Solved

locking an account to a computer

Posted on 2009-07-15
239 Views
Last Modified: 2013-11-05
Hi guys

I'm not sure if I'm in the correct section, but here we go.

Where I work, we are installing 2 computers in the canteen, so people can STRICTLY browse the web and use Microsoft Office. I've created a new OU and created a couple of accounts for these new computers so our proxy policy can be more strict on what users can access. I started to create the group policy when something hit me: the user could just log off the new account and use their own account, and it will be just as open as before.

What I'm asking is, is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?

I did think about disabling logging off, but if the computer needs some admin-ing, that would work.

we are using Windows Server 2003 and Windows XP

There must be a way, surely.

Hope someone can help/advise (and sorry the explanation started to sound like a story a bit).

Kind regards,

Jack Lindsay
Question by:jack-lindsay
10 Comments
 
LVL 9

Accepted Solution

by:
SCCMCanuck earned 175 total points
ID: 24860889
Hey Jack,

Give the following a try:

1. Create a Group Policy in the domain.
2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Edit "Allow log on locally" to contain the groups/users you want to be able to log on.
4. Close the GP, and apply it to an OU containing the computers you want to secure.

Let me know how you make out :)
0
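The two User Rights Assignment entries the accepted answer describes, pushed to a single workstation with secedit so they can be prototyped on the test PC before being copied into the GPO linked to the canteen OU. This is an added example, not code from the thread; the domain name CONTOSO, the accounts canteen1 and canteen2, and the group names are assumptions. On a domain member the GPO overwrites these local values at the next policy refresh, which is what you want once the GPO carries the same lists. Run it from an elevated Windows PowerShell 3.0 or later prompt.

```powershell
# Added example (not from the thread): write "Allow log on locally" and
# "Deny log on locally" to ONE workstation through a secedit template.
# [Privilege Rights] is the same section a GPO's GptTmpl.inf uses, so the
# values can be moved into the GPO unchanged. Names below are assumptions.
# Run elevated.
param(
    # Everyone NOT in this list loses interactive logon: an explicit Allow
    # list replaces the default (Users, Administrators, Backup Operators...).
    [string[]]$Allow = @('BUILTIN\Administrators', 'CONTOSO\Domain Admins',
                         'CONTOSO\canteen1', 'CONTOSO\canteen2'),
    # Deny beats Allow. Leave empty unless you have a dedicated group;
    # 'Domain Users' here would also deny canteen1 and canteen2 themselves.
    [string[]]$Deny = @()
)

function ConvertTo-Sid([string]$Account) {
    # secedit accepts names too, but SIDs survive renames and leave no
    # ambiguity if the template is reused on another machine.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Format-SidList([string[]]$Sids) {
    # secedit syntax: *S-1-5-32-544,*S-1-5-21-...   An empty value is
    # "defined, no entries", the on-disk form of "Define but no entries".
    ($Sids | ForEach-Object { "*$_" }) -join ','
}

function New-UserRightsTemplate([string[]]$Allow, [string[]]$Deny) {
    $adminSid  = 'S-1-5-32-544'                       # BUILTIN\Administrators
    $allowSids = @($Allow | ForEach-Object { ConvertTo-Sid $_ })
    $denySids  = @($Deny  | ForEach-Object { ConvertTo-Sid $_ })
    # Lockout guard: never ship a template that keeps administrators off the box.
    if ($allowSids -notcontains $adminSid) { throw 'Administrators missing from the Allow list' }
    if ($denySids  -contains    $adminSid) { throw 'Administrators present in the Deny list' }
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $(Format-SidList $allowSids)
SeDenyInteractiveLogonRight = $(Format-SidList $denySids)
"@
}

$inf = Join-Path $env:TEMP 'canteen-logon.inf'
$db  = Join-Path $env:TEMP 'canteen-logon.sdb'
New-UserRightsTemplate $Allow $Deny | Set-Content -Path $inf -Encoding Unicode
# USER_RIGHTS limits the import to privilege rights; nothing else in the
# local security database is touched.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
Remove-Item $inf, $db -ErrorAction SilentlyContinue
```

The guard matters more than it looks: the Allow list is a whitelist, so forgetting Administrators (or nesting them into a denied group) leaves a machine nobody can log on to at the console, and the GPO version of the same mistake does it to every computer in the OU at once.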
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 75 total points
ID: 24861140
Actually, all you have to do is, in ADUC, go to the user's "Account" tab and click "Log on to".

Then add the computers that these accounts can only log on to.

[attachment: logonto.bmp]
0
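The "Log on To" dialog on the Account tab writes the userWorkstations attribute, which the ActiveDirectory module exposes on Set-ADUser as -LogonWorkstations. Below is an added example, not code from the thread, that sets it for the two canteen accounts and then audits the canteen OU; the user names, computer names and OU path are assumptions. Two caveats the dialog does not spell out: the value is a comma-separated list of NetBIOS computer names, and it constrains only the accounts it is set on. Every other domain user can still log on to the canteen PCs, so this complements the user-rights restriction rather than replacing it.

```powershell
# Added example (not from the thread): set and audit the "Log on To"
# restriction (userWorkstations / -LogonWorkstations). Requires RSAT's
# ActiveDirectory module. All names are assumptions.
Import-Module ActiveDirectory

$canteenPCs   = 'CANTEEN-PC1', 'CANTEEN-PC2'      # NetBIOS names, no spaces
$canteenUsers = 'canteen1', 'canteen2'
$canteenOU    = 'OU=Canteen,DC=contoso,DC=com'

foreach ($u in $canteenUsers) {
    # The DC refuses a logon from any workstation not in this list.
    Set-ADUser -Identity $u -LogonWorkstations ($canteenPCs -join ',')
}

# Read it back: this is the value the DC enforces at logon time.
Get-ADUser -SearchBase $canteenOU -Filter * -Properties LogonWorkstations |
    Select-Object SamAccountName, Enabled, LogonWorkstations

# Audit: an empty LogonWorkstations means "all computers". Any account in
# the canteen OU without the restriction is one that can walk out of the box.
function Get-UnrestrictedCanteenUsers([string]$SearchBase = $canteenOU) {
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations }
}

Get-UnrestrictedCanteenUsers | ForEach-Object {
    Write-Warning "$($_.SamAccountName) is not restricted to any workstation"
}
```

Note that the list is matched against the computer name the workstation presents at logon; renaming a canteen PC silently breaks the restriction for that PC until the attribute is updated.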
 
LVL 9

Assisted Solution

by:SCCMCanuck
SCCMCanuck earned 175 total points
ID: 24861213
Hey dstewartjr:

I was considering that as a possible solution; however, I don't understand how that would restrict others from logging into the machine, as you are not creating a deny list. My understanding is that by setting the GPO setting, it's actually acting as an override, denying authenticated users from logging in and only allowing those in the list.

Does the "log on to" option do this same thing? If it does, then that's awesome; it will make this easier for me to configure in the future, as I have been using the GPO method.

Thanks
LVL 47

Expert Comment

by:Donald Stewart
ID: 24861672
Looks like I only answered this part: "is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?"
I believe you will also need to define these settings as well.

Enable the following settings:
Deny log on locally - Define but no entries.
Deny log on through Terminal Services - Define but no entries.
LVL 41

Expert Comment

by:graye
ID: 24862360
I think the easiest way would be to create a Security Group that contained only the accounts that you do NOT want to be able to log into those PCs. This might be tricky, as nested groups might end up including admin accounts, etc.
Then you'd use the Deny Logon Locally feature with that group.
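The nesting trap graye mentions is easy to check before the group goes into "Deny log on locally": expand the deny group's membership recursively and intersect it with the administrative groups. This is an added example, not code from the thread; the group name Canteen-DenyLogon is an assumption, and it needs the ActiveDirectory module.

```powershell
# Added example (not from the thread): refuse to use a deny group that,
# through nesting, contains any administrative account. Group names are
# assumptions. Requires RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DenyGroupSafe {
    param(
        [string]$DenyGroup = 'Canteen-DenyLogon',
        [string[]]$Protected = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    # -Recursive flattens nested groups, which is exactly where the
    # surprises hide; only user objects matter for a logon right.
    $denied = Get-ADGroupMember -Identity $DenyGroup -Recursive |
              Where-Object objectClass -eq 'user' |
              Select-Object -ExpandProperty distinguishedName

    $hits = foreach ($g in $Protected) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $denied -contains $_.distinguishedName } |
            ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; Via = $g } }
    }

    if ($hits) {
        Write-Warning "$DenyGroup would deny logon to administrators:"
        $hits | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

if (-not (Test-DenyGroupSafe)) { exit 1 }
```

Run it again whenever the deny group's membership changes; Deny takes precedence over Allow, so a single nested admin group is enough to lock the console on every computer the GPO reaches.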
Author Comment

by:jack-lindsay
ID: 24863325
Thanks for all the replies. I'll try this out when I'm back at the office, and I'll let you know which way works.

Thanks again,

Jack
Author Comment

by:jack-lindsay
ID: 24867647
Hi guys,

Right then.

I've done the bit with the ADUC accounts.
Where I'm having problems is denying other accounts the ability to log on.

Here's what I've done, in User Rights Management:
Allow local logon - admin account
Allow log on through TS - Domain Admins only

Deny local logon - domain\test1 (a test group I made in another OU)
Deny logon as a service - domain\test1
Deny logon through Terminal Services - domain\test1

But I can still log on to the machine with the "test" account. I've done countless restarts. Am I missing something here? I would have thought that with all those settings configured, at least the test account wouldn't log in.

Please advise.

Regards,

Jack
LVL 41

Expert Comment

by:graye
ID: 24868423
Hmmm... that should have done it.
I'd recommend that you check everything again... particularly the contents of your test1 group.
Author Comment

by:jack-lindsay
ID: 24868612
I think I've sussed it out.

These computers are wireless, so they weren't pulling down the computer configuration before the interactive logon bit. I had to physically connect it, and now it works. Bit of a pain, but oh well.

If you know a way I can set it to pull down that part of the GP before the interactive logon, that would be very helpful; otherwise I will just have to leave it as it is. It still works as I want it to. It's just that if I have to change anything in the computer config, I have to hardwire it to pull the update down.

Thanks for all your help.

Regards,

Jack
LVL 9

Expert Comment

by:SCCMCanuck
ID: 24873485
Hey Jack you could try configuring the following:

Computer Config -> Admin Templates -> System -> Group Policy -> User Group Policy Loopback Processing Mode.

Set it to enabled and merge.

Run a gpupdate /force and restart the computers in question. This should force the computer based policy to execute on user logon.
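Whatever policy-processing option is used, the question that settles a case like Jack's is whether the computer-side rights actually reached the workstation. The added example below (not code from the thread) exports the local security database with secedit, resolves the SIDs in the four logon rights back to account names, and lists the GPOs the computer side received. Run it elevated on the canteen PC itself; nothing in it is specific to the thread's domain.

```powershell
# Added example (not from the thread): show what this workstation has
# ACTUALLY applied for the logon rights, so "it is set in the GPO" and
# "it is on the box" can be told apart. Run elevated.

function Get-LogonRights {
    $cfg = Join-Path $env:TEMP 'rights-export.inf'
    # The export reflects the effective local database, i.e. after GPO
    # processing; USER_RIGHTS keeps the file to the privilege rights.
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $lines = Get-Content -Path $cfg -Encoding Unicode      # secedit writes UTF-16
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $wanted = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
              'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($name in $wanted) {
        $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
        $accounts = @()
        if ($line) {
            $raw = ($line -split '=', 2)[1].Trim()
            $accounts = @($raw -split ',' | Where-Object { $_ } | ForEach-Object {
                $id = $_.Trim()
                if (-not $id.StartsWith('*')) { return $id }         # already a name
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $id }   # orphaned SID, or no DC reachable to resolve a domain SID
            })
        }
        # Defined=$false: the right is absent from the local database entirely.
        # Defined=$true with no accounts: "defined, no entries".
        [pscustomobject]@{
            Right    = $name
            Defined  = [bool]$line
            Accounts = ($accounts -join ', ')
        }
    }
}

Get-LogonRights | Format-Table -AutoSize -Wrap

# GPOs the computer side actually received. If the canteen GPO is missing
# here, the rights above came from somewhere else (or were never changed).
gpresult /scope computer /v
```

If SeInteractiveLogonRight still shows the default Users group after a reboot on wireless, the computer policy was not processed at startup because the network was not up yet; the policy "Always wait for the network at computer startup and logon" (Computer Configuration, Administrative Templates, System, Logon) exists for exactly that case. On Vista and later, gpresult /r /scope computer gives the shorter summary.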