Solved

locking an account to a computer

Posted on 2009-07-15
Last Modified: 2013-11-05
Hi guys,

I'm not sure if I'm in the correct section, but here we go.

Where I work, we are installing 2 computers in the canteen, so people can STRICTLY browse the web and use Microsoft Office. I've created a new OU and created a couple of accounts for these new computers so our proxy policy can be more strict on what users can access. I started to create the group policy when something hit me: the user could just log off the new account and use their own account, and it will be just as open as before.

What I'm asking is, is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?

I did think about disabling logging off, but if the computer needs some admin-ing, that would work.

We are using Windows Server 2003 and Windows XP.

There must be a way, surely.

Hope someone can help/advise (and sorry the explanation started to sound like a story a bit).

Kind regards,

Jack Lindsay
Question by: jack-lindsay
10 Comments
 
Accepted Solution

by: SCCMCanuck (earned 700 total points)
ID: 24860889
Hey Jack,

Give the following a try:

1. Create a Group Policy in the domain.
2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Edit "Allow log on locally" to contain the groups/users you want to be able to log on.
4. Close the GP, and apply it to an OU containing the computers you want to secure.

Let me know how you make out :)
 
Assisted Solution

by: Donald Stewart (earned 300 total points)
ID: 24861140
Actually, all you have to do is in ADUC go to the user's "Account" tab and click "Log on to".
 
Then add the computers that these accounts can only log on to.

Attachment: logonto.bmp
 
Assisted Solution

by: SCCMCanuck (earned 700 total points)
ID: 24861213
Hey dstewartjr:

I was considering that as a possible solution; however, I don't understand how that would restrict others from logging into the machine, as you are not creating a deny list. My understanding is that by setting the GPO setting it's actually acting as an override, denying authenticated users from logging in and only allowing those in the list.

Does the "log on to" option do this same thing? If it does then that's awesome; it will make this easier for myself to configure in the future, as I have been using the GPO method.

Thanks
 
Expert Comment

by: Donald Stewart
ID: 24861672
Looks like I only answered this part: "is there anyway i can lock these 2 new domain user accounts to ONLY these 2 computers?"
I believe you will also need to define these settings.

Enable the following settings:
Deny logon locally - Define but no entries.
Deny logon through Terminal Services - Define but no entries.
 


 
Expert Comment

by: graye
ID: 24862360
I think the easiest way would be to create a Security Group that contained only the accounts that you do NOT want to be able to log into those PCs. This might be tricky, as nested groups might end up including admin accounts, etc.
Then you'd use the Deny Logon Local feature with that group.
 

Author Comment

by: jack-lindsay
ID: 24863325
Thanks for all the replies. I'll try this out when I'm back at the office, and I'll let you know which way works.

thanks again

jack
 

Author Comment

by: jack-lindsay
ID: 24867647
Hi guys,

Right then.

I've done the bit with the ADUC accounts.
Where I'm having problems is denying other accounts to log on.

Here's what I've done.
In the User Rights Management:
Set Allow local logon - admin account
Allow log on through TS - Domain Admins only

Deny local logon - domain\test1 (a test group I made in another OU)
Deny logon as service - domain\test1
Deny logon through terminal services - domain\test1

But I can still log on to the machine with the "test" account. I've done countless restarts. Am I missing something here? I would have thought with all those settings configured, at least the test account wouldn't log in.

Please advise.

Regards,

Jack
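As an added example (not code from the thread or from any of the posters), here is a small Python model of the two controls the thread is comparing: the User Rights Assignment that the accepted solution and dstewartjr's follow-up set through the GPO, read from the [Privilege Rights] section of the GptTmpl.inf security template Group Policy stores them in, and the ADUC "Log on to" restriction (the userWorkstations attribute). Every SID, group, account and computer name in it is constructed. It reproduces why a configuration like jack-lindsay's above should refuse the test1 group (a deny right always wins over an allow), why an account outside the allow list is refused even with no deny entry, and why a deny right that is "defined but no entries" still counts as defined.

```python
"""Model of the two logon restrictions discussed in this thread.

Machine side: the User Rights Assignment a GPO writes into its security
template (GptTmpl.inf, [Privilege Rights] section). The GUI names map to:
  "Allow log on locally"                    -> SeInteractiveLogonRight
  "Allow log on through Terminal Services"  -> SeRemoteInteractiveLogonRight
  "Deny log on locally"                     -> SeDenyInteractiveLogonRight
  "Deny log on through Terminal Services"   -> SeDenyRemoteInteractiveLogonRight
Account side: the "Log on to" list on the user's Account tab in ADUC
(the userWorkstations attribute).

Every SID, account and computer name below is constructed for the example.
"""
from typing import Dict, List, Set

# Constructed fragment of a GptTmpl.inf in the form secedit writes it.
# A right whose value is empty is "defined, no entries"; a right that is
# missing is "not defined" and the computer's local default stays in force.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1150
SeRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-512
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1201
SeDenyServiceLogonRight = *S-1-5-21-1000-2000-3000-1201
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1201
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template: str) -> Dict[str, Set[str]]:
    """Return {right: set of principals} for each right defined in the template.

    Principals are kept as written (secedit stores SIDs prefixed with '*';
    plain names appear without the prefix). A defined-but-empty right maps
    to an empty set; an undefined right is simply absent from the result.
    """
    rights: Dict[str, Set[str]] = {}
    section = None
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def evaluate_logon(rights: Dict[str, Set[str]], token: Set[str],
                   logon_to: List[str], computer: str, remote: bool = False) -> str:
    """Decide an interactive logon the way the checks stack in Windows.

    1. The account's "Log on to" list, if non-empty, must name the computer
       where the session is created (for Terminal Services, the server).
    2. Any deny right matching a SID in the token refuses the logon; deny
       always wins over allow.
    3. The allow right must match a SID in the token; if the GPO does not
       define it, the local default applies and this model cannot decide.
    """
    if logon_to and computer.upper() not in {w.upper() for w in logon_to}:
        return "refused: computer not in the account's 'Log on to' list"
    deny = "SeDenyRemoteInteractiveLogonRight" if remote else "SeDenyInteractiveLogonRight"
    allow = "SeRemoteInteractiveLogonRight" if remote else "SeInteractiveLogonRight"
    if token & rights.get(deny, set()):
        return f"refused: a SID in the token is listed in {deny}"
    if allow not in rights:
        return f"undetermined: {allow} not defined in the template, local default applies"
    if not (token & rights[allow]):
        return f"refused: no SID in the token holds {allow}"
    return "allowed"


DOMAIN = "*S-1-5-21-1000-2000-3000"          # constructed domain SID prefix
LOCAL_ADMINS = "*S-1-5-32-544"               # BUILTIN\Administrators
DOMAIN_ADMINS, DOMAIN_USERS = f"{DOMAIN}-512", f"{DOMAIN}-513"
CANTEEN_GROUP, TEST1_GROUP = f"{DOMAIN}-1150", f"{DOMAIN}-1201"

# name -> (SIDs in the logon token, "Log on to" list; empty list = any computer).
# Domain Admins carry BUILTIN\Administrators in the token because they are
# nested into the local Administrators group on domain members.
ACCOUNTS = {
    "canteen1": ({f"{DOMAIN}-1101", DOMAIN_USERS, CANTEEN_GROUP}, ["CANTEEN01", "CANTEEN02"]),
    "alice":    ({f"{DOMAIN}-1102", DOMAIN_USERS}, []),
    "test":     ({f"{DOMAIN}-1103", DOMAIN_USERS, TEST1_GROUP}, []),
    "adm":      ({f"{DOMAIN}-1104", DOMAIN_USERS, DOMAIN_ADMINS, LOCAL_ADMINS}, []),
}


def check(account: str, computer: str, remote: bool = False,
          template: str = SAMPLE_TEMPLATE) -> str:
    """Evaluate one constructed account against one computer and the template."""
    token, logon_to = ACCOUNTS[account]
    return evaluate_logon(parse_privilege_rights(template), token, logon_to, computer, remote)


if __name__ == "__main__":
    for who, where, rdp in [("canteen1", "CANTEEN01", False), ("canteen1", "FINANCE01", False),
                            ("alice", "CANTEEN01", False), ("test", "CANTEEN01", False),
                            ("test", "CANTEEN01", True), ("adm", "CANTEEN01", True)]:
        print(f"{who:9} {where:10} {'TS' if rdp else 'local':5} -> {check(who, where, rdp)}")
```

The model only reflects what the template says; it cannot tell whether the computer has actually applied it, which is exactly the gap behind the wireless problem later in this thread. On the machine itself, `secedit /export /cfg <file>` dumps the effective template in this same format, so the parser above can be pointed at real output to confirm the rights that are in force before blaming the policy design.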
 
Expert Comment

by: graye
ID: 24868423
Hmmm... that should have done it.
I'd recommend that you check everything again... particularly the contents of your test1 group.
 

Author Comment

by: jack-lindsay
ID: 24868612
I think I've sussed it out.

These computers are wireless, so they weren't pulling down the computer configuration before the interactive logon bit. I had to physically connect it and now it works. Bit of a pain, but oh well.

If you know a way I can set it to pull down that part of the GP before the interactive log on, that would be very helpful; otherwise I will just have to leave it as it is. It still works as I want it to. Just if I have to change anything on the computer config, I have to hardwire it to pull the update down.

Thanks for all your help.

Regards,

Jack
 
Expert Comment

by: SCCMCanuck
ID: 24873485
Hey Jack you could try configuring the following:

Computer Config -> Admin Templates -> System -> Group Policy -> User Group Policy Loopback Processing Mode.

Set it to enabled and merge.

Run a gpupdate /force and restart the computers in question. This should force the computer based policy to execute on user logon.