Windows 2003 AD - Can users log on to workstations after domain accounts are disabled?

Posted on 2009-07-16
Medium Priority
Last Modified: 2012-05-07
Windows 2003 AD; we need to disable domain user accounts but still allow users to log on to their workstations to access non-AD resources.

Can this be done without visiting each workstation?

Workstation OS is Windows XP Professional and are domain members.
Users do not have local admin rights or local workstation user accounts.
Question by:gdkruger
LVL 26

Accepted Solution

MidnightOne earned 500 total points
ID: 24872709
Once a user account is disabled in AD, the user can no longer use that account to logon. They would need local workstation accounts, and those would give no access to AD resources such as file shares and printers.

Expert Comment

ID: 24872772
XP caches the domain logon details locally and should allow users logon to the PC but not allow access to the AD domain resources.
LVL 16

Assisted Solution

ThinkPaper earned 500 total points
ID: 24873177
how many workstations are you looking at? you should be able to create local logon accounts for the machines in AD. Are the local accounts going to be the same for each machine (or is it all unique)? If its a standard local account, you could create a vbscript to create a local accounts for the machines.

>>"XP caches the domain logon details locally and should allow users logon to the PC but not allow access to the AD domain resources."

you will need to verify that your (local or group) security policies are enabled for cached logons - also I don't know if that will necessarily work - especially if the machine is connected on the network, it will attempt to verify credentials via AD so I believe it would still deny the user access if the account has been disabled. That may work if the machine is not on the network altogether though...
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 500 total points
ID: 24874144
When users are disabled, they will be prevented from logging on to any computer in the domain.

If you don't want the users to access network resources like file and print servers, configure permissions of the resources so the prevented users don't have access to the resources.

Assisted Solution

SeeMeShakinMyHead earned 500 total points
ID: 24878346
This is what I would do:

1.  Create a security group and call it whatever you would like
2.  Add this security group to the Local Users Group on each workstation.  This can be accomplished with Group Policy or manual intervention.
3.  Add these users to this group
4.  Remove these users from all other groups (domain users, etc...)
5.  If you want to restrict what computers they can log on to, then specify these computers in the user's properties under the "Account" tab and click on "Logon To".
-- These users should now be able to logon to workstations (or only the one's you specify), but will not have access to any other AD objects.
LVL 26

Expert Comment

ID: 25008207
OP never gave any feedback on any of the suggestions nor answered questions.
LVL 31

Expert Comment

by:Henrik Johansson
ID: 25064290
Disabled users will be prevented from logging on to any machine in domain. Either replace domain users with local users on the workstations or redesign the security of network resources to prevent restricted users from accessing the resources, but users still nead to be enabled to be able to log on.

Suggest split http:#24872709 http:#24874144 http:#24878346 http:#24873177

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question