Solved

locking an account to a computer

Posted on 2009-07-15
Last Modified: 2013-11-05
Hi guys

I'm not sure if I'm in the correct section, but here we go.

Where I work, we are installing 2 computers in the canteen, so people can STRICTLY browse the web and use Microsoft Office. I've created a new OU and created a couple of accounts for these new computers so our proxy policy can be more strict on what users can access. I started to create the group policy when something hit me: the user could just log off the new account and use their account, and it will be just as open as before.

What I'm asking is, is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?

I did think about disabling logging off, but if the computer needs some admin-ing, that would work.

We are using Windows Server 2003 and Windows XP.

There must be a way, surely.

Hope someone can help/advise (and sorry the explanation started to sound like a story a bit).

kind regards,

jack lindsay
0
Question by:jack-lindsay
 
LVL 7

Accepted Solution

by:
Christopher Nienaber earned 175 total points
ID: 24860889
Hey Jack,

Give the following a try:

1. Create a Group Policy in the domain.
2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Edit "Allow log on locally" to contain the groups/users you want to be able to log on.
4. Close the GP, and apply it to an OU containing the computers you want to secure.

Let me know how you make out :)
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 75 total points
ID: 24861140
Actually, all you have to do is, in ADUC, go to the user's "Account" tab and click "Log on to".
 
Then add the computers that these accounts can only log on to.

logonto.bmp
0
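The "Log on to" list described above is stored on the user account itself, so it can also be set and read back from a script. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available on an admin workstation, and the account and computer names are placeholders.

```powershell
# Added example: set and verify the "Log on to" workstation list for kiosk accounts.
# Assumes the ActiveDirectory module (RSAT); all names below are hypothetical.
Import-Module ActiveDirectory

$kioskAccounts  = 'canteen1', 'canteen2'          # placeholder sAMAccountNames
$kioskComputers = 'CANTEEN-PC1', 'CANTEEN-PC2'    # placeholder computer names

function Set-KioskLogonRestriction {
    param([string[]]$Accounts, [string[]]$Computers)
    # The attribute holds one comma-separated string of computer names.
    $value = $Computers -join ','
    foreach ($name in $Accounts) {
        Set-ADUser -Identity $name -LogonWorkstations $value
    }
}

function Test-KioskLogonRestriction {
    param([string[]]$Accounts, [string[]]$Computers)
    $expected = ($Computers | Sort-Object) -join ','
    foreach ($name in $Accounts) {
        $user   = Get-ADUser -Identity $name -Properties LogonWorkstations
        $actual = @()
        if ($user.LogonWorkstations) {
            $actual = @($user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
        }
        [pscustomobject]@{
            Account         = $user.SamAccountName
            Workstations    = $actual -join ','
            # An empty list means the account can log on to any computer.
            Restricted      = ($actual.Count -gt 0)
            MatchesExpected = ((($actual | Sort-Object) -join ',') -eq $expected)
        }
    }
}

Set-KioskLogonRestriction  -Accounts $kioskAccounts -Computers $kioskComputers
Test-KioskLogonRestriction -Accounts $kioskAccounts -Computers $kioskComputers |
    Format-Table -AutoSize
```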
 
LVL 7

Assisted Solution

by:Christopher Nienaber
Christopher Nienaber earned 175 total points
ID: 24861213
Hey dstewartjr:

I was considering that as a possible solution; however, I don't understand how that would restrict others from logging into the machine, as you are not creating a deny list. My understanding is that by setting the GPO setting, it's actually acting as an override, denying authenticated users from logging in and only allowing those in the list.

Does the "log onto" option do this same thing? If it does, then that's awesome; it will make this easier for myself to configure in the future, as I have been using the GPO method.

Thanks
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24861672
Looks like I only answered this part: "is there anyway i can lock these 2 new domain user accounts to ONLY these 2 computers?"
I believe you will also need to define these settings as well.

Enable the following settings:
Deny logon locally - Define but no entries.
Deny logon through Terminal Services - Define but no entries.
 


0
 
LVL 41

Expert Comment

by:graye
ID: 24862360
I think the easiest way would be to create a Security Group that contained only the accounts that you do NOT want to be able to log into those PCs. This might be tricky, as nested groups might end up including admin accounts, etc.
Then you'd use the Deny Logon Local feature with that group.
0

Author Comment

by:jack-lindsay
ID: 24863325
Thanks for all the replies. I'll try this out when I'm back at the office, and I'll let you know which way works.

Thanks again

jack
0
 

Author Comment

by:jack-lindsay
ID: 24867647
Hi guys,

Right then.

I've done the bit with the ADUC accounts.
Where I'm having problems is denying other accounts to log on.

Here's what I've done.
In the User Rights Management:
set Allow local logon - admin account
allow log on through TS - domain admins only

deny local logon - domain\test1 (a test group I made in another OU)
deny logon as service - domain\test1
deny logon through terminal services - domain\test1

But I can still log on to the machine with the "test" account. I've done countless restarts. Am I missing something here? I would have thought with all those settings configured, at least the test account wouldn't log in.

Please advise

regards

jack
0
 
LVL 41

Expert Comment

by:graye
ID: 24868423
Hummm... that should have done it.
I'd recommend that you check everything again... particularly the contents of your test1 group.
0
 

Author Comment

by:jack-lindsay
ID: 24868612
I think I've sussed it out.

These computers are wireless, so they weren't pulling down the computer configuration before the interactive logon bit. I had to physically connect it and now it works. Bit of a pain, but oh well.

If you know a way I can set it to pull down that part of the GP before the interactive logon, that would be very helpful; otherwise I will just have to leave it as it is. It still works as I want it to. Just if I have to change anything on the computer config, I have to hardwire it to pull the update down.


Thanks for all your help

regards

jack
0
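For the situation described above, where the computer policy had not reached the machine, the user rights actually in effect can be read on the computer itself. This is an added example, not part of the original thread; it uses `secedit /export` and is meant to be run from an elevated PowerShell prompt on the computer being checked.

```powershell
# Added example: show which accounts hold the logon rights on THIS computer,
# to confirm that the GPO's User Rights Assignment settings were applied.
function Resolve-RightHolder {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; anything else is already a name.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # could not be resolved (deleted account, no DC reachable)
    }
}

function Get-LogonRightAssignment {
    # Allow/Deny log on locally, Allow/Deny log on through Terminal Services
    $rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
              'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    $file = Join-Path $env:TEMP 'logon-rights.inf'
    secedit /export /cfg $file /areas USER_RIGHTS | Out-Null
    try { $lines = Get-Content -Path $file } finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
    foreach ($right in $rights) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                ForEach-Object { Resolve-RightHolder -Entry $_ })
        }
        [pscustomobject]@{
            Right   = $right
            Defined = [bool]$line          # false: the right is not set at all
            Holders = $holders -join '; '  # empty: defined with no entries
        }
    }
}

Get-LogonRightAssignment | Format-Table -AutoSize
```

If the rows still show the defaults rather than the accounts and groups entered in the GPO, the computer configuration has not been applied to that machine yet.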
 
LVL 7

Expert Comment

by:Christopher Nienaber
ID: 24873485
Hey Jack you could try configuring the following:

Computer Config -> Admin Templates -> System -> Group Policy -> User Group Policy Loopback Processing Mode.

Set it to enabled and merge.

Run a gpupdate /force and restart the computers in question. This should force the computer based policy to execute on user logon.
0
