Blocking user computer access on a network

What is the best way to lock a computer down to the point that only a single user account can login to it along with the administrator?  We want to block all users except one on multiple systems.  I can see how you can block individual users using GPO but how would you do the opposite and only allow certain users?
JeremyPurcellAsked:
ShineOnCommented:
So, you want to make sure that ONLY the administrator or the person to whom a PC has been assigned can log into a PC, is that correct?

There are ways to do this, but you need to tell us more about your environment.  Desktop OS, server OS, etc.
JeremyPurcellAuthor Commented:
Yes that is what I am looking for.  We are running a Windows 2000 domain running Windows XP clients.  We thought of creating a group with all users except the one with access and blocking that group, but this doesn't seem like the best possible solution, especially if you have to do this to more than 500 systems.
ShineOnCommented:
Hmmm...

A policy is the best way to do this, IMHO.  Exactly how to set up the policy, I will have to defer to other Experts, as I haven't gotten that far in my brushup studies on Win2K/Win2K3 server.

oBdACommented:
There are several possibilities I can think of at the moment.
GPOs won't help you much; you want to "individualize" the machines, and GPOs are meant to handle groups ...
In the user's profile, you can specify the machines on which he is allowed to logon. That is not exactly what you want, though, because users for which there is no machine specified will still be able to logon to other machines. If this is a restriction that is to be applied to most users, it should do the trick, though. The advantage is that it's scriptable and changes only need to be made on the server.
The "proper" way in terms of controlling resource access is of course the local security policy; remove the "log on locally" right for Users. Create a local group, for example "L-LocalLogon"; assign this group the right to logon locally. Theoretically, you'd now create a global group, put the user(s) in the global group, and make the global group a member of the local group; in your case, this is a special situation, so just go ahead and add the user's domain account directly to the local group. Of course, this involves a (one time) setup on each client. If you have the Resource Kit, this could be scripted.
A third solution would be possible if there is a connection between the machine name and the user that is allowed on it (something like "WS00001" and "User00001"); you could then use the logon script to match (parts of) the user name against (parts of) the machine name and log off the user if they don't match. This could also be done easily by keeping a list on a share and comparing against that list. This solution would be the easiest to implement, but it is not tamper proof, since the user could cancel the logon script before the match takes place.
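The logon-script variant described in the third option above, written out as an added example (this is not code from the thread or from any of its participants). It assumes a Windows XP client, a domain logon script run by cmd.exe, and an allow list kept on a share at an assumed path, one "COMPUTERNAME,username" pair per line; a line starting with "*," exempts that account on every machine. Everything else (msg.exe, shutdown.exe, eventcreate.exe, findstr.exe) ships with XP Professional.

```batch
@echo off
rem Added example (not from the thread): domain logon script that enforces a
rem workstation-to-user mapping on Windows XP clients.
rem
rem Assumed allow-list format, one pair per line on a read-only share:
rem     WS00001,User00001
rem     *,helpdeskadmin        (the "*" entry exempts an account everywhere)
rem
rem Caveat from the thread: this is not tamper proof. A user who cancels the
rem logon script stays logged on, so it complements the "log on locally"
rem right in the local security policy rather than replacing it.

set LIST=\\fileserver\netlogon$\allowed-logons.txt

rem Fail open if the share is unreachable, otherwise an outage would log off
rem every user in the domain; record the condition in the Application log so
rem it can be noticed and investigated instead of silently ignored.
if not exist "%LIST%" (
    eventcreate /l APPLICATION /t WARNING /id 900 /so LogonCheck ^
        /d "Workstation allow list %LIST% could not be read; check skipped" >nul 2>&1
    goto :eof
)

rem /x requires a whole-line match, /c: treats the argument as a literal string,
rem so a user named "User1" does not match a line for "User10".
findstr /i /x /c:"%COMPUTERNAME%,%USERNAME%" /c:"*,%USERNAME%" "%LIST%" >nul
if errorlevel 1 (
    eventcreate /l APPLICATION /t WARNING /id 901 /so LogonCheck ^
        /d "%USERNAME% is not assigned to %COMPUTERNAME%; logging off" >nul 2>&1
    msg "%USERNAME%" /time:20 "This workstation is assigned to another user. Logging off."
    shutdown -l -f
)
```

The two event IDs (900 and 901) are arbitrary values chosen for this example; they give the helpdesk something to search for when a user reports being logged off, and the 900 warning tells you when the list itself has gone missing.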
WiiredCommented:
With windows XP workstations, this is relatively easy. You can create a local computer policy that will allow or deny local login rights as needed, as well as a slew of other things.

If you use the MMC console, choose "Group Policy" for the local machine. In "Windows Settings", choose "Local Policies" -> "User Rights Assignments"

Everything you need is there.

Hope this helps.
WiiredCommented:
Sorry...missed a step.

Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments.
ShineOnCommented:
Wiired - is there a way to do that centrally from the server?  IIRC this kind of stuff is part of IntelliMirror technology, but I don't know if you need to buy SMS to get this or if you can just set a policy at the server side.

I know how to do it using Novell ZENworks, but not with "vanilla" Windows...
WiiredCommented:
I don't think that this can be done server side due to the individual logins needed for each different workstation. If the same user was the only user who could access all the locked down systems, then I'm sure it could happen.

Kind of a pain in the ass to do each WS individually, but as far as I know it is the only way. At least you only have to do it once....  :-)

ShineOnCommented:
That's where tools like ZEN for Desktops come in handy.  I'd bet ZFD could do this centrally.  I know ZFD could do all the ZAK stuff and more before Microsoft even released Win2K to production.

SMS 2003 might be able to do it, too.  Don't know.
WiiredCommented:
SMS might do the trick, if you want to spend the $$$$

Probably might be worth it if you had a few thousand boxes to run, that aside, I'd rather do it manually :-)

ShineOnCommented:
Manually once, yes.  If I have to do it six times a year, I'd rather spend some bux, even with only 50 PCs.
WiiredCommented:
Hmmm...wondering if this can be scripted into an existing unattended install script for future use.....???

I agree, I don't like doing more work than necessary either. I guess the question here is how often this would have to be done.

I did this scenario on all the executive desktops last year, and I haven't had to do it again as of yet.

<knocking HARD on wood...>
ShineOnCommented:
I hear you knocking.  You must be knocking REALLY hard... ;)
WiiredCommented:
Have to knock hard....Here I have to deal with "Clueless Executive Computer Syndrome"

<CEO phone call> "Remember the virus file you told me not to open.....?"

ShineOnCommented:
LOL
JeremyPurcellAuthor Commented:
I mistakenly said that the client is a 200 machine when it is really an XP machine. I don't see Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments there.
oBdACommented:
You'll find the local security policy at Start/Programs/Administration/Local Security Policy (or simply enter "secpol.msc" in a command window or the run menu).
You'll find a setting there to "Deny local logon right" as well. You don't need this. A deny overrules the logon permission; if you came up with the idea (those things have happened before) to deny logon to users and to allow logon for administrators only, you'll find yourself locked out of the machine, because administrators are users as well ...
And as I said before: don't assign the logon right directly to individual users. Create a local group on the machine, assign the right to this group, remove "Users" (and maybe "Power Users") from the "local logon", depending on your desired setup. Make the users allowed to logon to the machine members of this group.
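The one-time client setup that oBdA describes in both of his posts (local group, "Allow log on locally" assigned to that group, Users removed, nothing placed in "Deny log on locally"), as an added example for Windows XP; it is not code from the thread or from any participant. It uses only secedit.exe and net.exe, which are on every XP client, rather than the Resource Kit. The group name L-LocalLogon comes from the thread; the script name and the way the user is passed in are assumptions.

```batch
@echo off
rem Added example (not from the thread): one-time per-client setup on Windows XP
rem of the "local group holds the log on locally right" approach.
rem Run as a local administrator. Usage:  lockdown-logon.cmd DOMAIN\username

if "%~1"=="" (
    echo Usage: %~nx0 DOMAIN\username
    exit /b 1
)

set GROUP=L-LocalLogon
set INF=%TEMP%\logonrights.inf
set DB=%TEMP%\logonrights.sdb
set CHECK=%TEMP%\logonrights-check.inf

rem 1. Create the local group (the error when it already exists is ignored)
rem    and put the assigned domain account in it.
net localgroup %GROUP% /add >nul 2>&1
net localgroup %GROUP% "%~1" /add || exit /b 1

rem 2. Build a security template. A [Privilege Rights] line REPLACES the full
rem    list of holders of that right, so naming only Administrators (by its
rem    well-known SID S-1-5-32-544) and the new group removes Users and
rem    Power Users from "Allow log on locally" in the same step.
rem    SeDenyInteractiveLogonRight is deliberately not touched: a deny
rem    overrides an allow, and Administrators are members of Users, which is
rem    exactly the lock-out oBdA warns about.
> "%INF%" echo [Unicode]
>> "%INF%" echo Unicode=yes
>> "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeInteractiveLogonRight = *S-1-5-32-544,%GROUP%

rem 3. Apply only the user-rights area, then export it again and show the
rem    resulting line so the change can be verified before the next reboot.
secedit /configure /db "%DB%" /cfg "%INF%" /areas USER_RIGHTS /quiet
secedit /export /cfg "%CHECK%" /areas USER_RIGHTS /quiet
findstr /i /c:"SeInteractiveLogonRight" "%CHECK%"

del "%INF%" "%DB%" "%CHECK%" >nul 2>&1
```

Because the whole thing is a template applied with secedit, the same script drops into an unattended install (Wiired's thought above) or a startup script, and re-running it on a machine that was already set up is harmless: the group exists, the membership is unchanged, and the right is set to the same two holders.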