Solved

W2K domain, W2K Pro clients. Must require local account for logon

Posted on 2003-03-31
Last Modified: 2013-12-04
We're currently running a W2K Advanced Server. We want our users to log into this domain from ctrl-alt-dlt on their clients. Our client machines are running W2K Professional. On each client machine (roughly 30) we have set up the accounts, around 4-5 per, for the users that are supposed to be able to access that machine. Those users work fine. The problem we've run into is that ANY user with an account on the W2K AS is capable of logging into those machines, regardless of whether they actually have a local account. Obviously this is a Bad Thing(tm). There has to be a security setting somewhere to require a local account in order to access the machine. Can anyone point me in the right direction?

Thanks

-Keisha
0
Comment
Question by:Keisha
5 Comments
 
LVL 9

Accepted Solution

by:
MSGeek earned 1000 total points
ID: 8238602
In AD Users & Computers go to the user properties, Account tab - "Log On To" button. Here you can specify which workstations the user is permitted to log on to.
BTW, even though they can log on to another user's workstation, it does not mean they can access other users' local information, unless you have all users logging in as local administrators. Why have you created local accounts on each workstation for its users? The purpose of having a server is to provide centralized administration, so you do not have to perform the task of creating user accounts on every workstation.
0
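An added example, not part of the original answer: one way to audit the restriction the "Log On To" button sets, which Active Directory stores in the `userWorkstations` attribute as a comma-separated list of computer names (no value means the account may log on anywhere). The LDIF sample, account names and domain are constructed placeholders, and the parser assumes plain, unfolded, non-base64 attribute lines.

```python
# Added example: audit the "Log On To" restriction from an LDIF export of user objects.
# SAMPLE_LDIF is constructed; the domain, accounts and workstation names are placeholders.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=corp,DC=example
sAMAccountName: alice
userWorkstations: WS01,WS02

dn: CN=Bob Example,CN=Users,DC=corp,DC=example
sAMAccountName: bob
userWorkstations: ws02

dn: CN=Carol Example,CN=Users,DC=corp,DC=example
sAMAccountName: carol
"""


def parse_users(ldif_text):
    """Return {sAMAccountName: set of allowed workstations}; empty set = unrestricted."""
    users = {}
    for record in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            # Assumption: no folded or base64 ("::") values in the export.
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value.strip()
        name = attrs.get("samaccountname")
        if name is None:
            continue
        raw = attrs.get("userworkstations", "")
        # Computer names are case-insensitive; normalise to upper case.
        users[name] = {w.strip().upper() for w in raw.split(",") if w.strip()}
    return users


def unrestricted(users):
    """Accounts with no workstation list: they may log on to any domain member."""
    return sorted(name for name, allowed in users.items() if not allowed)


def allowed_on(users, workstation):
    """Accounts the attribute permits on one workstation (unrestricted ones included)."""
    ws = workstation.upper()
    return sorted(n for n, allowed in users.items() if not allowed or ws in allowed)


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_LDIF)
    print("unrestricted:", unrestricted(parsed))
    print("WS02:", allowed_on(parsed, "WS02"))
```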
 
LVL 1

Author Comment

by:Keisha
ID: 8239026
Ok, feeling stupid. Thank you so much. The answer to why we're creating local accounts is simply that I didn't know what you described was possible. I'm our Linux person, W2K is new to my entire department in any case.

Thanks again

-Keisha
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8239060
I'd be in the same shoes if it was a Linux issue. Glad I could help.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8248936
KEISHA... being new to W2k, there is a little risk that you could misunderstand the answer from MSGEEK "unless you have all users logging in as local administrators"

Now - MSGEEK didn't advise to do that, he did advise you to use AD Users & Computers, BUT ...

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

MSGEEK... Maybe you thought I missed this one?

;o) Not going for your shoes, but running after the ball. Greetings!!!
0
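An added example, not part of the original comment: a check for the two conditions warned about above, run over `net localgroup Administrators` output collected from each workstation. The sample output, the `CORP` domain, host and account names are constructed placeholders, and because the command does not mark which members are groups, the set of domain group names is supplied by the auditor as an assumption.

```python
# Added example: audit local Administrators membership collected from workstations.
# All sample data is constructed; CORP, WS01..WS03, alice and bob are placeholders.
from collections import defaultdict

HEADER = ("Alias name     Administrators\n"
          "Comment        Administrators have complete and unrestricted access\n\n"
          "Members\n\n" + "-" * 79 + "\n")
FOOTER = "The command completed successfully.\n"

SAMPLE = {  # constructed `net localgroup Administrators` output per workstation
    "WS01": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\alice\n" + FOOTER,
    "WS02": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\alice\nCORP\\bob\n" + FOOTER,
    "WS03": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\Domain Users\n" + FOOTER,
}
KNOWN_GROUPS = {"domain users", "domain admins"}  # assumption: supplied by the auditor
EXPECTED = {"domain admins"}  # added by default when a machine joins the domain


def members(output):
    """Member names listed between the dashed rule and the completion line."""
    lines = output.splitlines()
    start = next(i for i, ln in enumerate(lines) if ln.startswith("----")) + 1
    return [ln.strip() for ln in lines[start:]
            if ln.strip() and not ln.startswith("The command completed")]


def audit(outputs, domain):
    """Return (unexpected domain groups, domain users who are admin on several hosts)."""
    groups, hosts_by_user = [], defaultdict(set)
    prefix = domain.lower() + "\\"
    for host, text in sorted(outputs.items()):
        for m in members(text):
            if not m.lower().startswith(prefix):
                continue  # local account, not a domain principal
            name = m[len(prefix):].lower()
            if name in KNOWN_GROUPS:
                if name not in EXPECTED:
                    groups.append((host, m))
            else:
                hosts_by_user[name].add(host)
    multi = {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}
    return groups, multi


if __name__ == "__main__":
    group_findings, multi_host = audit(SAMPLE, "CORP")
    print("domain groups in local Administrators:", group_findings)
    print("domain users who are admin on several workstations:", multi_host)
```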
 
LVL 9

Expert Comment

by:MSGeek
ID: 8249020
Naaah.. why would I think that?  :)
0
