Solved

Restricted access on a windows 2000 domain

Posted on 2004-10-27
244 Views
Last Modified: 2013-12-04
I have a workstation in a high traffic area, and would like to restrict access to this workstation to a single user on the domain.  How would I go about doing this?
0
Question by:netlinger
    11 Comments
     
    LVL 82

    Expert Comment

    by:oBdA
    In your domain, create a new global security group, for example "G-LocalLogon". Make the user(s) in question member of this group.
    On the machine in question, create a new group, for example "L-LocalLogon". Add the global group you created to this local group.
    Go to Administrative Tools, start Local Security Policy.
    Go to Local Policies\User Permissions, and edit the "Local Logon" policy: remove the Users, Guests, and Power Users accounts (but leave the Administrators and Backup Operators!), and add the "L-LocalLogon" group instead.
    This allows you easy administration; if another user needs access to this workstation, you can simply add him to the global security group.
    0
     
    LVL 5

    Expert Comment

    by:map000
    or you can add a filter using Ipsec (if it's a win 2k/2k3 workstation)
    0
     

    Author Comment

    by:netlinger
    oBdA,

    If I understand your answer, this is a solution to allow a domain member to log on locally to a workstation. I need the person to be able to log on to the domain, and restrict it to just that user.  The workstation is a receptionist desk where everyone comes in at our church; I'm trying to prevent things like one of the other pastors logging on with their logon and letting their kids play games on that machine... and other misuses of this workstation.

    I figured if I could limit the domain logon to just the receptionist and block or deny all others I would have achieved my goal.  Currently no one in our organization except the sys admin can logon locally to a machine.

    thank you.
    0
     

    Author Comment

    by:netlinger
    map000,

    could you tell me more about this IPsec filter?
    0
     
    LVL 82

    Expert Comment

    by:oBdA
    Nope, this solution prevents users other than administrators and members of the (domain group!) G-LocalLogon group from logging on to the machine in question.
    Local Logon is a privilege any user logging on to any machine must have. On workstations, this permission is granted by default to the local group "Users" (among others). When the machine is joined to a domain, the global group "Domain Users" is automatically added to the local group "Users", and that gives a domain user the right to logon to the machine using the domain account.
    Remove the Users group from the Local Logon permissions, and no domain user (except Administrators) will be able to logon to the machine. Again: do NOT remove the Administrators group!
    The method I described is the proper way permissions should be granted in an NT domain: "AGLP" - Accounts go into Global groups, global groups go into Local groups, Permissions are assigned to local groups. And, yes, in principle, it would work if you added the user account directly, but assigning permissions this way will pretty soon lead to an administrative nightmare.
    0
     
    LVL 5

    Expert Comment

    by:map000
    can you be more specific?
    do you want that user to log on locally or from the network?
    0
     

    Author Comment

    by:netlinger
    oBdA,

    OK, I followed the instructions: created the Global group on the DC,
    created the Local Group on the Workstation,
    removed Power Users, Users and Guests, leaving only the Admin and Backup Operators groups.
    Everything is done, and still my domain members can log this machine on to the network.

    map000,
    I want to allow only 1 domain member to be able to log on to the network from this workstation.
    0
     

    Author Comment

    by:netlinger
    oBdA cont.,

    I neglected to state that I added the user to the Global DC group and I added this Global group to the Local Group on the workstation.
    0
     
    LVL 82

    Accepted Solution

    by:
    Sorry for asking, but I've seen this happen before: are your domain users members of the Domain Administrators group, or is another group except Domain Admins member of the local group Administrators on this workstation?
    0
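    As an added example (not part of the original thread or any of its posters' instructions): a batch script that carries out oBdA's AGLP steps with net and secedit, then runs the check from the accepted solution by listing the local Administrators group. The domain name MYDOMAIN, the user name receptionist and the file names under %TEMP% are assumptions; the group names are those oBdA suggested.

    ```batch
    @echo off
    rem Added example, not from the thread. Assumed names: domain MYDOMAIN,
    rem user receptionist, groups G-LocalLogon (domain) and L-LocalLogon (local).
    rem The /domain lines need domain admin rights; the rest runs on the workstation.

    rem 1. Global security group in the domain with the receptionist as its only member (A -> G)
    net group G-LocalLogon /add /domain /comment:"Allowed to log on at the reception PC"
    net group G-LocalLogon receptionist /add /domain

    rem 2. Local group on the workstation that contains the global group (G -> L)
    net localgroup L-LocalLogon /add /comment:"Holds the Log on locally right"
    net localgroup L-LocalLogon MYDOMAIN\G-LocalLogon /add

    rem 3. Security template: the "Log on locally" right (SeInteractiveLogonRight) is granted
    rem    only to Administrators (S-1-5-32-544), Backup Operators (S-1-5-32-551) and L-LocalLogon.
    rem    Users, Power Users and Guests are absent from the list, so they lose the right (L -> P).
    > %TEMP%\logon.inf (
      echo [Version]
      echo signature="$CHICAGO$"
      echo Revision=1
      echo [Privilege Rights]
      echo SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,L-LocalLogon
    )
    secedit /configure /db %TEMP%\logon.sdb /cfg %TEMP%\logon.inf /areas USER_RIGHTS /log %TEMP%\logon.log

    rem 4. Verify what was applied, then check the trap from the accepted solution:
    rem    any domain user or group sitting in local Administrators still gets in.
    secedit /export /db %TEMP%\logon.sdb /cfg %TEMP%\applied.inf /areas USER_RIGHTS
    findstr /i SeInteractiveLogonRight %TEMP%\applied.inf
    net localgroup Administrators
    ```

    If the last command lists Domain Users or another broad domain group, the restriction is bypassed for its members; remove that group from local Administrators or the policy change has no effect for them.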
     
    LVL 5

    Expert Comment

    by:map000
    netlinger, thanks for your specification.
    oBdA's solution is OK.
    First I thought it was about the access from the network.
    0
     

    Author Comment

    by:netlinger
    I will check on that machine and see.  Some of my machines require domain users to be added to the local administrators group for some software to function correctly.  I will get back to you.

    Thanks
    0
