
Restricted access on a windows 2000 domain

Posted on 2004-10-27
Last Modified: 2013-12-04
I have a workstation in a high traffic area, and would like to restrict access to this workstation to a single user on the domain.  How would I go about doing this?
Question by:netlinger
11 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 12431367
In your domain, create a new global security group, for example "G-LocalLogon". Make the user(s) in question members of this group.
On the machine in question, create a new group, for example "L-LocalLogon". Add the global group you created to this local group.
Go to Administrative Tools, start Local Security Policy.
Go to Local Policies\User Permissions, and edit the "Local Logon" policy: remove the User, Guest, and Power Users accounts (but leave the Administrators and Backup Operators!), and add the "L-LocalLogon" group instead.
This allows you easy administration; if another user needs access to this workstation, you can simply add him to the global security group.
0
 
LVL 5

Expert Comment

by:map000
ID: 12431621
Or you can add a filter using IPsec (if it's a Win 2k/2k3 workstation).
0
 

Author Comment

by:netlinger
ID: 12449134
oBdA,

If I understand your answer, this is a solution to allow a domain member to log on locally to a workstation. I need the person to be able to log on to the domain, and restrict it to just that user.  The workstation is a receptionist desk where everyone comes in at our church; I'm trying to prevent things like one of the other pastors from logging on with their logon and letting their kids play games on that machine... and other misuses of this workstation.

I figured if I could limit the domain logon to just the receptionist and block or deny all others I would have achieved my goal.  Currently no one in our organization except the sys admin can logon locally to a machine.

thank you.
0

 

Author Comment

by:netlinger
ID: 12449140
map000,

could you tell me more about this IPsec filter?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 12449507
Nope, this solution prevents users other than administrators and members of the (domain group!) G_LocalLogon group from logging on to the machine in question.
Local Logon is a privilege any user logging on to any machine must have. On workstations, this permission is granted by default to the local group "Users" (among others). When the machine is joined to a domain, the global group "Domain Users" is automatically added to the local group "Users", and that gives a domain user the right to logon to the machine using the domain account.
Remove the Users group from the Local Logon permissions, and no domain user (except Administrators) will be able to logon to the machine. Again: do NOT remove the Administrators group!
The method I described is the proper way permissions should be granted in an NT domain: "AGLP" - Accounts go into Global groups, global groups go into Local groups, Permissions are assigned to local groups. And, yes, in principle, it would work if you added the user account directly, but assigning permissions this way will pretty soon lead to an administrative nightmare.
0
 
LVL 5

Expert Comment

by:map000
ID: 12461377
can you be more specific?
do you want that user to log on locally or from the network?
0
 

Author Comment

by:netlinger
ID: 12476092
oBdA,

Ok I followed the instructions, created the Global group on the DC
Created the Local Group on the Workstation
Removed power users, users and guests leaving only the Admin and backup operators groups
everything is done, and still my domain members can log this machine on to the network.

map000,
I want to allow only 1 domain member to be able to log on to the network from this workstation.
0
 

Author Comment

by:netlinger
ID: 12476358
oBdA cont.,

I neglected to state that I added the user to the Global DC group and I added this Global group to the Local Group on the workstation.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 12476398
Sorry for asking, but I've seen this happen before: are your domain users members of the Domain Administrators group, or is another group except Domain Admins a member of the local group Administrators on this workstation?
0
 
LVL 5

Expert Comment

by:map000
ID: 12484169
netlinger, thanks for your specification.
oBdA's solution is OK.
At first I thought it was about access from the network.
0
 

Author Comment

by:netlinger
ID: 12574776
I will check on that machine and see.  Some of my machines require domain users to be added to the local administrators group for some software to function correctly.  I will get back to you.

Thanks
0
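The check behind oBdA's last question, as an added example that is not part of the original thread: it expands the nested groups (the "AGLP" chain) that hold the Local Logon right and lists every account that can still log on although it is not meant to. The CHURCH domain, the account names and the memberships are constructed for illustration; on a real machine the memberships would be read from `net localgroup` on the workstation and `net group /domain` on the DC.

```python
# Constructed sample data: the CHURCH domain and the account names are
# hypothetical; the group names are the ones used in the thread.
LOGON_RIGHT_HOLDERS = ["Administrators", "Backup Operators", "L-LocalLogon"]
GROUP_MEMBERS = {
    "Administrators": ["Administrator", "CHURCH\\Domain Admins",
                       "CHURCH\\Domain Users"],   # the nesting oBdA asks about
    "Backup Operators": [],
    "L-LocalLogon": ["CHURCH\\G-LocalLogon"],
    "CHURCH\\G-LocalLogon": ["CHURCH\\receptionist"],
    "CHURCH\\Domain Admins": ["CHURCH\\sysadmin"],
    "CHURCH\\Domain Users": ["CHURCH\\receptionist", "CHURCH\\pastor1",
                             "CHURCH\\sysadmin"],
}
ALLOWED = {"Administrator", "CHURCH\\sysadmin", "CHURCH\\receptionist"}


def effective_accounts(holders, groups):
    """Map every account that ends up with the right to the group chains granting it."""
    granted = {}

    def walk(principal, chain):
        if principal in chain:              # circular nesting: stop
            return
        if principal in groups:             # a group: descend into its members
            for member in groups[principal]:
                walk(member, chain + (principal,))
        else:                               # a user account: record the chain
            granted.setdefault(principal, []).append(" > ".join(chain) or "(direct)")

    for holder in holders:
        walk(holder, ())
    return granted


def unexpected_logons(holders, groups, allowed):
    """Accounts that can log on locally but are not on the allowed list."""
    granted = effective_accounts(holders, groups)
    return {acct: chains for acct, chains in granted.items() if acct not in allowed}


if __name__ == "__main__":
    found = unexpected_logons(LOGON_RIGHT_HOLDERS, GROUP_MEMBERS, ALLOWED)
    for acct, chains in found.items():
        print(f"{acct} can still log on via: {', '.join(chains)}")
```
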
