Windows 2003 AD - Can users log on to workstations after domain accounts are disabled?

Windows 2003 AD; we need to disable domain user accounts but still allow users to log on to their workstations to access non-AD resources.

Can this be done without visiting each workstation?

Workstations run Windows XP Professional and are domain members.
Users do not have local admin rights or local workstation user accounts.
gdkruger asked:

MidnightOne commented:
Once a user account is disabled in AD, the user can no longer use that account to log on. They would need local workstation accounts, and those would give no access to AD resources such as file shares and printers.
0

tallafornia commented:
XP caches the domain logon details locally and should allow users to log on to the PC but not allow access to the AD domain resources.
0
ThinkPaper (IT Consultant) commented:
How many workstations are you looking at? You should be able to create local logon accounts for the machines in AD. Are the local accounts going to be the same for each machine (or is it all unique)? If it's a standard local account, you could create a vbscript to create local accounts for the machines.

>> "XP caches the domain logon details locally and should allow users to log on to the PC but not allow access to the AD domain resources."

You will need to verify that your (local or group) security policies are enabled for cached logons. Also, I don't know if that will necessarily work, especially if the machine is connected to the network: it will attempt to verify credentials via AD, so I believe it would still deny the user access if the account has been disabled. That may work if the machine is not on the network altogether, though...
0
Henrik Johansson (Systems engineer) commented:
When users are disabled, they will be prevented from logging on to any computer in the domain.

If you don't want the users to access network resources like file and print servers, configure permissions of the resources so the prevented users don't have access to the resources.
0
SeeMeShakinMyHead commented:
This is what I would do:

1. Create a security group and call it whatever you would like.
2. Add this security group to the local Users group on each workstation. This can be accomplished with Group Policy or manual intervention.
3. Add these users to this group.
4. Remove these users from all other groups (Domain Users, etc.).
5. If you want to restrict what computers they can log on to, then specify these computers in the user's properties under the "Account" tab and click on "Log On To".
-- These users should now be able to log on to workstations (or only the ones you specify), but will not have access to any other AD objects.
0
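The five steps above, scripted with ADSI so they run against a Windows 2003 domain from a domain-joined admin workstation; this is an added example, not code from the thread, and the group name, OU, NetBIOS name, user names and workstation names are assumptions. It also handles the step-4 catch that the answer leaves implicit: "Domain Users" is each user's primary group and cannot be removed until another group is made primary.

```powershell
# Added example (not from the thread). All names below are assumptions.
$groupName = 'Restricted-Workstation-Logon'             # assumed group name
$ouPath    = 'LDAP://OU=Restricted,DC=corp,DC=example'  # assumed OU
$netbios   = 'CORP'                                     # assumed NetBIOS domain
$users     = @('jsmith', 'mjones')                      # assumed sAMAccountNames
$stations  = @('PC01', 'PC02')                          # assumed workstations

function Get-UserEntry([string]$sam) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    $r = $s.FindOne()
    if (-not $r) { throw "user $sam not found" }
    $r.GetDirectoryEntry()
}

# Step 1: create a global security group (groupType = global | security-enabled)
$ou    = [ADSI]$ouPath
$group = $ou.Create('group', "CN=$groupName")
$group.Put('sAMAccountName', $groupName)
$group.Put('groupType', -2147483646)
$group.SetInfo()
$group.psbase.RefreshCache()
$groupDN = $group.psbase.Properties['distinguishedName'].Value
$sid = New-Object System.Security.Principal.SecurityIdentifier(
           $group.psbase.Properties['objectSid'].Value, 0)
$rid = [int]$sid.Value.Split('-')[-1]   # RID is what primaryGroupID stores

# Step 2: add the domain group to the local Users group on each workstation
# (needs admin rights on each PC; Group Policy Restricted Groups is the alternative)
foreach ($pc in $stations) {
    ([ADSI]"WinNT://$pc/Users,group").Add("WinNT://$netbios/$groupName,group")
}

foreach ($sam in $users) {
    $u = Get-UserEntry $sam
    $group.Add($u.psbase.Path)                # Step 3: join the new group
    # A group can only be made primary if the user is already a member of it.
    $u.Put('primaryGroupID', $rid)
    $u.SetInfo()
    $u.psbase.RefreshCache()                  # memberOf now lists Domain Users too
    foreach ($dn in @($u.memberOf)) {         # Step 4: leave every other group
        if ($dn -ne $groupDN) { ([ADSI]"LDAP://$dn").Remove($u.psbase.Path) }
    }
    # Step 5: the "Log On To" list on the Account tab is the userWorkstations attribute
    $u.Put('userWorkstations', ($stations -join ','))
    $u.SetInfo()
}
```

Note that resources granted to Authenticated Users remain reachable after these steps, so the permissions of sensitive shares still need an explicit review.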
MidnightOne commented:
OP never gave any feedback on any of the suggestions nor answered questions.
0
Henrik Johansson (Systems engineer) commented:
Disabled users will be prevented from logging on to any machine in the domain. Either replace domain users with local users on the workstations or redesign the security of network resources to prevent restricted users from accessing the resources, but users still need to be enabled to be able to log on.

Suggest split http:#24872709 http:#24874144 http:#24878346 http:#24873177
0