Solved

group logins going away

Posted on 2006-06-15
6
187 Views
Last Modified: 2010-04-11
We are a site of 1400+ users where most have a domain login for themselves.  There are a few computers that have group logins on our domain.  Needless to say, this is not ideal.  I would like to have a list of varying methods of blocking the group login one by one so that I can choose the method that best seems to suit our needs.
Question by:tedpenner
6 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 16923959
What do you mean by group logins?

Do you mean that a group of people log in to a computer using the same userid?

0
 

Author Comment

by:tedpenner
ID: 16924005
Yes, that is what I mean.
0
 

Expert Comment

by:sgtsarin
ID: 16931914
tedpenner,

Please correct me if I'm wrong, but I believe you've got some 'shared logon accounts' that are being used on multiple PCs on your network, and you would like to slowly deny the use of these shared accounts in different departments/sections of the network.  Please let me know if I do not understand that correctly.

If you access the particular 'shared logon account' in Active Directory Users and Computers, you can restrict the logon to specific PCs (via host name).  This may not be ideal because in order to slowly ratchet down on which PCs can use this account, you would first need to populate that list with all the PCs that currently use the account. Unfortunately you can only specify 8 individual PCs for each user account, which probably isn't sufficient for your 1400 PC network.

If you have a need to block the logon to more than 8 PCs, then (in a roundabout and overly complicated way) you can create a security group, add the list of PCs to that security group, add that security group to an OU, create a GPO that prevents the shared account(s) from logging on to PCs in that group/OU, and then apply that GPO to that OU.

1) Create a security group (we'll call it GroupLogon_Restrict_group)
2) Create a GPO (we'll call it GroupLogon_Restrict_OU)
3) Create a GPO (GroupLogon_Restrict_GPO) by opening the Group Policy Management console, select Group Policy Objects, and right click to select "new".  
4) From the GPMC go to: Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment -> Deny log on locally  and add the shared logon account(s) to the list.
5) Apply this new GPO to the OU you created (GroupLogon_Restrict_OU)
6) For the PCs you want to disallow use with the shared logon account, add them to the security group you created (GroupLogon_Restrict_Group)
7) From the server, remember to enter GPEDIT /FORCE from the command line.

The changes won't take effect until all the PCs reboot, and if you want to force it quickly, you'll want to assign a logon script that runs the "GPEDIT /FORCE" command at boot time for all the PCs on the network you want to affect.

Lastly, as always with GPOs, test it on one or two PCs that you're not worried about before deploying it to the entire network.

0

 

Author Comment

by:tedpenner
ID: 16934258
Yeah, your assessment is correct.  This method however, won't work due to the company policy restrictions in creating OUs and Group Policy.  Can't I just go to each machine and tell Windows, don't allow logins for "specified_domain_login" individually?
0
 

Expert Comment

by:sgtsarin
ID: 16934501
You could do that yes - it would involve similar steps however.  You would be essentially editing the local security policy, rather than a domain wide policy.  

1) Log on to the PC as a local administrator (this may also work as a domain admin)
2) From within Administrative Tools, open 'Local Security Policy'
3) Expand 'Local Policies' --> 'User Rights Assignment' --> 'Deny log on locally' and add the desired groups/user accounts to deny local access to.

You'll want to test this a bit because the setting could become overridden by Domain GPO's of course.

0
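The caveat in the comment above, that a domain GPO can override the local setting, can be checked on the PC itself after a Group Policy refresh. This is an added example, not part of the original thread; the function name and the sample account are hypothetical, and it must be run from an elevated PowerShell prompt.

```powershell
function Test-DenyLogonLocally {
    param(
        # Account to look for, e.g. 'CONTOSO\shared_frontdesk' (constructed sample)
        [Parameter(Mandatory = $true)][string] $Account
    )

    # secedit writes domain accounts as *S-1-5-..., so compare by SID.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
    try {
        # Export only the user rights assignments currently set on this machine.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (run elevated)' }

        # 'Deny log on locally' is stored as SeDenyInteractiveLogonRight.
        $line = Get-Content -Path $cfg |
                Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
                Select-Object -First 1
        if (-not $line) { return $false }   # nobody is denied at all

        $entries = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }

        # Direct entries only: a deny applied through a group the account
        # belongs to is not resolved here.
        return ($entries -contains $sid) -or ($entries -contains $Account)
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Constructed sample call; $true means the deny entry is still in place.
Test-DenyLogonLocally -Account 'CONTOSO\shared_frontdesk'
```

If the result flips back to `$false` after a policy refresh, a domain GPO that defines 'Deny log on locally' has replaced the local entry.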
 
LVL 13

Accepted Solution

by:
prashsax earned 500 total points
ID: 16938032
Ok, one more way of doing this.

Locate the group login id in Active Directory Users and Computers.

Open properties.

Account Tab.

Logon To Button.

Specify the name of the computer where this login id is allowed to log in.

Now, this userid can be used on only one PC whose name is defined in the logon to section.

No need to go to each and every PC and deny the id.

Instead allow it on only one or two machines and by default deny on all without using GP or OU.
0
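The "Log On To" restriction from the accepted answer can also be applied and read back from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed, and the function name, account name and computer name are hypothetical.

```powershell
Import-Module ActiveDirectory

function Set-SharedAccountWorkstations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]   $Account,          # shared logon id
        [Parameter(Mandatory = $true)][string[]] $AllowedComputers  # PCs it may still use
    )

    # Refuse names that do not match a computer object in AD: a typo here
    # would lock the account out of the one PC it is meant to work on.
    $missing = @(foreach ($name in $AllowedComputers) {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'")) { $name }
    })
    if ($missing.Count -gt 0) {
        throw "No computer object found for: $($missing -join ', ')"
    }

    # Show what the 'Log On To' list holds before changing it.
    $user = Get-ADUser -Identity $Account -Properties LogonWorkstations
    Write-Verbose "Current Log On To list: '$($user.LogonWorkstations)'"

    # The list is stored as one comma-separated string of computer names.
    $newList = ($AllowedComputers | Sort-Object -Unique) -join ','
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Restrict Log On To: $newList")) {
        Set-ADUser -Identity $user -LogonWorkstations $newList
    }

    # Read the stored value back so the change can be confirmed.
    Get-ADUser -Identity $user -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# Constructed sample values. -WhatIf previews the change without writing it;
# drop -WhatIf to apply.
Set-SharedAccountWorkstations -Account 'shared_frontdesk' `
    -AllowedComputers 'FRONTDESK-PC01' -Verbose -WhatIf
```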
