locking an account to a computer

Posted on 2009-07-15
Last Modified: 2013-11-05
Hi guys

I'm not sure if I'm in the correct section, but here we go.

Where I work, we are installing 2 computers in the canteen so people can STRICTLY browse the web and use Microsoft Office. I've created a new OU and created a couple of accounts for these new computers so our proxy policy can be stricter on what users can access. I started to create the group policy when something hit me: the user could just log off the new account and use their own account, and it would be just as open as before.

What I'm asking is: is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?

I did think about disabling logging off, but if the computer needs some admin-ing, that would work.

We are using Windows Server 2003 and Windows XP.

There must be a way, surely.

Hope someone can help/advise (and sorry the explanation started to sound like a story a bit).

kind regards,

jack lindsay
Question by:jack-lindsay

Accepted Solution by: Christopher Nienaber
ID: 24860889
Hey Jack,

Give the following a try:

1. Create a Group Policy in the domain.
2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Edit "Allow log on locally" to contain the groups/users you want to be able to log on.
4. Close the GPO and apply it to an OU containing the computers you want to secure.

Let me know how you make out :)

Assisted Solution by: Donald Stewart
ID: 24861140
Actually, all you have to do is, in ADUC, go to the user's "Account" tab and click "Log On To...".

Then add the computers that these accounts can only log on to.

(attachment: logonto.bmp)
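What the "Log On To..." dialog actually writes is the userWorkstations attribute on the user object, and the DC enforces it at logon. The script below is an added example, not code from this thread: it sets that attribute on the two kiosk accounts with the [ADSI] accessor (plain LDAP, so it works against a Windows Server 2003 DC from any domain-joined machine running PowerShell 2.0) and reads it back. The OU, domain, account names and PC names are assumptions.

```powershell
# Added example, not code from the thread. Writes the userWorkstations attribute
# that the ADUC "Log On To..." dialog edits, restricting the two kiosk accounts to
# the two canteen PCs. OU, domain, account and computer names are assumptions.

$kioskOU  = "OU=Canteen Kiosks,DC=corp,DC=example"   # assumed OU holding the kiosk accounts
$kioskPCs = "CANTEEN-PC1,CANTEEN-PC2"                # assumed NetBIOS names: comma-separated, no spaces

function Set-LogonWorkstations {
    param([string]$UserDn, [string]$Workstations)
    $user = [ADSI]"LDAP://$UserDn"
    # Same storage format the GUI uses: NetBIOS names only, no domain prefix.
    $user.Put("userWorkstations", $Workstations)
    $user.SetInfo()
}

function Get-LogonWorkstations {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    # Get() throws when the attribute has never been set, which means "may log on anywhere".
    try   { [string]$user.Get("userWorkstations") }
    catch { "(not set: account may log on to any workstation)" }
}

foreach ($sam in "canteen1", "canteen2") {            # assumed kiosk account names
    $dn = "CN=$sam,$kioskOU"
    Set-LogonWorkstations -UserDn $dn -Workstations $kioskPCs
    "{0}: {1}" -f $sam, (Get-LogonWorkstations -UserDn $dn)
}
```

Note what this does and does not cover: it stops the two kiosk accounts from being used anywhere else, but it says nothing about who else may log on to the kiosk PCs. Keeping other domain users off those machines is the "Allow log on locally" / "Deny log on locally" part of the thread, which lives on the computer side, not the account.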

Assisted Solution by: Christopher Nienaber
ID: 24861213
Hey dstewartjr:

I was considering that as a possible solution; however, I don't understand how that would restrict others from logging into the machine, as you are not creating a deny list. My understanding is that by setting the GPO setting it's actually acting as an override, denying authenticated users from logging in and only allowing those in the list.

Does the "Log On To" option do this same thing? If it does, then that's awesome; it will make this easier for me to configure in the future, as I have been using the GPO method.

Thanks

Expert Comment by: Donald Stewart
ID: 24861672
Looks like I only answered this part: "is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?"
I believe you will also need to define these settings:

Enable the following settings:
Deny logon locally - Define but no entries.
Deny logon through Terminal Services - Define but no entries.

Expert Comment by: graye
ID: 24862360
I think the easiest way would be to create a Security Group that contains only the accounts that you do NOT want to be able to log into those PCs. This might be tricky, as nested groups might end up including admin accounts, etc.
Then you'd use the Deny Logon Local feature with that group.
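The three comments above describe the same User Rights Assignment settings from different angles: Christopher's accepted solution (an allow-list in "Allow log on locally"), Donald's "define but no entries" deny rights, and graye's deny group. The script below is an added example, not code from this thread: it expresses those settings as a security template, applies it to the local PC with secedit, and exports what is then in effect so you can read it back. The domain and group names are assumptions; run it elevated on one kiosk PC as a test, then put the same values into the GPO linked to the kiosk OU, since the next policy refresh will overwrite a locally applied template.

```powershell
# Added example, not code from the thread. Builds a security template carrying the
# "Allow log on locally" allow-list, the deny logon rights (defined, optionally
# empty) and a deny group, applies it locally with secedit, and reads it back.
# Domain and group names are assumptions.

$domain  = "CORP"                                                   # assumed NetBIOS domain name
$allowed = "BUILTIN\Administrators", "$domain\Canteen Kiosk Users"  # assumed kiosk group
$denied  = @("$domain\Canteen Deny Logon")                          # assumed deny group; use @() for "define but no entries"

function ConvertTo-TemplateSid {
    # secedit templates take "*S-1-..." SIDs; resolving the name here makes a typo fail now, not at logon time.
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    "*" + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-KioskLogonTemplate {
    param([string[]]$Allow, [string[]]$Deny, [string]$Path)
    $allowSids = ($Allow | ForEach-Object { ConvertTo-TemplateSid $_ }) -join ","
    $denySids  = ($Deny  | ForEach-Object { ConvertTo-TemplateSid $_ }) -join ","
    $adminSid  = ConvertTo-TemplateSid "BUILTIN\Administrators"
    # An empty $Deny yields "Right = " with nothing after it: defined, but no entries.
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $allowSids
SeRemoteInteractiveLogonRight = $adminSid
SeDenyInteractiveLogonRight = $denySids
SeDenyRemoteInteractiveLogonRight = $denySids
SeDenyServiceLogonRight = $denySids
"@ | Set-Content -Path $Path -Encoding Unicode
}

function Test-AdminLockout {
    # Guard against the classic mistake: dropping Administrators from the allow-list locks admins out too.
    param([string[]]$Allow)
    $Allow -contains "BUILTIN\Administrators"
}

function Invoke-KioskLogonTemplate {
    param([string]$Path)
    $db = Join-Path $env:TEMP "kiosk-logon.sdb"
    & secedit.exe /configure /db $db /cfg $Path /areas USER_RIGHTS /quiet
    # Export the effective user rights and show only the logon-related ones.
    $export = Join-Path $env:TEMP "kiosk-logon-export.inf"
    & secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet
    Get-Content $export | Where-Object { $_ -match '^Se(Deny)?(Interactive|RemoteInteractive|Service)LogonRight' }
}

if (-not (Test-AdminLockout $allowed)) { throw "Administrators missing from the allow-list; refusing to apply" }
$inf = Join-Path $env:TEMP "kiosk-logon.inf"
New-KioskLogonTemplate -Allow $allowed -Deny $denied -Path $inf
Invoke-KioskLogonTemplate -Path $inf
```

Two checks worth making before trusting the result. First, the deny rights win over the allow right, so confirm the deny group's nested membership does not pull in an admin account (graye's warning); the Translate step only proves the group exists, not who is in it. Second, the exported values are what the local security database holds right now; whether the domain GPO carrying these settings actually reached the computer is a separate question, answered by gpresult /scope computer on the kiosk.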

Author Comment by: jack-lindsay
ID: 24863325
Thanks for all the replies. I'll try this out when I'm back at the office, and I'll let you know which way works.

Thanks again

Jack

Author Comment by: jack-lindsay
ID: 24867647
Hi guys,

Right then.

I've done the bit with the ADUC accounts.
Where I'm having problems is denying other accounts from logging on.

Here's what I've done.
In the User Rights Management:
set Allow local logon - admin account
allow log on through TS - domain admins only

deny local logon - domain\test1 (a test group I made in another OU)
deny logon as service - domain\test1
deny logon through terminal services - domain\test1

But I can still log on to the machine with the "test" account. I've done countless restarts. Am I missing something here? I would have thought that with all those settings configured, at least the test account wouldn't log in.

Please advise

Regards

Jack

Expert Comment by: graye
ID: 24868423
Hmmm... that should have done it.
I'd recommend that you check everything again... particularly the contents of your test1 group.

Author Comment by: jack-lindsay
ID: 24868612
I think I've sussed it out.

These computers are wireless, so they weren't pulling down the computer configuration before the interactive logon bit. I had to physically connect it, and now it works. Bit of a pain, but oh well.

If you know a way I can set it to pull down that part of the GP before the interactive logon, that would be very helpful; otherwise I will just have to leave it as it is. It still works as I want it to. It's just that if I have to change anything on the computer config, I have to hardwire it to pull the update down.

Thanks for all your help

Regards

Jack

Expert Comment by: Christopher Nienaber
ID: 24873485
Hey Jack, you could try configuring the following:

Computer Configuration -> Administrative Templates -> System -> Group Policy -> User Group Policy loopback processing mode.

Set it to Enabled, with mode Merge.

Run gpupdate /force and restart the computers in question. This should force the computer-based policy to execute on user logon.