• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 250

Restricted access on a Windows 2000 domain

I have a workstation in a high traffic area, and would like to restrict access to this workstation to a single user on the domain.  How would I go about doing this?
1 Solution
 
oBdA commented:
In your domain, create a new global security group, for example "G-LocalLogon". Make the user(s) in question member of this group.
On the machine in question, create a new group, for example "L-LocalLogon". Add the global group you created to this local group.
Go to Administrative Tools, start Local Security Policy.
Go to Local Policies\User Permissions, and edit the "Local Logon" policy: remove the Users, Guests, and Power Users accounts (but leave the Administrators and Backup Operators!), and add the "L-LocalLogon" group instead.
This allows you easy administration; if another user needs access to this workstation, you can simply add him to the global security group.
 
map000 commented:
Or you can add a filter using IPsec (if it's a Win 2k/2k3 workstation).
 
netlinger (Author) commented:
oBdA,

If I understand your answer, this is a solution to allow a domain member to log on locally to a workstation. I need the person to be able to log on to the domain, and restrict it to just that user. The workstation is a receptionist desk where everyone comes in at our church; I'm trying to prevent things like one of the other pastors logging on with their logon and letting their kids play games on that machine... and other misuses of this workstation.

I figured if I could limit the domain logon to just the receptionist and block or deny all others, I would have achieved my goal. Currently no one in our organization except the sys admin can log on locally to a machine.

thank you.
 
netlinger (Author) commented:
map000,

Could you tell me more about this IPsec filter?
 
oBdA commented:
Nope, this solution prevents users other than administrators and members of the (domain group!) G-LocalLogon group from logging on to the machine in question.
Local Logon is a privilege any user logging on to any machine must have. On workstations, this permission is granted by default to the local group "Users" (among others). When the machine is joined to a domain, the global group "Domain Users" is automatically added to the local group "Users", and that gives a domain user the right to log on to the machine using the domain account.
Remove the Users group from the Local Logon permissions, and no domain user (except Administrators) will be able to log on to the machine. Again: do NOT remove the Administrators group!
The method I described is the proper way permissions should be granted in an NT domain: "AGLP" - Accounts go into Global groups, global groups go into Local groups, Permissions are assigned to local groups. And, yes, in principle, it would work if you added the user account directly, but assigning permissions this way will pretty soon lead to an administrative nightmare.
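The AGLP setup oBdA describes (the group chain in the accepted answer and the "Local Logon" right explained above), as a script added here; it is not from the thread and assumes an elevated PowerShell on a current Windows workstation with the RSAT ActiveDirectory module, with the domain and user names as placeholders. The final check also answers oBdA's later question about who sits in the local Administrators group.

```powershell
# Added example, not from the thread: oBdA's AGLP steps scripted.
# Assumes an elevated PowerShell on the workstation with the RSAT
# ActiveDirectory module; $Domain and $User are placeholders.
$Domain      = 'EXAMPLE'        # NetBIOS domain name (placeholder)
$User        = 'receptionist'   # the one account allowed to log on (placeholder)
$GlobalGroup = 'G-LocalLogon'   # names as in oBdA's answer
$LocalGroup  = 'L-LocalLogon'

# A -> G: the account goes into a domain global security group
New-ADGroup -Name $GlobalGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GlobalGroup -Members $User

# G -> L: the global group goes into a local group on this workstation
New-LocalGroup -Name $LocalGroup
Add-LocalGroupMember -Group $LocalGroup -Member "$Domain\$GlobalGroup"

# L -> P: the "Log on locally" right (SeInteractiveLogonRight) is granted
# to the local group. No cmdlet manages user rights, so export the policy
# with secedit, rewrite that one line, and import it again.
$Cfg = Join-Path $env:TEMP 'logon.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
# Keep Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551),
# as oBdA warns; Users, Guests and Power Users drop out by not being listed.
$Sid   = (Get-LocalGroup -Name $LocalGroup).SID.Value
$Right = "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*$Sid"
$Inf   = Get-Content -Path $Cfg
if ($Inf -match '^SeInteractiveLogonRight') {
    $Inf = $Inf -replace '^SeInteractiveLogonRight.*$', $Right
} else {
    $Inf += '[Privilege Rights]'; $Inf += $Right
}
Set-Content -Path $Cfg -Value $Inf -Encoding Unicode
secedit /configure /db "$env:TEMP\logon.sdb" /cfg $Cfg /areas USER_RIGHTS | Out-Null

# Check 1: the right should now list only the two built-in SIDs and L-LocalLogon.
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $Cfg -Pattern '^SeInteractiveLogonRight'
Remove-Item -Path $Cfg

# Check 2 (oBdA's troubleshooting question): any domain group other than
# Domain Admins in local Administrators still gets in via that group.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
    Select-Object Name, ObjectClass
```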
 
map000 commented:
Can you be more specific?
Do you want that user to log on locally or from the network?
 
netlinger (Author) commented:
oBdA,

OK, I followed the instructions: created the Global group on the DC,
created the Local group on the workstation,
removed Power Users, Users and Guests, leaving only the Admin and Backup Operators groups.
Everything is done, and still my domain members can log this machine on to the network.

map000,
I want to allow only 1 domain member to be able to log on to the network from this workstation.
 
netlinger (Author) commented:
oBdA cont.,

I neglected to state that I added the user to the Global DC group and I added this Global group to the Local Group on the workstation.
 
oBdA commented:
Sorry for asking, but I've seen this happen before: are your domain users members of the Domain Administrators group, or is another group except Domain Admins member of the local group Administrators on this workstation?
 
map000 commented:
netlinger, thanks for your specification.
oBdA's solution is OK.
First I thought it was about access from the network.
 
netlinger (Author) commented:
I will check on that machine and see.  Some of my machines require domain users to be added to the local administrators group for some software to function correctly.  I will get back to you.

Thanks
