Help: How to allow only my account to be logged on locally?

sthay
Dear Experts,

I have a W2KPro machine joined to the W2K domain. As my computer has some sensitive information, I would prefer that domain/admin users not log on to my computer locally. Note that I have removed the Domain Admins group from my local Administrators group and replaced it with my domain account only, so that I can remotely access my computer from every workstation.

Now, no domain users are preconfigured with a log-on-to-workstation restriction. And this is good since we want to allow any user to log on from any workstation.

The question is how to allow only my account to be logged on locally on my W2KPro machine?

Thanks in advance for any of your advice.

Rgds,
Sot

Try running mmc, and adding the Local Computer Policies snap-in. Open Computer Configuration, Windows settings, Security settings, User rights Assignments, Log on Locally.

Just a question, isn't it that when you are on a domain, the local computer policies are overshadowed by the domain policies? Or is it the other way around?
You may want to do the same thing on your server, as you probably do not want users logging on at the server either.

Domain policies take precedence over local policies.

There is one problem with this situation. Being admins, they can very easily change your network password and log on as you.

If this data is really that sensitive I suggest looking into EFS encrypted file system. You can truly lock down data from prying eyes even if your account is compromised.
First of all, understand that there is an administrative share C$ etc., that is accessible to any Administrator. So any Admin can connect to your PC if they want to.

However if it's an NTFS partition, then there is security.

Go to the drive or folder, right click, properties, security and give yourself and only yourself full control. If no one else has rights, they can't read, or write to the drive/folder.

If it's not NTFS, then there isn't much you can do because anyone with a DOS disk can get to your data.

You can also encrypt your data if you're really concerned about security, then only you, or someone you give the security key to, can see the data.

Harry
Ok, well I think the first person in the highest administrators group also has a key - but they may not know it LOL

Author commented:
Thanks very much to those who contributed answers to my earlier question.

I might not have described my problem clearly. Anyways, is it possible to allow only my domain account to be used to log on to my local computer?

FYI, no members of the Domain Admins could gain access to my W2KPro remotely because I have removed the DOMAIN\Domain Admins group from the local Administrators group. Now, all domain user accounts, including Domain Admins, can sit and log on to my computer locally whenever I am out of my office. And this should be prevented.

Thanks once again for your guidance!

Rgds,
Sot
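
The Log on Locally user right suggested in the first reply can also be set from a security template; the following is an added example, not part of the original thread. The account name EXAMPLEDOM\sot and the file names are placeholders, and it assumes the local Administrators group holds only the poster's domain account, as described in the question.

```ini
; logon-local.inf : constructed example template, not from the thread.
; Apply on the workstation from an administrative command prompt:
;   secedit /configure /db logon-local.sdb /cfg logon-local.inf /areas USER_RIGHTS
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Privilege Rights]
; SeInteractiveLogonRight is the "Log on locally" user right.
; The list below replaces the current one, so groups such as Users
; and Power Users lose the right once the template is applied.
; *S-1-5-32-544  = BUILTIN\Administrators (kept as a recovery path)
; EXAMPLEDOM\sot = placeholder for the one permitted domain account
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLEDOM\sot
```

As noted in the thread, a domain policy that defines the same right takes precedence over this local setting, and anyone able to reset the account's password can still log on as that account.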
