McRight
asked on
DENY LOG ON LOCALLY
How can I prevent users from logging on locally when connected to the domain?
Some inventory tools and domain policies must be applied when connected to the domain.
Portable users may log on locally at home.
Thanks
What OS are you using? If it's NT, W2K or XP you can use User Rights or Group Policies: User Rights in an NT domain and group policies in a W2K domain. Why do you want to deny "log in locally"? If you set the user right to deny "log in locally" users will not be able to log on to their machines. Be careful how you apply this!
For machines that you don't want them to log on locally to, simply put a password for administrator and don't tell them what it is.
You may consider letting them logon locally as user but not as administrator; this will stop them installing software, if this is what you want.
Click on "start" then "programs" then "administrative tools" and choose "local security policy"... once there expand the "local policies folder" and highlight the "user right assignments" folder... look on the right hand side and you'll see the "deny logon locally" option... double click on it and click on the "add button"... once there add the name of the user/s that you don't want to be able to logon locally to the server... this will block them from logging in to the server sitting at the server itself... if they try to access files from their local computers they will be able to access the server files fine.
ASKER
I'm talking about a domain with group policies
no, user still has to be admin of his own portable
Go to the properties of the Group Policy for the domain. EDIT it.
Under
Computer Configuration
Security Settings
Local Policies
User Rights Assignment
There is an OPTION LOG ON LOCALLY. SET IT TO DISABLED.
Bro - this is exactly what I'm talking about. Deny the domain users group at the domain level the right to log on locally. Now no one can get into their computer. You are now a friend of Monster.com looking for new opportunities in the IT field, and you know exactly how to get fired from your next job!
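The lockout described in the post above can be checked for before a policy goes out. The following is an added example, not part of the original thread: it parses a user-rights export of the kind `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes and flags broad groups in the "Deny log on locally" right (`SeDenyInteractiveLogonRight`). The sample INF text, the domain SID and the helper names `Get-UserRightMembers` and `Test-BroadDeny` are constructed for illustration.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes; the domain SID is made up for illustration.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513,Guest
SeDenyNetworkLogonRight = Guest
'@

# Well-known SIDs that cover every (or nearly every) account on the machine.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: return the accounts/SIDs assigned to one user right.
function Get-UserRightMembers {
    param([string]$InfText, [string]$Right)
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match "^$([regex]::Escape($Right))\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
}

# Hypothetical helper: flag deny entries that would lock out whole populations.
function Test-BroadDeny {
    param([string]$InfText)
    foreach ($member in (Get-UserRightMembers $InfText 'SeDenyInteractiveLogonRight')) {
        if ($broadSids.ContainsKey($member)) {
            "LOCKOUT RISK: $($broadSids[$member]) is denied log on locally"
        } elseif ($member -match '^S-1-5-21-(\d+-){3}513$') {
            # RID 513 under a domain SID is the Domain Users group.
            "LOCKOUT RISK: Domain Users ($member) is denied log on locally"
        } else {
            "review: $member is denied log on locally"
        }
    }
}

Test-BroadDeny $sampleInf
```

On the constructed sample this reports Domain Users as a lockout risk and lists Guest for review; to check a real machine, pass the text of its own export with `Get-Content -Raw rights.inf`.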
I don't get what you want.
If you give the user the right to log on locally, which he will need for his machine at home, then he has got that right. If he logs on to the domain he's not logged on locally. Presumably what you want to stop is him logging on locally with his machine connected to the network. The question is why? If you have your network secure there is nothing he can do, though obviously people can do things to his machine if he has set up unsecured shares. Are you worried about his having installed pirate software at home? Then don't give him admin rights to the machine.
Ocon, thank you for the correction, I didn't thoroughly read your post. Off to Monster.com I go. =)
ASKER
hmm, looks like a personal vendetta is fought out here.... :)
the trick about my question is that the portable users have admin rights on their local machines
the fact is when they connect to the network, they should log on to the domain, otherwise I can't sniff their portables for unallowed software (the login script is executing an inventory program)
so there must be a way to prevent them from connecting to domain resources when not logged on to the domain; they can however fool around by creating local accounts with the same passwords as on the domain to bypass this or connecting to the terminal server from the inside like they do at home.
Pretty impossible but hey, that's why I ask the question here ....
If you don't want them to install unallowed software why are you giving them admin rights on their machines? Call the laptops in, change the administrator password and don't tell them what it is. They can do fine with user or power user.
You should be able to stop them accessing any domain resources when not logged on to the domain; it's up to you to set the security permissions. Local accounts with the same password will produce different SAT's than the domain ones.
ASKER
had to close this question; thanks to ocon for having the most characters posted :)
I created a dedicated OU for the person's computer account
he is now forced to log on to the domain; even at home :)