Blocking user computer access on a network

What is the best way to lock a computer down to the point that only a single user account can login to it along with the administrator?  We want to block all users except one on multiple systems.  I can see how you can block individual users using GPO but how would you do the opposite and only allow certain users?
Asked by JeremyPurcell

2 Solutions
ShineOnCommented:
So, you want to make sure that ONLY the administrator or the person to whom a PC has been assigned can log into a PC, is that correct?

There are ways to do this, but you need to tell us more about your environment.  Desktop OS, server OS, etc.
0
 
JeremyPurcellAuthor Commented:
Yes that is what I am looking for.  We are running a Windows 2000 domain running Windows XP clients.  We thought of creating a group with all users except the one with access and blocking that group, but this doesn't seem like the best possible solution, especially if you have to do this to more than 500 systems.
0
 
ShineOnCommented:
Hmmm...

A policy is the best way to do this, IMHO.  Exactly how to set up the policy, I will have to defer to other Experts, as I haven't gotten that far in my brushup studies on Win2K/Win2K3 server.
0
 
oBdACommented:
There are several possibilities I can think of at the moment.
GPOs won't help you much; you want to "individualize" the machines, and GPOs are meant to handle groups ...
In the user's profile, you can specify the machines on which he is allowed to logon. That is not exactly what you want, though, because users for which there is no machine specified will still be able to logon to other machines. If this is a restriction that is to be applied to most users, it should do the trick, though. The advantage is that it's scriptable and changes need only to be done on the server.
The "proper" way in terms of controlling resource access is of course the local security policy; remove the "log on locally" right for Users. Create a local group, for example "L-LocalLogon"; assign this group the right to logon locally. Theoretically, you'd now create a global group, put the user(s) in the global group, and make the global group member of the local group; in your case, this is a special situation, so just go ahead and add the user's domain account directly to the local group. Of course, this involves a (one time) setup on each client. If you have the Resource Kit, this could be scripted.
A third solution would be possible if there is a connection between the machine name and the user that is allowed on it (something like "WS00001" and "User00001"); you could then use the logon script to match (parts of) the user name against (parts of) the machine name and log off the user if they don't match. This could also be done easily by keeping a list on a share and comparing against that list. This solution would be the easiest to implement, but it is not tamper proof, since the user could cancel the logon script before the match takes place.
0
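A domain logon script implementing oBdA's third option (name matching, with the list-on-a-share variant as a fallback), added here as an example and not code from the thread. It assumes the "WS00001" / "User00001" naming convention from the answer, and the share path and list file name are placeholders; as the answer notes, a user who cancels the logon script bypasses this check, so it is a convenience control, not a security boundary.

```batch
@echo off
rem Added example: logon script that logs the user off unless the numeric
rem suffix of the user name matches the machine name, or the pair appears in
rem an allow-list on a share. SERVER and allowed.txt are assumed names.
setlocal enabledelayedexpansion

set "WS=%COMPUTERNAME%"
set "USR=%USERNAME%"

rem Strip the fixed prefixes ("WS" is 2 chars, "User" is 4) to get the number parts.
set "WSNUM=%WS:~2%"
set "USRNUM=%USR:~4%"

rem The built-in administrator account is always allowed through.
if /i "%USR%"=="Administrator" goto :allowed

rem Check 1: numeric suffix of the user name equals that of the machine name.
if /i "%WSNUM%"=="%USRNUM%" goto :allowed

rem Check 2: explicit allow-list, one "MACHINE,user" pair per line (assumed format).
set "LIST=\\SERVER\netlogon\allowed.txt"
if exist "%LIST%" (
    findstr /i /x /c:"%WS%,%USR%" "%LIST%" >nul && goto :allowed
)

rem No match: record the attempt locally, then force a logoff (logoff.exe ships with XP).
echo %DATE% %TIME% denied %USR% on %WS% >> "%TEMP%\logon-deny.log"
logoff
goto :eof

:allowed
endlocal
exit /b 0
```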
 
WiiredCommented:
With windows XP workstations, this is relatively easy. You can create a local computer policy that will allow or deny local login rights as needed, as well as a slew of other things.

If you use the MMC console, choose "Group Policy" for the local machine. In "Windows Settings", choose "Local Policies" -> "User Rights Assignments"

Everything you need is there.

Hope this helps.
0
 
WiiredCommented:
Sorry...missed a step.

Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments.
0
 
ShineOnCommented:
Wiired - is there a way to do that centrally from the server?  IIRC this kind of stuff is part of Intelimirror technology, but I don't know if you need to buy SMS to get this or if you can just set a policy at the server side.

I know how to do it using Novell ZENworks, but not with 'vanilla" Windows...
0
 
WiiredCommented:
I don't think that this can be done server side due to the individual logins needed for each different workstation. If the same user was the only user who could access all the locked down systems, then I'm sure it could happen.

Kinda a pain in the ass to do each WS individually, but as far as I know it is the only way. At least you only have to do it once....  :-)

0
 
ShineOnCommented:
That's where tools like ZEN for Desktops come in handy.  I'd bet ZFD could do this centrally.  I know ZFD could do all the ZAK stuff and more before Microsoft even released Win2K to production.

SMS 2003 might be able to do it, too.  Don't know.
0
 
WiiredCommented:
SMS might do the trick, if you want to spend the $$$$

Probably might be worth it if you had a few thousand boxes to run, that aside, I'd rather do it manually :-)

0
 
ShineOnCommented:
Manually once, yes.  If I have to do it six times a year, I'd rather spend some bux, even with only 50 PCs.
0
 
WiiredCommented:
Hmmm...wondering if this can be scripted into an existing unattended install script for future use.....???

I agree, I don't like doing more work than necessary either. I guess the question here is how often this would have to be done.

I did this scenario on all the executive desktops last year, and I havent had to do it again as of yet  

<knocking HARD on wood...>
0
 
ShineOnCommented:
I hear you knocking.  You must be knocking REALLY hard... ;)
0
 
WiiredCommented:
Have to knock hard....Here I have to deal with "Clueless Executive Computer Syndrome"

<CEO phone call> "Remember the virus file you told me not to open.....?"


0
 
ShineOnCommented:
LOL
0
 
JeremyPurcellAuthor Commented:
I mistakenly said that the client is a 200 machine when it is really an XP machine. I don't see Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments there.
0
 
oBdACommented:
You'll find the local security policy at Start/Programs/Administration/Local Security Policy (or simply enter "secpol.msc" in a command window or the run menu).
You'll find a setting there to "Deny local logon right" as well. You don't need this. A deny overrules the logon permission; if you came up with the idea (those things have happened before) to deny logon to users and to allow logon for administrators only, you'll find yourself locked out of the machine, because administrators are users as well ...
And as I said before: don't assign the logon right directly to individual users. Create a local group on the machine, assign the right to this group, remove "Users" (and maybe "Power Users") from the "local logon", depending on your desired setup. Make the users allowed to logon to the machine member of this group.
0
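A one-time per-client setup script for the local-group approach oBdA describes in this answer and his earlier one, added here as an example and not code from the thread. It uses the built-in secedit tool rather than the Resource Kit; the group name "L-LocalLogon" comes from the earlier answer, and the domain and user name passed as the argument are placeholders. Run it locally as an administrator on each XP workstation.

```batch
@echo off
rem Added example: give "Log on locally" to Administrators and one local group
rem only, and put the assigned domain account into that group.
rem Usage: lockdown.cmd DOMAIN\User00001   (domain and user are placeholders)
setlocal
if "%~1"=="" (echo usage: %~nx0 DOMAIN\username & exit /b 1)
set "GRP=L-LocalLogon"
set "INF=%TEMP%\logon.inf"
set "SDB=%TEMP%\logon.sdb"

rem 1. Local group that will carry the right (created only if it does not exist).
net localgroup "%GRP%" >nul 2>&1 || net localgroup "%GRP%" /add /comment:"Accounts allowed to log on locally" || exit /b 1

rem 2. The assigned account goes into the group, not directly into the policy.
net localgroup "%GRP%" "%~1" /add || exit /b 1

rem 3. Security template (ANSI, so no [Unicode] section). SeInteractiveLogonRight
rem    lists exactly who may log on locally: Administrators (*S-1-5-32-544) stays,
rem    Users and Power Users drop out because they are no longer listed.
rem    No Deny entry is written: as the answer says, a deny overrides the allow
rem    and would lock administrators out as well.
>  "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeInteractiveLogonRight = *S-1-5-32-544,%GRP%

rem 4. Apply only the user-rights area of the template to the local policy.
secedit /configure /db "%SDB%" /cfg "%INF%" /areas USER_RIGHTS /log "%TEMP%\logon.log" /quiet || exit /b 1

rem 5. Verify by hand in secpol.msc: Local Policies -> User Rights Assignment ->
rem    "Log on locally" should now list only Administrators and %GRP%.
del "%INF%" "%SDB%" >nul 2>&1
endlocal
```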
