Solved

group logins going away

Posted on 2006-06-15
Last Modified: 2010-04-11
We are a site of 1400+ users where most have a domain login for themselves.  There are a few computers that have group logins on our domain.  Needless to say, this is not ideal.  I would like to have a list of varying methods of blocking the group login one by one so that I can choose the method that best seems to suit our needs.
Question by: tedpenner
Expert Comment by: prashsax (ID: 16923959)
What do you mean by group logins?

Do you mean that a group of people log in to a computer using the same user ID?

Author Comment by: tedpenner (ID: 16924005)
Yes, that is what I mean.
Expert Comment by: sgtsarin (ID: 16931914)
tedpenner,

Please correct me if I'm wrong, but I believe you've got some 'shared logon accounts' that are being used on multiple PCs on your network, and you would like to slowly deny the use of these shared accounts in different departments/sections of the network.  Please let me know if I do not understand that correctly.

If you access the particular 'shared logon account' in Active Directory Users and Computers, you can restrict the logon to specific PCs (via host name).  This may not be ideal because in order to slowly ratchet down on which PCs can use this account, you would first need to populate that list with all the PCs that currently use the account - unfortunately you can only specify 8 individual PCs for each user account, which probably isn't sufficient for your 1400-PC network.

If you have a need to block the logon to more than 8 PCs, then (in a roundabout and overly complicated way) you can create a security group, add the list of PCs to that security group, add that security group to an OU, create a GPO that prevents the shared account(s) from logging on to PCs in that group/OU, and then apply that GPO to that OU.

1) Create a security group (we'll call it GroupLogon_Restrict_group)
2) Create a GPO (we'll call it GroupLogon_Restrict_OU)
3) Create a GPO (GroupLogon_Restrict_GPO) by opening the Group Policy Management console, select Group Policy Objects, and right click to select "new".
4) From the GPMC go to: Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment -> Deny log on locally, and add the shared logon account(s) to the list.
5) Apply this new GPO to the OU you created (GroupLogon_Restrict_OU)
6) For the PCs you want to disallow use with the shared logon account, add them to the security group you created (GroupLogon_Restrict_Group)
7) From the server, remember to enter GPEDIT /FORCE from the command line.

The changes won't take effect until all the PCs reboot - and if you want to force it quickly, you'll want to assign a logon script that runs the "GPEDIT /FORCE" command at boot time for all the PCs on the network you want to affect.

Lastly - as always with GPOs - test it on one or two PCs that you're not worried about before deploying it to the entire network.


Author Comment by: tedpenner (ID: 16934258)
Yeah, your assessment is correct.  This method, however, won't work due to the company policy restrictions on creating OUs and Group Policy.  Can't I just go to each machine and tell Windows, don't allow logins for "specified_domain_login", individually?
Expert Comment by: sgtsarin (ID: 16934501)
You could do that, yes - it would involve similar steps, however.  You would essentially be editing the local security policy rather than a domain-wide policy.

1) Log on to the PC as a local administrator (this may also work as a domain admin)
2) From within Administrative Tools, open 'Local Security Policy'
3) Expand 'Local Policies' --> 'User Rights Assignment' --> 'Deny log on locally' and add the desired groups/user accounts to deny local access to.

You'll want to test this a bit because the setting could become overridden by domain GPOs, of course.
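The local-policy steps above can be scripted with secedit, which is the command-line side of the Local Security Policy console. This is an added example, not from the thread; it assumes an elevated PowerShell session on the target PC, and `CONTOSO\shared_lab` is a placeholder for the shared logon account.

```powershell
# Added example, not from the thread: add a shared domain account to the local
# "Deny log on locally" right (SeDenyInteractiveLogonRight) with secedit.
# Assumptions: elevated PowerShell on the target PC; the account name is a placeholder.
$SharedAccount = 'CONTOSO\shared_lab'   # placeholder: the shared logon account to deny

# Store the SID rather than the name so the entry survives renames and cached logons
$nt  = New-Object System.Security.Principal.NTAccount($SharedAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$work = Join-Path $env:TEMP 'denylogon'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Export the current user rights so accounts already in the deny list are kept;
# secedit /configure replaces the whole list for any right named in the .inf
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS | Out-Null
$line = Get-Content "$work\current.inf" |
        Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
$existing = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }

$entry = "*$sid"   # secedit writes SIDs with a leading asterisk
$current = ($existing -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
if (-not $current) { $value = $entry }
elseif ($current -contains $entry) { $value = $existing }   # already denied, keep as is
else { $value = "$existing,$entry" }

# Minimal security template covering only the one right we want to set
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = __VALUE__
'@ -replace '__VALUE__', $value
$inf | Set-Content "$work\deny.inf" -Encoding Unicode

# Apply only the user-rights area into a fresh database, then re-export to verify
secedit /configure /db "$work\deny.sdb" /cfg "$work\deny.inf" /areas USER_RIGHTS | Out-Null
secedit /export /cfg "$work\after.inf" /areas USER_RIGHTS | Out-Null
Get-Content "$work\after.inf" | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
```

A domain GPO that defines the same right replaces the local list on the next refresh, so after `gpupdate /force` check the effective setting with `gpresult /h report.html` rather than trusting the local template alone.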

Accepted Solution by: prashsax (earned 500 total points, ID: 16938032)
OK, one more way of doing this.

Locate the group login ID in Active Directory Users and Computers.

Open Properties.

Account tab.

Log On To button.

Specify the name of the computer where this login ID is allowed to log in.

Now this user ID can be used on only one PC, whose name is defined in the Log On To section.

No need to go to each and every PC and deny the ID.

Instead, allow it on only one or two machines and by default deny it on all others, without using GP or OUs.
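The Log On To dialog writes a comma-separated list of computer names into the account's userWorkstations attribute, which the ActiveDirectory PowerShell module exposes as LogonWorkstations. The following is an added example, not from the thread; it assumes the RSAT ActiveDirectory module is installed, the session runs as an account allowed to edit the user, and `shared_lab`, `LAB-PC01` and `LAB-PC02` are placeholders.

```powershell
# Added example, not from the thread: restrict a shared domain account to a short
# list of workstations, the same change the "Log On To" dialog makes.
# Assumptions: RSAT ActiveDirectory module; account and computer names are placeholders.
Import-Module ActiveDirectory

function Restrict-SharedLogon {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $AllowedComputers
    )
    # Only accept names that exist as computer objects; a typo here would lock the
    # account out of the PC it is meant to keep working on.
    $verified = foreach ($name in $AllowedComputers) {
        $c = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($c) { $c.Name } else { Write-Warning "No computer object named $name; skipped" }
    }
    if (-not $verified) { throw "No valid computers supplied; $SamAccountName left unchanged" }

    $before = (Get-ADUser $SamAccountName -Properties LogonWorkstations).LogonWorkstations

    # The attribute is one comma-separated string of NetBIOS names; an empty value
    # means "all computers", which is the state the thread is trying to leave behind.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($verified -join ',')

    $after = (Get-ADUser $SamAccountName -Properties LogonWorkstations).LogonWorkstations
    [pscustomobject]@{ Account = $SamAccountName; Before = $before; After = $after }
}

# Placeholder values: the shared account and the one or two PCs that may still use it.
# To undo: Set-ADUser -Identity shared_lab -Clear userWorkstations
Restrict-SharedLogon -SamAccountName 'shared_lab' -AllowedComputers @('LAB-PC01','LAB-PC02') |
    Format-List
```

The restriction is enforced by the domain controller at logon, so it applies on the next logon attempt from any other machine without touching the workstations themselves.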