Solved

Windows 2003 AD - Can users log on to workstations after domain accounts are disabled?

Posted on 2009-07-16
10
236 Views
Last Modified: 2012-05-07
Windows 2003 AD; we need to disable domain user accounts but still allow users to log on to their workstations to access non-AD resources.

Can this be done without visiting each workstation?

Workstation OS is Windows XP Professional and are domain members.
Users do not have local admin rights or local workstation user accounts.
0
Question by:gdkruger
10 Comments
 
LVL 26

Accepted Solution

by:
MidnightOne earned 125 total points
ID: 24872709
Once a user account is disabled in AD, the user can no longer use that account to logon. They would need local workstation accounts, and those would give no access to AD resources such as file shares and printers.
0
 
LVL 3

Expert Comment

by:tallafornia
ID: 24872772
XP caches the domain logon details locally and should allow users to log on to the PC but not allow access to the AD domain resources.
0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 125 total points
ID: 24873177
How many workstations are you looking at? You should be able to create local logon accounts for the machines in AD. Are the local accounts going to be the same for each machine (or are they all unique)? If it's a standard local account, you could create a VBScript to create local accounts for the machines.

>>"XP caches the domain logon details locally and should allow users logon to the PC but not allow access to the AD domain resources."

You will need to verify that your (local or group) security policies are enabled for cached logons. Also, I don't know if that will necessarily work, especially if the machine is connected to the network: it will attempt to verify credentials via AD, so I believe it would still deny the user access if the account has been disabled. That may work if the machine is not on the network at all, though...
0
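One way to script what ThinkPaper describes, as an added example that is not from this thread: a VBScript that creates a standard local account on each workstation listed in a text file through the WinNT ADSI provider and places it only in the local Users group, so the account has no admin rights and no domain access. The file name, account name and initial password are placeholders, and the script assumes it is run under an account that is a local administrator on every target.

```vbscript
' Added example (not from the thread): create a local-only account on each
' workstation listed in workstations.txt via the WinNT ADSI provider.
' Placeholders: the list file, strUser and strPassword.
Option Explicit

Const ForReading = 1

Dim objFSO, objFile, strComputer, strUser, strPassword
strUser = "localuser"                   ' placeholder account name
strPassword = "ChangeMe-Placeholder!"   ' placeholder; forced to change at first logon

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("workstations.txt", ForReading)

Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    If strComputer <> "" Then CreateLocalUser strComputer, strUser, strPassword
Loop
objFile.Close

Sub CreateLocalUser(strComputer, strUser, strPassword)
    Dim objComputer, objUser, objGroup
    On Error Resume Next
    ' Bind to the workstation's local SAM
    Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
    If Err.Number <> 0 Then
        WScript.Echo strComputer & ": cannot connect (" & Err.Description & ")"
        Err.Clear
        Exit Sub
    End If
    ' Create the account and commit it
    Set objUser = objComputer.Create("user", strUser)
    objUser.SetPassword strPassword
    objUser.Put "Description", "Local-only account (no domain access)"
    objUser.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo strComputer & ": could not create " & strUser & " (" & Err.Description & ")"
        Err.Clear
        Exit Sub
    End If
    ' Expire the shared initial password so each user sets their own at first logon
    objUser.Put "PasswordExpired", 1
    objUser.SetInfo
    ' Membership in the local Users group only (no local Administrators)
    Set objGroup = GetObject("WinNT://" & strComputer & "/Users,group")
    If Not objGroup.IsMember(objUser.ADsPath) Then objGroup.Add objUser.ADsPath
    WScript.Echo strComputer & ": created " & strUser
End Sub
```

Run it with `cscript` from a machine that can reach the workstations; on XP SP2 the Windows Firewall must allow remote administration for the WinNT binding to succeed.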
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 125 total points
ID: 24874144
When users are disabled, they will be prevented from logging on to any computer in the domain.

If you don't want the users to access network resources like file and print servers, configure permissions of the resources so the prevented users don't have access to the resources.
0
 
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 125 total points
ID: 24878346
This is what I would do:

1.  Create a security group and call it whatever you would like
2.  Add this security group to the Local Users Group on each workstation.  This can be accomplished with Group Policy or manual intervention.
3.  Add these users to this group
4.  Remove these users from all other groups (domain users, etc...)
5.  If you want to restrict what computers they can log on to, then specify these computers in the user's properties under the "Account" tab and click on "Logon To".
-- These users should now be able to log on to workstations (or only the ones you specify), but will not have access to any other AD objects.
0
 
LVL 26

Expert Comment

by:MidnightOne
ID: 25008207
OP never gave any feedback on any of the suggestions nor answered questions.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 25064290
Disabled users will be prevented from logging on to any machine in the domain. Either replace domain users with local users on the workstations or redesign the security of network resources to prevent restricted users from accessing the resources, but users still need to be enabled to be able to log on.

Suggest split http:#24872709 http:#24874144 http:#24878346 http:#24873177
0