Restricted access on a windows 2000 domain

I have a workstation in a high traffic area, and would like to restrict access to this workstation to a single user on the domain.  How would I go about doing this?
netlinger asked:

oBdA commented:
In your domain, create a new global security group, for example "G-LocalLogon". Make the user(s) in question member of this group.
On the machine in question, create a new group, for example "L-LocalLogon". Add the global group you created to this local group.
Go to Administrative Tools, start Local Security Policy.
Go to Local Policies\User Permissions, and edit the "Local Logon" policy: remove the Users, Guests, and Power Users accounts (but leave the Administrators and Backup Operators!), and add the "L-LocalLogon" group instead.
This allows you easy administration; if another user needs access to this workstation, you can simply add him to the global security group.
0
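The same AGLP setup scripted end to end, as an added example that is not part of the thread: `net` for the two groups, `secedit` for the "Log on locally" right, and the membership check oBdA asks for further down. Domain name CONTOSO and user name "reception" are assumptions; the group names are the ones from the answer above.

```batch
@echo off
rem Added example, not from the original thread. Assumed: domain CONTOSO,
rem user "reception", global group G-LocalLogon, local group L-LocalLogon.
rem Steps 1-2 run on a domain controller (or a member with /domain);
rem steps 3-5 run on the workstation itself as a local administrator.

rem 1. Global security group in the domain, receptionist as its only member.
net group G-LocalLogon /add /domain /comment:"May log on at the reception PC"
net group G-LocalLogon reception /add /domain

rem 2. Local group on the workstation, with the global group nested in it (AGLP).
net localgroup L-LocalLogon /add /comment:"Allowed to log on locally"
net localgroup L-LocalLogon CONTOSO\G-LocalLogon /add

rem 3. Replace the "Log on locally" right via a security template.
rem    Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup Operators.
rem    Users, Guests and Power Users are simply absent from the list.
set INF=%TEMP%\logon.inf
>  "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [Privilege Rights]
>> "%INF%" echo SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,L-LocalLogon
secedit /configure /db "%TEMP%\logon.sdb" /cfg "%INF%" /areas USER_RIGHTS /log "%TEMP%\logon.log"

rem 4. Verify: export the effective rights and show who holds interactive logon.
secedit /export /cfg "%TEMP%\effective.inf" /areas USER_RIGHTS
findstr /i SeInteractiveLogonRight "%TEMP%\effective.inf"

rem 5. Anyone in the local Administrators group keeps the right, so Domain Users
rem    (or another domain group containing everyone) must not be nested here.
net localgroup Administrators
```

If a domain Group Policy also defines "Log on locally", the domain setting wins over the local policy set here, so check the effective list from step 4 after the next policy refresh rather than trusting the template alone.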
map000 commented:
or you can add a filter using Ipsec (if it's a win 2k/2k3 workstation)
0
netlinger (author) commented:
oBdA,

If I understand your answer, this is a solution to allow a domain member to log on locally to a workstation. I need the person to be able to log on to the domain, and restrict it to just that user.  The workstation is a receptionist desk where everyone comes in at our church; I'm trying to prevent things like one of the other pastors logging on with their logon and letting their kids play games on that machine... and other misuses of this workstation.

I figured if I could limit the domain logon to just the receptionist and block or deny all others I would have achieved my goal.  Currently no one in our organization except the sys admin can logon locally to a machine.

thank you.
0

netlinger (author) commented:
map000,

could you tell me more about this IPsec filter?
0
oBdA commented:
Nope, this solution prevents users other than administrators and members of the (domain group!) G_LocalLogon group to logon to the machine in question.
Local Logon is a privilege any user logging on to any machine must have. On workstations, this permission is granted by default to the local group "Users" (among others). When the machine is joined to a domain, the global group "Domain Users" is automatically added to the local group "Users", and that gives a domain user the right to logon to the machine using the domain account.
Remove the Users group from the Local Logon permissions, and no domain user (except Administrators) will be able to logon to the machine. Again: do NOT remove the Administrators group!
The method I described is the proper way permissions should be granted in an NT domain: "AGLP" - Accounts go into Global groups, global groups go into Local groups, Permissions are assigned to local groups. And, yes, in principle, it would work if you added the user account directly, but assigning permissions this way will pretty soon lead to an administrative nightmare.
0
map000 commented:
can you be more specific?
do you want that user to log on locally or from the network?
0
netlinger (author) commented:
oBdA,

Ok I followed the instructions, created the Global group on the DC
Created the Local Group on the Workstation
Removed power users, users and guests leaving only the Admin and backup operators groups
everything is done, and still my domain members can log this machine on to the network.

map000,
I want to allow only 1 domain member to be able to log on to the network from this workstation.
0
netlinger (author) commented:
oBdA, cont.,

I neglected to state that I added the user to the Global DC group and I added this Global group to the Local Group on the workstation.
0
oBdA commented:
Sorry for asking, but I've seen this happen before: are your domain users members of the Domain Administrators group, or is another group except Domain Admins member of the local group Administrators on this workstation?
0
map000 commented:
netlinger, thanks for your specification.
oBdA's solution is ok.
first I thought it's about the access from the network
0
netlinger (author) commented:
I will check on that machine and see.  Some of my machines require domain users to be added to the local administrators group for some software to function correctly.  I will get back to you.

Thanks
0