to workstations for a user account that has Domain Administrators?

Thank you.

hi,

1. Check on GPO, or on the workstation if it isn't joined to the domain: computer configuration\windows settings\security settings\local policies\user rights assignment\allow log on locally or deny logon locally.

2. yes

--
Dragos CAMARA
MCSA Windows 2003 server
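The two controls named in the answer above, worked through as an added example that is not part of any poster's reply: it reads a `secedit /export /cfg` dump of a workstation's user rights and decides whether an account can log on locally, with a deny entry taking precedence over an allow entry and the account's 'Log On To' list checked as well. The sample template, SIDs, host names and function names are constructed for illustration.

```python
import configparser

# Constructed sample of what `secedit /export /cfg policy.inf` writes for one
# workstation; SIDs are prefixed with '*'. All SIDs and host names are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
"""

ADMINISTRATORS = "S-1-5-32-544"               # well-known BUILTIN\Administrators
POS_ACCOUNT = "S-1-5-21-1111-2222-3333-1105"  # hypothetical POS logon (an admin)
IT_ADMIN = "S-1-5-21-1111-2222-3333-1200"     # hypothetical IT administrator


def privilege_rights(inf_text):
    """Return {right: set of SIDs or names} from an exported security template."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # right names are mixed case; keep them as written
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            rights[name] = {v.strip().lstrip("*")
                            for v in value.split(",") if v.strip()}
    return rights


def can_log_on_locally(token_sids, rights, host, log_on_to=""):
    """Evaluate both controls from the thread for one account on one host.

    token_sids: the account's SID plus the SIDs of every group it is in.
    log_on_to:  the account's 'Log On To' list, comma separated; empty
                means the account may use all computers.
    """
    hosts = {h.strip().upper() for h in log_on_to.split(",") if h.strip()}
    if hosts and host.upper() not in hosts:
        return False, "host is not in the account's Log On To list"
    sids = set(token_sids)
    # A deny entry wins over any allow entry, including one inherited
    # through membership of Administrators.
    if sids & rights.get("SeDenyInteractiveLogonRight", set()):
        return False, "matched 'deny logon locally'"
    if sids & rights.get("SeInteractiveLogonRight", set()):
        return True, "matched 'log on locally'"
    return False, "holds no 'log on locally' right"
```

With this sample the POS account is refused even though its token carries the Administrators SID, while the IT administrator is allowed unless its Log On To list omits the host.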

Dragos,

Thank you for your reply. Regarding 2, the 'Log On To' workstation list in Active Directory does restrict logons to workstations for a user account that has Domain Administrator rights... This won't apply to the machines that are not members of the domain, will it?

I know trial and error will tell me for certain, but I don't really want to just guess at this and then be unpleasantly surprised.

Thank you!

hi,

if the workstation isn't joined to domain you really can't log on with any domain user on it :), if you refer to access from network, that is another thing.

--
Dragos CAMARA
MCSA Windows 2003 server
