?
Solved

Windows 2003 AD - Can users log on to workstations after domain accounts are disabled?

Posted on 2009-07-16
10
Medium Priority
?
259 Views
Last Modified: 2012-05-07
Windows 2003 AD; we need to disable domain user accounts but still allow users to log on to their workstations to access non-AD resources.

Can this be done without visiting each workstation?

Workstation OS is Windows XP Professional and are domain members.
Users do not have local admin rights or local workstation user accounts.
0
Comment
Question by:gdkruger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 26

Accepted Solution

by:
MidnightOne earned 500 total points
ID: 24872709
Once a user account is disabled in AD, the user can no longer use that account to logon. They would need local workstation accounts, and those would give no access to AD resources such as file shares and printers.
0
 
LVL 3

Expert Comment

by:tallafornia
ID: 24872772
XP caches the domain logon details locally and should allow users logon to the PC but not allow access to the AD domain resources.
0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 500 total points
ID: 24873177
how many workstations are you looking at? you should be able to create local logon accounts for the machines in AD. Are the local accounts going to be the same for each machine (or is it all unique)? If its a standard local account, you could create a vbscript to create a local accounts for the machines.

>>"XP caches the domain logon details locally and should allow users logon to the PC but not allow access to the AD domain resources."

you will need to verify that your (local or group) security policies are enabled for cached logons - also I don't know if that will necessarily work - especially if the machine is connected on the network, it will attempt to verify credentials via AD so I believe it would still deny the user access if the account has been disabled. That may work if the machine is not on the network altogether though...
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 500 total points
ID: 24874144
When users are disabled, they will be prevented from logging on to any computer in the domain.

If you don't want the users to access network resources like file and print servers, configure permissions of the resources so the prevented users don't have access to the resources.
0
 
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 500 total points
ID: 24878346
This is what I would do:

1.  Create a security group and call it whatever you would like
2.  Add this security group to the Local Users Group on each workstation.  This can be accomplished with Group Policy or manual intervention.
3.  Add these users to this group
4.  Remove these users from all other groups (domain users, etc...)
5.  If you want to restrict what computers they can log on to, then specify these computers in the user's properties under the "Account" tab and click on "Logon To".
-- These users should now be able to logon to workstations (or only the one's you specify), but will not have access to any other AD objects.
0
 
LVL 26

Expert Comment

by:MidnightOne
ID: 25008207
OP never gave any feedback on any of the suggestions nor answered questions.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 25064290
Disabled users will be prevented from logging on to any machine in domain. Either replace domain users with local users on the workstations or redesign the security of network resources to prevent restricted users from accessing the resources, but users still nead to be enabled to be able to log on.

Suggest split http:#24872709 http:#24874144 http:#24878346 http:#24873177
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Serverā€¦
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlleā€¦
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month10 days, 23 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question