Solved

group logins going away

Posted on 2006-06-15
184 Views
Last Modified: 2010-04-11
We are a site of 1400+ users where most have a domain login for themselves.  There are a few computers that have group logins on our domain.  Needless to say, this is not ideal.  I would like to have a list of varying methods of blocking the group login one by one so that I can choose the method that best seems to suit our needs.
Question by:tedpenner
6 Comments
 
LVL 13

Expert Comment

by:prashsax
What do you mean by group logins?

Do you mean that a group of people log in to a computer using the same user ID?

 

Author Comment

by:tedpenner
Yes, that is what I mean.
 

Expert Comment

by:sgtsarin
tedpenner,

Please correct me if I'm wrong, but I believe you've got some 'shared logon accounts' that are being used on multiple PCs on your network, and you would like to slowly deny the use of these shared accounts in different departments/sections of the network.  Please let me know if I do not understand that correctly.

If you access the particular 'shared logon account' in Active Directory Users and Computers, you can restrict the logon to specific PCs (via host name).  This may not be ideal because in order to slowly ratchet down on which PCs can use this account, you would first need to populate that list with all the PCs that currently use the account - unfortunately you can only specify 8 individual PCs for each user account, which probably isn't sufficient for your 1400 PC network.

If you have a need to block the logon to more than 8 PCs, then (in a roundabout and overly complicated way) you can create a security group, add the list of PCs to that security group, add that security group to an OU, create a GPO that prevents the shared account(s) from logging on to PCs in that group/OU, and then apply that GPO to that OU.

1) Create a security group (we'll call it GroupLogon_Restrict_Group)
2) Create an OU (we'll call it GroupLogon_Restrict_OU)
3) Create a GPO (GroupLogon_Restrict_GPO) by opening the Group Policy Management console, selecting Group Policy Objects, and right-clicking to select "New".
4) From the GPMC go to: Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment -> Deny log on locally, and add the shared logon account(s) to the list.
5) Apply this new GPO to the OU you created (GroupLogon_Restrict_OU)
6) For the PCs you want to disallow use with the shared logon account, add them to the security group you created (GroupLogon_Restrict_Group)
7) From the server, remember to enter GPEDIT /FORCE from the command line.

The changes won't take effect until all the PCs reboot - and if you want to force it quickly, you'll want to assign a logon script that runs the "GPEDIT /FORCE" command at boot time for all the PCs on the network you want to affect.

Lastly - as always with GPOs - test it on one or two PCs that you're not worried about before deploying it to the entire network.


 

Author Comment

by:tedpenner
Yeah, your assessment is correct.  This method, however, won't work due to the company policy restrictions on creating OUs and Group Policy.  Can't I just go to each machine and tell Windows not to allow logins for "specified_domain_login" individually?
 

Expert Comment

by:sgtsarin
You could do that, yes - it would involve similar steps, however.  You would essentially be editing the local security policy rather than a domain-wide policy.

1) Log on to the PC as a local administrator (this may also work as a domain admin)
2) From within Administrative Tools, open 'Local Security Policy'
3) Expand 'Local Policies' --> 'User Rights Assignment' --> 'Deny log on locally' and add the desired groups/user accounts to deny local access to.

You'll want to test this a bit because the setting could, of course, be overridden by domain GPOs.

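The two answers above set the same user right, "Deny log on locally" (internally SeDenyInteractiveLogonRight), once through a domain GPO and once through Local Security Policy. The script below is an added example, not code from the thread, and shows the scriptable form of the local variant using secedit, which exports the current user-rights assignments, appends the account's SID, re-imports the template and re-exports to verify. The account name is a placeholder; run it elevated on the PC being changed. Two caveats worth knowing before relying on it: a domain GPO that also defines this right replaces the local list on the next policy refresh (the refresh command on Windows XP/2003 and later is gpupdate /force), so check the resultant policy on a test machine as both answers advise; and the right denies interactive logon only, so a shared account that is also used for network access (for example, to a share) needs "Deny access to this computer from the network" (SeDenyNetworkLogonRight) handled the same way.

```powershell
# Added example: deny a (shared) account interactive logon on this PC by
# editing SeDenyInteractiveLogonRight with secedit. Not from the thread.
# Assumes an elevated prompt; $Account is a placeholder such as 'CONTOSO\shared_login'.
param(
    [Parameter(Mandatory)]
    [string]$Account
)

$key  = 'SeDenyInteractiveLogonRight'
$work = Join-Path $env:TEMP 'deny-logon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

# secedit templates store principals as SIDs prefixed with '*', so resolve the name first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Export only the user-rights area of the current local policy (file is UTF-16).
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with code $LASTEXITCODE" }

# 2. Append the SID to the existing right, or add the line under [Privilege Rights].
$lines = @(Get-Content -Path $cfg)
$match = $lines | Select-String -Pattern "^\s*$key\s*=" | Select-Object -First 1
if ($match) {
    $idx     = $match.LineNumber - 1
    $current = ($lines[$idx] -split '=', 2)[1].Trim()
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains "*$sid") {
        Write-Host "$Account is already denied interactive logon on this PC."
        return
    }
    $entries += "*$sid"
    $lines[$idx] = "$key = " + ($entries -join ',')
} else {
    $sec = [array]::IndexOf($lines, '[Privilege Rights]')
    if ($sec -lt 0) { throw 'Unexpected template: no [Privilege Rights] section.' }
    $lines = $lines[0..$sec] + "$key = *$sid" + $lines[($sec + 1)..($lines.Count - 1)]
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# 3. Apply the edited template to the local policy, touching only user rights.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed with code $LASTEXITCODE" }

# 4. Verify by re-exporting and printing the resulting assignment line.
$check = Join-Path $work 'verify.inf'
secedit /export /cfg $check /areas USER_RIGHTS | Out-Null
Select-String -Path $check -Pattern "^\s*$key\s*=" | ForEach-Object { $_.Line }
```

To see what actually wins after domain policy is applied, run `gpresult /scope computer /v` on the test PC and look for the user-rights section; if the right is listed from a domain GPO, the local list shown by the script is not in effect.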
 
LVL 13

Accepted Solution

by:
prashsax earned 500 total points
OK, one more way of doing this.

Locate the group login ID in Active Directory Users and Computers.

Open Properties.

Account tab.

"Log On To" button.

Specify the name of the computer where this login ID is allowed to log in.

Now, this user ID can be used only on the one PC whose name is defined in the "Log On To" section.

No need to go to each and every PC and deny the ID.

Instead, allow it on only one or two machines and by default deny it on all others, without using GP or an OU.
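The "Log On To" setting in the accepted solution is stored on the user object as the userWorkstations attribute (exposed as LogonWorkstations by the ActiveDirectory PowerShell module), so the same change can be made and audited from a script. The block below is an added example and not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed and that 'shared_login', 'PC01' and 'PC02' are placeholder names. Because a mistyped computer name would lock the shared account out of the one PC it is meant for, it checks each name against an existing computer object before writing the attribute, and it shows the value before and after so the change is visible in the change record.

```powershell
# Added example: restrict a shared domain account to named workstations via the
# "Log On To" attribute (userWorkstations / LogonWorkstations). Not from the thread.
# Assumes the ActiveDirectory module; account and PC names below are placeholders.
Import-Module ActiveDirectory

$account = 'shared_login'        # placeholder sAMAccountName of the shared login
$allowed = @('PC01', 'PC02')     # placeholder NetBIOS computer names (no domain suffix)

# An empty LogonWorkstations value means the account may log on to every computer.
$before = Get-ADUser -Identity $account -Properties LogonWorkstations
"Before: '{0}'" -f $before.LogonWorkstations

# Keep only names that exist as computer objects, so a typo cannot strand the account.
$verified = @(foreach ($pc in $allowed) {
    if (Get-ADComputer -Filter "Name -eq '$pc'") { $pc }
    else { Write-Warning "No computer object named '$pc'; skipping it." }
})
if ($verified.Count -eq 0) {
    throw 'No valid workstation names were given; the account was left unchanged.'
}

# The attribute is a single comma-separated string of computer names.
Set-ADUser -Identity $account -LogonWorkstations ($verified -join ',')

$after = Get-ADUser -Identity $account -Properties LogonWorkstations
"After:  '{0}'" -f $after.LogonWorkstations

# To list every account in the domain that still has no restriction (the audit
# side of this thread), uncomment the next line:
# Get-ADUser -Filter * -Properties LogonWorkstations | Where-Object { -not $_.LogonWorkstations } | Select-Object SamAccountName

# To undo and allow every computer again, clear the attribute:
# Set-ADUser -Identity $account -Clear userWorkstations
```

The restriction is enforced by the domain controller at authentication time rather than by a policy on each PC, which is why, unlike the deny-logon-locally approaches, it needs no policy refresh or reboot on the workstations.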