Solved

Windows 2003 AD - Can users log on to workstations after domain accounts are disabled?

Posted on 2009-07-16
219 Views
Last Modified: 2012-05-07
Windows 2003 AD; we need to disable domain user accounts but still allow users to log on to their workstations to access non-AD resources.

Can this be done without visiting each workstation?

Workstation OS is Windows XP Professional, and the workstations are domain members.
Users do not have local admin rights or local workstation user accounts.
Question by:gdkruger
10 Comments
 
LVL 26

Accepted Solution

by:
MidnightOne earned 125 total points
ID: 24872709
Once a user account is disabled in AD, the user can no longer use that account to log on. They would need local workstation accounts, and those would give no access to AD resources such as file shares and printers.
 
LVL 3

Expert Comment

by:tallafornia
ID: 24872772
XP caches the domain logon details locally and should allow users to log on to the PC but not allow access to the AD domain resources.
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 125 total points
ID: 24873177
How many workstations are you looking at? You should be able to create local logon accounts for the machines in AD. Are the local accounts going to be the same for each machine (or is it all unique)? If it's a standard local account, you could create a VBScript to create local accounts for the machines.

> "XP caches the domain logon details locally and should allow users to log on to the PC but not allow access to the AD domain resources."

You will need to verify that your (local or group) security policies are enabled for cached logons. Also, I don't know if that will necessarily work, especially if the machine is connected to the network: it will attempt to verify credentials via AD, so I believe it would still deny the user access if the account has been disabled. That may work if the machine is not on the network at all, though...
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 125 total points
ID: 24874144
When users are disabled, they will be prevented from logging on to any computer in the domain.

If you don't want the users to access network resources like file and print servers, configure permissions of the resources so the prevented users don't have access to the resources.
 
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 125 total points
ID: 24878346
This is what I would do:

1. Create a security group and call it whatever you would like.
2. Add this security group to the local Users group on each workstation. This can be accomplished with Group Policy or manual intervention.
3. Add these users to this group.
4. Remove these users from all other groups (Domain Users, etc.).
5. If you want to restrict what computers they can log on to, then specify these computers in the user's properties under the "Account" tab and click on "Log On To".

These users should now be able to log on to workstations (or only the ones you specify), but will not have access to any other AD objects.
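The steps above, scripted so that nobody has to visit each workstation. This is an added example and not code from the thread or from any of the commenters; it uses ADSI (`System.DirectoryServices`) from a domain-joined machine, which works against a Windows 2003 domain without the newer ActiveDirectory module. The domain DN, OU, group name, user names and workstation names are constructed placeholders. Step 2 is not in the script: putting the domain group into each workstation's local Users group is done once in Group Policy (Computer Configuration > Windows Settings > Security Settings > Restricted Groups, with the new group listed as a member of `Users`). One detail the list glosses over: Domain Users is the users' primary group, and a primary group cannot be removed, so the script makes the new group primary first and only then drops the other memberships.

```powershell
# Added example (not from the thread). Constructed placeholders follow; adjust to your domain.
$domainDn     = "DC=example,DC=local"
$groupOu      = "OU=Groups,$domainDn"
$groupName    = "RestrictedWorkstationLogon"
$userNames    = @("jdoe", "asmith")
$workstations = "WS01,WS02"    # comma-separated NetBIOS names, as in the "Log On To" dialog

# Look up a user by sAMAccountName and return its DirectoryEntry (assumed helper)
function Get-AdsiUser([string]$sam) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$sam' not found" }
    return $result.GetDirectoryEntry()
}

# Step 1: create a global security group.
# groupType = ADS_GROUP_TYPE_GLOBAL_GROUP (2) | ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000),
# written as the signed 32-bit value AD stores.
$ou    = [ADSI]"LDAP://$groupOu"
$group = $ou.Children.Add("CN=$groupName", "group")
$group.Properties["sAMAccountName"].Value = $groupName
$group.Properties["groupType"].Value      = -2147483646
$group.CommitChanges()
$group.RefreshCache()
$groupDn = $group.Properties["distinguishedName"].Value

# The group's RID (last sub-authority of its SID) is what primaryGroupID expects.
$groupSid = New-Object System.Security.Principal.SecurityIdentifier($group.Properties["objectSid"].Value, 0)
$groupRid = [int]($groupSid.Value.Split("-")[-1])

foreach ($sam in $userNames) {
    $user   = Get-AdsiUser $sam
    $userDn = $user.Properties["distinguishedName"].Value

    # Step 3: add the user to the new group (membership is required before it can be primary).
    $group.Properties["member"].Add($userDn) | Out-Null
    $group.CommitChanges()

    # Step 4: make the new group primary, then remove every other group membership.
    # Domain Users only becomes removable once it is no longer the primary group.
    $user.Properties["primaryGroupID"].Value = $groupRid
    $user.CommitChanges()
    $user.RefreshCache()
    $others = @($user.Properties["memberOf"] | Where-Object { $_ -ne $groupDn })
    foreach ($dn in $others) {
        $g = [ADSI]"LDAP://$dn"
        $g.Properties["member"].Remove($userDn)
        $g.CommitChanges()
    }

    # Step 5: restrict interactive logon to the listed workstations ("Log On To" in ADUC).
    $user.Properties["userWorkstations"].Value = $workstations
    $user.CommitChanges()
}
```

Two things to check afterwards. Removing the users from Domain Users does not remove them from Authenticated Users or Everyone, so any share, printer or folder whose ACL grants one of those well-known groups is still reachable by these accounts; review those ACLs rather than relying on group membership alone. Also confirm the Restricted Groups policy has applied on a sample workstation (`gpresult` or the local Users group in Computer Management) before the users are expected to log on, since step 2 is what keeps the workstation logon working once the other memberships are gone.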
 
LVL 26

Expert Comment

by:MidnightOne
ID: 25008207
OP never gave any feedback on any of the suggestions nor answered questions.
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 25064290
Disabled users will be prevented from logging on to any machine in the domain. Either replace domain users with local users on the workstations or redesign the security of network resources to prevent restricted users from accessing the resources, but users still need to be enabled to be able to log on.

Suggest split: http:#24872709, http:#24874144, http:#24878346, http:#24873177