group logins going away

We are a site of 1400+ users where most have a domain login for themselves.  There are a few computers that have group logins on our domain.  Needless to say, this is not ideal.  I would like to have a list of varying methods of blocking the group login one by one so that I can choose the method that best seems to suit our needs.
Asked:
tedpenner

prashsax commented:
What do you mean by group logins?

Do you mean that a group of people log in to a computer using the same user ID?

 
tedpenner (Author) commented:
Yes, that is what I mean.
 
sgtsarin commented:
tedpenner,

Please correct me if I'm wrong, but I believe you've got some 'shared logon accounts' that are being used on multiple PCs on your network, and you would like to slowly deny the use of these shared accounts in different departments/sections of the network.  Please let me know if I do not understand that correctly.

If you access the particular 'shared logon account' in Active Directory Users and Computers, you can restrict the logon to specific PCs (via host name).  This may not be ideal because in order to slowly ratchet down on which PCs can use this account, you would first need to populate that list with all the PCs that currently use the account - Unfortunately you can only specify 8 individual PCs for each user account, which probably isn't sufficient for your 1400 PC network.

If you have a need to block the logon to more than 8 PCs, then (in a roundabout and overly complicated way) you can create a security group, add the list of PCs to that security group, add that security group to an OU, create a GPO that prevents the shared account(s) from logging on to PCs in that group/OU, and then apply that GPO to that OU.

1) Create a security group (we'll call it GroupLogon_Restrict_group)
2) Create a GPO (we'll call it GroupLogon_Restrict_OU)
3) Create a GPO (GroupLogon_Restrict_GPO) by opening the Group Policy Management console, select Group Policy Objects, and right click to select "new".
4) From the GPMC go to: Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment -> Deny log on locally  and add the shared logon account(s) to the list.
5) Apply this new GPO to the OU you created (GroupLogon_Restrict_OU)
6) For the PC's you want to disallow use with the shared logon account, add them to the security group you created (GroupLogon_Restrict_Group)
7) From the server, remember to enter GPEDIT /FORCE from the command line.

The changes won't take effect until all the PCs reboot - and if you want to force it quickly, you'll want to assign a logon script that runs the "GPEDIT /FORCE" command at boot time for all the PCs on the network you want to affect.

Lastly - as always with GPOs - test it on one or two PCs that you're not worried about before deploying it to the entire network.

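The answer above points out that before you can ratchet the restriction down you need to know which PCs actually use the shared account. The following PowerShell script is an added example (not from this thread) that builds that inventory from the Security log of each listed PC, keeping only interactive, RDP and cached-console logons (event 4624, logon types 2, 10, 11); the account name and computer names are placeholders, and reading remote Security logs requires the appropriate rights.

```powershell
# Added example: inventory interactive logons by a shared domain account.
# $SharedAccount and $Computers are placeholders; feed $Computers from Get-ADComputer in practice.
$SharedAccount = 'CORP\lab-shared'        # placeholder: DOMAIN\sAMAccountName of the shared login
$Computers     = 'PC-LAB01','PC-LAB02'    # placeholder: PCs to inspect
$Since         = (Get-Date).AddDays(-30)

$domain, $sam = $SharedAccount -split '\\', 2

function Get-SharedAccountLogons {
    param([string]$ComputerName, [string]$Domain, [string]$Sam, [datetime]$StartTime)
    # 4624 = successful logon. Deny log on locally affects types 2/11; RDP (10) needs the separate
    # "Deny log on through Remote Desktop Services" right, so it is worth counting here too.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"   # unreachable PC or no matching events
        return
    }
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne $Sam -or $d.TargetDomainName -ne $Domain) { continue }
        if ($d.LogonType -notin '2','10','11') { continue }   # 2=console, 10=RDP, 11=cached console
        [pscustomobject]@{
            Computer  = $ComputerName
            Time      = $e.TimeCreated
            LogonType = $d.LogonType
            Source    = $d.IpAddress
        }
    }
}

$hits = foreach ($c in $Computers) {
    Get-SharedAccountLogons -ComputerName $c -Domain $domain -Sam $sam -StartTime $Since
}

# One row per PC: how often the shared account was used there and when it was last seen
$hits | Group-Object Computer | Sort-Object Count -Descending |
    Select-Object @{n='Computer';e={$_.Name}}, Count,
                  @{n='LastLogon';e={($_.Group | Sort-Object Time -Descending)[0].Time}} |
    Format-Table -AutoSize
```

The resulting list is what you would drop into the security group from step 6, and PCs that show no logons in the window can be restricted first with little risk.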
tedpenner (Author) commented:
Yeah, your assessment is correct.  This method, however, won't work due to the company policy restrictions on creating OUs and Group Policy.  Can't I just go to each machine and tell Windows, don't allow logins for "specified_domain_login" individually?
 
sgtsarin commented:
You could do that, yes - it would involve similar steps however.  You would essentially be editing the local security policy, rather than a domain-wide policy.

1) Log on to the PC as a local administrator (this may also work as a domain admin)
2) From within Administrative Tools, open 'Local Security Policy'
3) Expand 'Local Policies' --> 'User Rights Assignment' --> 'Deny log on locally' and add the desired groups/user accounts to deny local access to.

You'll want to test this a bit because the setting could become overridden by Domain GPO's of course.

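Doing the three steps above by hand on many PCs is tedious, so here is an added PowerShell example (not from this thread) that applies the same local "Deny log on locally" setting with secedit, preserving whatever is already in the list, and then reads the effective setting back so you can verify it. The account name is a placeholder; run it elevated on the PC in question.

```powershell
# Added example: add a shared account to the local "Deny log on locally" right via secedit.
# $DenyAccount is a placeholder. Run from an elevated PowerShell on the target PC.
$DenyAccount = 'CORP\lab-shared'   # placeholder: DOMAIN\sAMAccountName of the shared login
$work = Join-Path $env:TEMP 'urights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'deny.inf'
$db  = Join-Path $work 'deny.sdb'

# Resolve the account to a SID; secedit INF files list principals as *SID
$sid = (New-Object System.Security.Principal.NTAccount($DenyAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-DenyLocalLogon {
    # Export only the user-rights area and return the current SeDenyInteractiveLogonRight entries
    $tmp = Join-Path $work 'current.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    if (-not $line) { return @() }
    $entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    return @($entries)
}

$current = Get-DenyLocalLogon
if (@($current) -contains "*$sid") {
    Write-Host "$DenyAccount is already in Deny log on locally"
} else {
    # secedit replaces the whole list, so carry the existing entries over (note the @() so a
    # single existing entry is treated as an array, not concatenated as a string)
    $list = (@($current) + "*$sid") -join ','
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $list
"@ | Set-Content -Path $inf -Encoding Unicode
    # /areas USER_RIGHTS limits the apply to user rights; nothing else in the INF is touched
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

# Verify. As the answer notes, a domain GPO that defines this right will overwrite the local
# value on the next refresh; this right also does not cover RDP, which has its own "Deny" right.
Get-DenyLocalLogon
```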
 
prashsax commented:
Ok, one more way of doing this.

Locate the group login ID in Active Directory Users and Computers.

Open properties.

Account Tab.

Logon To Button.

Specify the name of computer where this login id is allowed to login.

Now, this user ID can be used on only one PC, whose name is defined in the Logon To section.

No need to go to each and every PC and deny the ID.

Instead, allow it on only one or two machines and by default deny it on all others, without using GP or an OU.
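The "Logon To" button edits the account's LogonWorkstations (userWorkstations) attribute, so the same restriction can be set and checked from the ActiveDirectory PowerShell module instead of clicking through each account. This is an added example, not from this thread; it assumes RSAT is installed, and the account and PC names are placeholders. It validates each PC against the domain first, because a mistyped name in an allow list silently locks the account out of that machine.

```powershell
# Added example: restrict a shared account to named PCs via the LogonWorkstations attribute.
# $SharedSam and $AllowedPCs are placeholders; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$SharedSam  = 'lab-shared'               # placeholder: sAMAccountName of the shared login
$AllowedPCs = 'PC-LAB01','PC-LAB02'      # placeholder: NetBIOS names of PCs that may use it

function Set-SharedAccountWorkstations {
    param([string]$Sam, [string[]]$Computers)
    # Only accept computers that exist in the domain, so a typo cannot lock the account out
    $valid = foreach ($c in $Computers) {
        if (Get-ADComputer -Filter "Name -eq '$c'") { $c } else { Write-Warning "Unknown computer: $c" }
    }
    if (-not $valid) { throw 'No valid computers given; refusing to write an empty allow list' }
    # The attribute is one comma-separated string of NetBIOS names
    Set-ADUser -Identity $Sam -LogonWorkstations ($valid -join ',')
    # Return what was actually stored so the caller can confirm it
    (Get-ADUser -Identity $Sam -Properties LogonWorkstations).LogonWorkstations
}

function Test-SharedAccountWorkstation {
    # Mirrors the domain controller's rule: an empty list means "any computer",
    # otherwise the PC must appear in the list
    param([string]$Sam, [string]$ComputerName)
    $list = (Get-ADUser -Identity $Sam -Properties LogonWorkstations).LogonWorkstations
    if ([string]::IsNullOrEmpty($list)) { return $true }
    return (($list -split ',') | ForEach-Object { $_.Trim() }) -contains $ComputerName
}

Set-SharedAccountWorkstations -Sam $SharedSam -Computers $AllowedPCs
# Spot-check one allowed PC and one that is not on the list
Test-SharedAccountWorkstation -Sam $SharedSam -ComputerName 'PC-LAB01'
Test-SharedAccountWorkstation -Sam $SharedSam -ComputerName 'PC-LAB03'
```

Clearing the restriction again is a matter of setting LogonWorkstations to $null, which returns the account to "all computers".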