Solved

Blocking user computer access on a network

Posted on 2003-11-04
Last Modified: 2010-08-05
What is the best way to lock a computer down to the point that only a single user account can log in to it along with the administrator?  We want to block all users except one on multiple systems.  I can see how you can block individual users using GPO, but how would you do the opposite and only allow certain users?
Question by:JeremyPurcell
LVL 35

Expert Comment

by:ShineOn
So, you want to make sure that ONLY the administrator or the person to whom a PC has been assigned can log into a PC, is that correct?

There are ways to do this, but you need to tell us more about your environment.  Desktop OS, server OS, etc.

Author Comment

by:JeremyPurcell
Yes that is what I am looking for.  We are running a Windows 2000 domain running Windows XP clients.  We thought of creating a group with all users except the one with access and blocking that group, but this doesn't seem like the best possible solution, especially if you have to do this to more than 500 systems.
LVL 35

Accepted Solution

by:ShineOn (earned 63 total points)
Hmmm...

A policy is the best way to do this, IMHO.  Exactly how to set up the policy, I will have to defer to other Experts, as I haven't gotten that far in my brushup studies on Win2K/Win2K3 server.
LVL 82

Expert Comment

by:oBdA
There are several possibilities I can think of at the moment.
GPOs won't help you much; you want to "individualize" the machines, and GPOs are meant to handle groups ...
In the user's profile, you can specify the machines on which he is allowed to log on. That is not exactly what you want, though, because users for which there is no machine specified will still be able to log on to other machines. If this is a restriction that is to be applied to most users, it should do the trick, though. The advantage is that it's scriptable and changes need only to be done on the server.
The "proper" way in terms of controlling resource access is of course the local security policy; remove the "log on locally" right for Users. Create a local group, for example "L-LocalLogon"; assign this group the right to log on locally. Theoretically, you'd now create a global group, put the user(s) in the global group, and make the global group a member of the local group; in your case, this is a special situation, so just go ahead and add the user's domain account directly to the local group. Of course, this involves a (one-time) setup on each client. If you have the Resource Kit, this could be scripted.
A third solution would be possible if there is a connection between the machine name and the user that is allowed on it (something like "WS00001" and "User00001"); you could then use the logon script to match (parts of) the user name against (parts of) the machine name and log the user off if they don't match. This could also be done easily by keeping a list on a share and comparing against that list. This solution would be the easiest to implement, but it is not tamper-proof, since the user could cancel the logon script before the match takes place.
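The first option above (restricting the domain account's "Log On To" workstation list, which lives in the userWorkstations attribute) can be scripted from the server side. The script below is an added example, not code from the thread or from oBdA. It assumes it runs from a domain member as an account allowed to edit the user objects, that PowerShell is available there, and that the user names, the WS00001-style computer names and the CSV mapping are placeholders constructed for the example.

```powershell
# Added example (not from the thread): set and audit the "Log On To" workstation
# list of domain users via ADSI. All account and computer names are placeholders.

function Find-DomainUser {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $domainDN = ([ADSI]"LDAP://RootDSE").Get("defaultNamingContext")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found under $domainDN" }
    return $result.GetDirectoryEntry()
}

function Set-LogonWorkstations {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string[]]$Computers
    )
    $user = Find-DomainUser $SamAccountName
    # userWorkstations is a single comma-separated string of NetBIOS computer names.
    $user.Put("userWorkstations", (($Computers | ForEach-Object { $_.ToUpper() }) -join ","))
    $user.SetInfo()
}

function Get-LogonWorkstations {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $value = (Find-DomainUser $SamAccountName).Properties["userWorkstations"].Value
    # An empty attribute means "all computers": this is the gap oBdA points out,
    # a user without a list is not confined at all, so report it as an empty list.
    if ([string]::IsNullOrEmpty($value)) { return @() }
    return @($value -split ",")
}

# Constructed mapping for the example: the one workstation each user is assigned.
$mapping = @"
User,Workstation
user00001,WS00001
user00002,WS00002
"@ | ConvertFrom-Csv

foreach ($row in $mapping) {
    Set-LogonWorkstations -SamAccountName $row.User -Computers @($row.Workstation)
}

# Audit pass: flag any user in the mapping who is still unrestricted.
foreach ($row in $mapping) {
    $allowed = Get-LogonWorkstations -SamAccountName $row.User
    if ($allowed.Count -eq 0) {
        Write-Warning "$($row.User): no workstation list, can log on anywhere"
    } else {
        Write-Host "$($row.User): $($allowed -join ', ')"
    }
}
```

Because the restriction is per user rather than per machine, the audit loop is the important half: any account that is missing from the mapping keeps the default (no list) and can still log on to every workstation, exactly the case oBdA describes.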
LVL 4

Expert Comment

by:Wiired
With windows XP workstations, this is relatively easy. You can create a local computer policy that will allow or deny local login rights as needed, as well as a slew of other things.

If you use the MMC console, choose "Group Policy" for the local machine. In "Windows Settings", choose "Local Policies" -> "User Rights Assignments"

Everything you need is there.

Hope this helps.
LVL 4

Expert Comment

by:Wiired
Sorry...missed a step.

Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments.
LVL 35

Expert Comment

by:ShineOn
Wiired - is there a way to do that centrally from the server?  IIRC this kind of stuff is part of IntelliMirror technology, but I don't know if you need to buy SMS to get this or if you can just set a policy at the server side.

I know how to do it using Novell ZENworks, but not with "vanilla" Windows...
LVL 4

Expert Comment

by:Wiired
I don't think that this can be done server side due to the individual logins needed for each different workstation. If the same user was the only user who could access all the locked-down systems, then I'm sure it could happen.

Kind of a pain in the ass to do each WS individually, but as far as I know it is the only way. At least you only have to do it once....  :-)

LVL 35

Expert Comment

by:ShineOn
That's where tools like ZEN for Desktops come in handy.  I'd bet ZFD could do this centrally.  I know ZFD could do all the ZAK stuff and more before Microsoft even released Win2K to production.

SMS 2003 might be able to do it, too.  Don't know.
LVL 4

Expert Comment

by:Wiired
SMS might do the trick, if you want to spend the $$$$

Probably might be worth it if you had a few thousand boxes to run, that aside, I'd rather do it manually :-)

LVL 35

Expert Comment

by:ShineOn
Manually once, yes.  If I have to do it six times a year, I'd rather spend some bux, even with only 50 PCs.
LVL 4

Expert Comment

by:Wiired
Hmmm...wondering if this can be scripted into an existing unattended install script for future use.....???

I agree, I don't like doing more work than necessary either. I guess the question here is how often this would have to be done.

I did this scenario on all the executive desktops last year, and I haven't had to do it again as of yet.

<knocking HARD on wood...>
LVL 35

Expert Comment

by:ShineOn
I hear you knocking.  You must be knocking REALLY hard... ;)
LVL 4

Expert Comment

by:Wiired
Have to knock hard.... Here I have to deal with "Clueless Executive Computer Syndrome"

<CEO phone call> "Remember the virus file you told me not to open.....?"


LVL 35

Expert Comment

by:ShineOn
LOL

Author Comment

by:JeremyPurcell
I mistakenly said that the client is a 2000 machine when it is really an XP machine. I don't see Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments there.
LVL 82

Assisted Solution

by:oBdA (earned 62 total points)
You'll find the local security policy at Start/Programs/Administration/Local Security Policy (or simply enter "secpol.msc" in a command window or the run menu).
You'll find a setting there to "Deny local logon right" as well. You don't need this. A deny overrules the logon permission; if you came up with the idea (those things have happened before) to deny logon to Users and to allow logon for Administrators only, you'll find yourself locked out of the machine, because administrators are users as well ...
And as I said before: don't assign the logon right directly to individual users. Create a local group on the machine, assign the right to this group, and remove "Users" (and maybe "Power Users") from the "local logon" right, depending on your desired setup. Make the users allowed to log on to the machine members of this group.
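The local-policy method oBdA describes in both of his comments (create a local group, give it and Administrators the "log on locally" right, drop Users and Power Users, and never put a deny on a group the administrator belongs to) is the part that has to be done on each client, and it is what secedit.exe was made to script. The script below is an added example, not code from the thread or from oBdA; it assumes it runs elevated on the XP client, that PowerShell is installed there (XP SP3 can run PowerShell 2.0), that CORP\user00001 and L-LocalLogon are placeholder names, and that no domain GPO defines user rights for the machine (a domain setting would override the local one).

```powershell
# Added example (not from the thread): apply the local "Allow log on locally" right
# with secedit.exe and refuse to apply a configuration that would lock out
# Administrators through a deny right. Account and group names are placeholders.

$GroupName   = "L-LocalLogon"
$AllowedUser = "CORP\user00001"
$AdminsSid   = "*S-1-5-32-544"      # BUILTIN\Administrators, always kept in the allow list

function Ensure-LocalLogonGroup {
    param([string]$Group, [string]$Member)
    net localgroup $Group > $null 2>&1
    if ($LASTEXITCODE -ne 0) { net localgroup $Group /add | Out-Null }
    net localgroup $Group $Member /add > $null 2>&1    # non-zero if already a member; harmless
}

function Get-PrivilegeRights {
    # Export the current user-rights assignments as a hashtable: right -> principals.
    # secedit writes resolvable accounts as *S-1-... SIDs.
    $out = Join-Path $env:TEMP "rights-export.inf"
    secedit /export /cfg $out /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content $out -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item $out -ErrorAction SilentlyContinue
    return $rights
}

function Test-AdminLockout {
    param([hashtable]$Rights)
    # A deny right wins over an allow right. On a default build an administrator's
    # token also carries Users (S-1-5-32-545, whose default members are Authenticated
    # Users S-1-5-11 and INTERACTIVE S-1-5-4) and Everyone (S-1-1-0), so a deny on
    # any of those denies the administrator too. That is the lockout oBdA warns about.
    $inherited = '*S-1-5-32-544', '*S-1-5-32-545', '*S-1-5-11', '*S-1-5-4', '*S-1-1-0'
    $problems = @()
    foreach ($p in $inherited) {
        if (@($Rights['SeDenyInteractiveLogonRight']) -contains $p) { $problems += "deny local logon on $p" }
    }
    if (@($Rights['SeInteractiveLogonRight']) -notcontains $AdminsSid) { $problems += "Administrators missing from allow list" }
    return $problems
}

function Set-InteractiveLogonRight {
    param([string[]]$Principals)
    $inf = Join-Path $env:TEMP "logonright.inf"; $db = Join-Path $env:TEMP "logonright.sdb"
    # Only rights named in the template change, and each is REPLACED with exactly this
    # membership, which is how Users and Power Users drop off SeInteractiveLogonRight.
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $($Principals -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# 1. Create the group first so its name resolves when the template is applied.
Ensure-LocalLogonGroup -Group $GroupName -Member $AllowedUser

# 2. Dry run: combine the intended allow list with the deny list already on the box.
$intended = Get-PrivilegeRights
$intended['SeInteractiveLogonRight'] = @($AdminsSid, $GroupName)
$problems = Test-AdminLockout -Rights $intended
if ($problems) { throw "Refusing to apply, it would lock administrators out: $($problems -join '; ')" }

# 3. Apply, then read the policy back: exactly two principals should remain.
Set-InteractiveLogonRight -Principals $AdminsSid, $GroupName
$after = @((Get-PrivilegeRights)['SeInteractiveLogonRight'])
if ($after.Count -ne 2) { Write-Warning "Unexpected allow list after apply: $($after -join ', ')" }
else { Write-Host "Allow log on locally is now: $($after -join ', ')" }
```

The dry-run step is the point of the example: the template only adds the allow list, but a deny entry that is already present for Users, Authenticated Users or Everyone would still win, so the check runs against the merged state before secedit touches the machine. Try it on one workstation with a second administrator session open before rolling it into an unattended build.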
