Solved

Blocking user computer access on a network

Posted on 2003-11-04
19
274 Views
Last Modified: 2010-08-05
What is the best way to lock a computer down to the point that only a single user account can login to it along with the administrator?  We want to block all users except one on multiple systems.  I can see how you can block individual users using GPO but how would you do the opposite and only allow certain users?
0
Comment
Question by:JeremyPurcell
19 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 9681407
So, you want to make sure that ONLY the administrator or the person to whom a PC has been assigned can log into a PC, is that correct?

There are ways to do this, but you need to tell us more about your environment.  Desktop OS, server OS, etc.
0
 

Author Comment

by:JeremyPurcell
ID: 9681604
Yes that is what I am looking for.  We are running a Windows 2000 domain running Windows XP clients.  We thought of creating a group with all users except the one with access and blocking that group, but this doesn't seem like the best possible solution, especially if you have to do this to more than 500 systems.
0
 
LVL 35

Accepted Solution

by:
ShineOn earned 63 total points
ID: 9681943
Hmmm...

A policy is the best way to do this, IMHO.  Exactly how to set up the policy, I will have to defer to other Experts, as I haven't gotten that far in my brushup studies on Win2K/Win2K3 server.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 9682774
There are several possibilities I can think of at the moment.
GPOs won't help you much; you want to "individualize" the machines, and GPOs are meant to handle groups ...
In the user's profile, you can specify the machines on which he is allowed to logon. That is not exactly what you want, though, because users for which there is no machine specified will still be able to logon to other machines. If this is a restriction that is to be applied to most users, it should do the trick, though. The advantage is that it's scriptable and changes need only to be done on the server.
The "proper" way in terms of controlling resource access is of course the local security policy; remove the "log on locally" right for Users. Create a local group, for example "L-LocalLogon"; assign this group the right to logon locally. Theoretically, you'd now create a global group, put the user(s) in the global group, and make the global group member of the local group; in your case, this is a special situation, so just go ahead and add the user's domain account directly to the local group. Of course, this involves a (one time) setup on each client. If you have the Resource Kit, this could be scripted.
A third solution would be possible if there is a connection between the machine name and the user that is allowed on it (something like "WS00001" and "User00001"); you could then use the logon script to match (parts of) the user name against (parts of) the machine name and log off the user if they don't match. This could also be done easily by keeping a list on a share and comparing against that list. This solution would be the easiest to implement, but it is not tamper proof, since the user could cancel the logon script before the match takes place.
0
 
LVL 4

Expert Comment

by:Wiired
ID: 9683040
With windows XP workstations, this is relatively easy. You can create a local computer policy that will allow or deny local login rights as needed, as well as a slew of other things.

If you use the MMC console, choose "Group Policy" for the local machine. In "Windows Settings", choose "Local Policies" -> "User Rights Assignments"

Everything you need is there.

Hope this helps.
0
 
LVL 4

Expert Comment

by:Wiired
ID: 9683053
Sorry...missed a step.

Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9683105
Wiired - is there a way to do that centrally from the server?  IIRC this kind of stuff is part of IntelliMirror technology, but I don't know if you need to buy SMS to get this or if you can just set a policy at the server side.

I know how to do it using Novell ZENworks, but not with "vanilla" Windows...
0
 
LVL 4

Expert Comment

by:Wiired
ID: 9683167
I don't think that this can be done server side due to the individual logins needed for each different workstation. If the same user was the only user who could access all the locked down systems, then I'm sure it could happen.

Kinda a pain in the ass to do each WS individually, but as far as I know it is the only way. At least you only have to do it once....  :-)

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9683201
That's where tools like ZEN for Desktops come in handy.  I'd bet ZFD could do this centrally.  I know ZFD could do all the ZAK stuff and more before Microsoft even released Win2K to production.

SMS 2003 might be able to do it, too.  Don't know.
0
 
LVL 4

Expert Comment

by:Wiired
ID: 9683274
SMS might do the trick, if you want to spend the $$$$

Probably might be worth it if you had a few thousand boxes to run, that aside, I'd rather do it manually :-)

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9683285
Manually once, yes.  If I have to do it six times a year, I'd rather spend some bux, even with only 50 PCs.
0
 
LVL 4

Expert Comment

by:Wiired
ID: 9683345
Hmmm...wondering if this can be scripted into an existing unattended install script for future use.....???

I agree, I don't like doing more work than necessary either. I guess the question here is how often this would have to be done.

I did this scenario on all the executive desktops last year, and I haven't had to do it again as of yet

<knocking HARD on wood...>
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9683369
I hear you knocking.  You must be knocking REALLY hard... ;)
0
 
LVL 4

Expert Comment

by:Wiired
ID: 9683386
Have to knock hard....Here I have to deal with "Clueless Executive Computer Syndrome"

<CEO phone call> "Remember the virus file you told me not to open.....?"


0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9683393
LOL
0
 

Author Comment

by:JeremyPurcell
ID: 9698918
I mistakenly said that the client is a 200 machine when it is really an XP machine. I don't see Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments there.
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 62 total points
ID: 9699542
You'll find the local security policy at Start/Programs/Administration/Local Security Policy (or simply enter "secpol.msc" in a command window or the run menu).
You'll find a setting there to "Deny local logon right" as well. You don't need this. A deny overrules the logon permission; if you came up with the idea (those things have happened before) to deny logon to users and to allow logon for administrators only, you'll find yourself locked out of the machine, because administrators are users as well ...
And as I said before: don't assign the logon right directly to individual users. Create a local group on the machine, assign the right to this group, remove "Users" (and maybe "Power Users") from the "local logon", depending on your desired setup. Make the users allowed to logon to the machine member of this group.
0
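One way to script the sequence oBdA describes (create a local group, give that group the "log on locally" right alongside Administrators, drop "Users" from the right) on a single workstation. This is an added example, not code from the thread or from any of its participants; it assumes an elevated session on a current Windows host where the Microsoft.PowerShell.LocalAccounts cmdlets and secedit.exe are available, and the group name L-LocalLogon is taken from oBdA's comment while CONTOSO\jdoe is a placeholder for the permitted domain account. It also builds in the check oBdA warns about: the Administrators group is always kept in the allow list, and the script refuses to apply the change if a "Deny log on locally" entry would override it.

```powershell
# Added example (not from the thread): restrict interactive logon on one workstation
# to the built-in Administrators group plus a dedicated local group.
# Assumes an elevated PowerShell session on a current Windows host.
param(
    [string]$GroupName   = 'L-LocalLogon',   # group name used in oBdA's comment
    [string]$AllowedUser = 'CONTOSO\jdoe'    # placeholder for the permitted domain account
)

$ErrorActionPreference = 'Stop'

# 1. Create the local group (idempotent) and add the permitted domain account to it.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Accounts permitted to log on locally' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $GroupName -Member $AllowedUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $GroupName -Member $AllowedUser
}

# 2. Export the current User Rights Assignment from the local security database.
$cfg = Join-Path $env:TEMP 'logon-rights.inf'
$db  = Join-Path $env:TEMP 'logon-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes principals as *SID in the INF. S-1-5-32-544 is the well-known
# SID of the built-in Administrators group; it must stay in the allow list.
$adminsSid = 'S-1-5-32-544'
$groupSid  = (Get-LocalGroup -Name $GroupName).SID.Value
$newAllow  = "SeInteractiveLogonRight = *$adminsSid,*$groupSid"

# Drop the existing allow line (this is what removes "Users" / "Power Users")
# and write the new one directly under the [Privilege Rights] header.
$lines = Get-Content $cfg | Where-Object { $_ -notmatch '^SeInteractiveLogonRight' }
$lines = $lines -replace '^\[Privilege Rights\]', "[Privilege Rights]`r`n$newAllow"

# 3. Lock-out guard: a deny entry overrules an allow entry, so refuse to apply if
#    "Deny log on locally" already covers Administrators or the new group.
$deny = $lines | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
if ($deny -and (($deny -match [regex]::Escape($adminsSid)) -or
                ($deny -match [regex]::Escape($groupSid))  -or
                ($deny -match 'Administrators'))) {
    throw "SeDenyInteractiveLogonRight would override the allow entry; not applying."
}

# 4. Apply only the USER_RIGHTS area and clean up the temporary files.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

Write-Host "Interactive logon on $env:COMPUTERNAME now limited to Administrators and $GroupName."
```

Two things to keep in mind when running this: the rewritten INF keeps every other right untouched because only the SeInteractiveLogonRight line is replaced, and, as the thread notes about GPOs, a domain policy that also configures User Rights Assignment will overwrite this local setting at the next policy refresh, so the domain side must leave that setting undefined for the change to stick.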
