• Status: Solved

How to restrict who logs on to a Windows 7 Pro Workstation

How can we restrict the user who can log in to a specific workstation?

We need to set a workstation to only permit one user. The user who we want to permit to access the notebook is also the admin of the notebook.

We need to isolate it so that, even if the notebook is connected to a Domain or a LAN Workgroup, the Administration of the Domain can't log in.

What's the best way of doing this?
Asked by: rayluvs

chakko Commented:
In the local users and Groups you need to remove Domain Users and Domain Admins from the groups (check all groups for completeness).
In the Administrator Group you can add their Domain User Name so that their Domain account still has administrative privileges.  

rayluvs (Author) Commented:
Hi, where exactly?

chakko Commented:

Easiest way: right-click My Computer (or Start Menu -> Computer) and choose Manage,
or Start Menu -> Administrative Tools -> Computer Management.
In the left pane, expand Local Users and Groups.
In Groups, make the edits required.

Domain accounts will show as:   Domain\name
 
Gerwin Jansen, EE MVE, Topic Advisor Commented:
What about your LAN workgroup remark? You are not going to remove the notebook from the domain, right? If you make chakko's suggested changes and you remove the notebook from the domain then no one can log on anymore...

chakko Commented:
In my suggestion the notebook is still a member of the Domain.

You are just removing the Domain accounts which can login to the notebook.  When a computer is Joined to a domain the domain\Domain Admins and domain\Domain Users groups are mapped into the Local Workstation Security Groups.

My suggestion just removes those default additions and replaces them with the user's personal domain\IUserAccount to be the only allowed domain account able to login to the workstation.  That should be added to the local computer Administrators group.

The local workstation Administrator will still have access to the notebook - changing that password by the end user will control access - the user sets a new password.

Gerwin Jansen, EE MVE, Topic Advisor Commented:
@chakko: I understand how it works :) Just a hint from me to Ramante to prevent it from happening, assuming that the local administrator account is still enabled and not renamed. Your suggestion will work fine IMHO.

rayluvs (Author) Commented:
chakko:
 
   I can't find "Domain accounts will show as:   Domain\name" (remove Domain Users and Domain
   Admins from the groups) to make the suggested changes

   Note: the notebook is not part of a Domain, but does access computers within the domain.
   Also, the notebook computer has a very unique Workgroup name.

Hope this helps

chakko Commented:
If it is not on the domain then you just need to really focus on the User Accounts.

In the User Accounts area, disable any accounts that you don't need (or change the password).
Also change any account in the Administrators Group.  The user should be using one of those accounts.

If the user is the only person who knows the passwords then other people should not be able to connect to that PC.

Also, check that your drives are NTFS file system.
Check if any folders are shared; if no one should access his computer then turn off the sharing.  Note:  C$ type administrative shares are normally made by the system.

If his passwords are easy to guess that is a problem.

How far does this need to go to keep people from connecting?  Is it just a concern, or is extra security really required for some reason?

Another thing to consider:
Install a firewall program on that PC to further block communication (people trying to connect to it).

Gerwin Jansen, EE MVE, Topic Advisor Commented:
When the notebook is not part of a domain, what's the issue then? Only local accounts can log on then. And if you want to connect to a resource in a domain, just use domain\domain_account to map a drive, connect to a printer etc. Or am I missing something?

rayluvs (Author) Commented:
gerwinjansen:

  The problem we have is that we have a notebook that is not part of any Domain.  However, when the notebook connects via LAN to a Domain (for Internet access only), the Domain administrator can log in to the notebook via "domain\domain_account".  We don't want that.

chakko:

  Various:

    1. Included is an image of my Local Group policy.  Which option is where I disable any accounts that I don't need?
    2. The notebook's drives are NTFS file system.
    3. There is a shared folder (see Pics); can this be a problem?
    4. The reason for the security is for access reasons; the notebook has marketing info.
    5. The notebook has a firewall program called COMODO Firewall and it looks like it's pretty tough and running; however, I don't know if COMODO can restrict users at the actual notebook's Windows logon screen.


LocalUserPolicy.jpg
SharedFolders.Drives.jpg

chakko Commented:

Are you sure the notebook is not in a DOMAIN?

If someone is connecting with Domain\Domain_account then my guess is he is connecting with a local notebook account, WORKGROUP\administrator.

For that you need to change the administrator password.  If they REALLY are connecting with DOMAIN\Domain_account then you need to check that notebook out.  Connecting with Domain_account should not be possible.

To check the users (which accounts exist) go to the User which is just above the Groups as shown in the picture you posted.

Gerwin Jansen, EE MVE, Topic Advisor Commented:
@chakko: agreed, when the NB is not part of a domain, domain accounts have no rights. They show up as SIDs in user management.

@Ramante: can you look into all local administrators group and show us what accounts are in there? Change the administrator password as well. Also, have a look in the event log (start: eventvwr) in category Windows Logs -> Security, sort on Task Category, go to 'Logon', have a look in the details pane for each logon entry and look at the SubjectUserName and SubjectDomainName. Do they show your domain admin user?
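
The checks suggested in the replies above (local accounts, Administrators group membership, shared folders, and logon entries in the Security log), collected into one PowerShell session as an added example that is not part of the original thread. It assumes an elevated prompt, an English-language install (group name `Administrators`) and the standard successful-logon event ID 4624; the 200-event window and the column names are choices made for this example.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Uses only commands available in PowerShell 2.0 (the Windows 7 default).

# 1. Local accounts: anything not needed should show Disabled = True.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, PasswordRequired |
    Format-Table -AutoSize

# 2. Members of the local Administrators group. Domain accounts would be
#    listed as DOMAIN\name (group name assumes an English-language install).
net localgroup Administrators

# 3. Shared folders. Names ending in $ (C$, ADMIN$, IPC$) are the
#    administrative shares Windows creates itself.
Get-WmiObject Win32_Share | Select-Object Name, Path | Format-Table -AutoSize

# 4. Successful logons (event ID 4624) from the Security log.
#    Logon types: 2 = at the console, 3 = over the network, 10 = Remote Desktop.
$wanted = '2', '3', '10'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            LogonType = $data['LogonType']
            Domain    = $data['TargetDomainName']   # domain of the account that logged on
            User      = $data['TargetUserName']     # account that logged on
            Source    = $data['IpAddress']          # source address, if recorded
            # True when the account belongs to this machine rather than a domain
            IsLocal   = ($data['TargetDomainName'] -eq $env:COMPUTERNAME)
        }
    } |
    Where-Object { $wanted -contains $_.LogonType } |
    Select-Object Time, LogonType, Domain, User, Source, IsLocal |
    Format-Table -AutoSize
```

Rows with IsLocal = False are the ones to examine; `NT AUTHORITY\ANONYMOUS LOGON` with logon type 3 is a built-in identity, not a domain account.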
 
rayluvs (Author) Commented:
You are correct, I've checked the User accounts and no Domain users are there.

With this, that means that an Admin from a Domain can't log into the notebook unless the notebook is part of the Domain.  Is that safe to say?

Gerwin Jansen, EE MVE, Topic Advisor Commented:
Correct, when the notebook is a member of a domain (has a computer account in the domain), then domain accounts can be given rights on that notebook. When the notebook is not a member of the domain (anymore), domain accounts cannot log on. This can cause a problem once you 'forget' a local administrator's password.

rayluvs (Author) Commented:
Great! Then that means that the notebook is safe from Domain access.

rayluvs (Author) Commented:
Thanks