Solved

Username bind to computername

Posted on 2013-01-16
11
273 Views
Last Modified: 2013-01-29
According to the title, my question is really simple. Is there any way I can restrict a username to its fix computer. Actually in my network there are some SQL developers and they simply login with administrator on domain user PC's and I want to really restrict it. Because once they leave the PC and I have to rush again to login with actual domain user information.
0
Comment
Question by:ibrahim52
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
In the account tab of the user in active directory users and computers you can use the

"Log On To" setting to restrict what computers that account can log on to.  

Thanks

Mike
0
 
LVL 12

Author Comment

by:ibrahim52
Comment Utility
the logon workstation attributes cannot be changed on this object, it says
0
 
LVL 12

Author Comment

by:ibrahim52
Comment Utility
i need to restrict administrator user as i specified in my question.
0
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Is this account in the domain admins group?
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 333 total points
Comment Utility
Why are the SQL developers running around with the domain's builtin administrator user account?
Change the password and put it into a safe place and give them individual users instead of using the domain's builtin administrator user.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 12

Author Comment

by:ibrahim52
Comment Utility
Actually it is only one server in the company and those SQL developers are support providers for the accounting application we are using. Sometimes they need full administration privilege to install patches or setup on domain users computers and if I am not around, they simply log off and login through administrator username.

Once they are done, they leave the PC as it is. It has become a bit annoying for me and that is why was wondering if "administrator" username can be limited to the server hardware.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 167 total points
Comment Utility
If you're running AD and Windows OS then you have always have 2 administrator accounts.
One is the local machine administrator account (which exists on ALL servers or workstations)
The other is the Domain Administrator account.
Both accounts are called administrator.

The easiest way to figure out which administrator account is logged on run: whoami at the command prompt.

Firstly, change the password of the local administrator account.
I'd suggest changinged the Domain Administrator password too.
You can do this through group policy if you have many machines

Create individual logins for each engineer and assign permissions to this server ONLY.

This way you can trace who was working on the server.
Also TELL them, yes use of CAPS is deliberate, that anybody who does not logoff will be banned from working on your site as they are a security risk to your Organization. Get your management involved as this is a basic security principle that is exposing your servers.

I feel that you are putting yourself out unneccessary over something that should be enforced through policies. Additional controls you can add is to enable screen-locks or screensavers during idle times. If these support staff cannot be bothered about security then lock them out.
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 333 total points
Comment Utility
Create new individual admin users instead of letting them using builtin administrator as the builtin user can't be restricted.
Add the individual admin users into the necessary groups for the necessary permissions and restrict the individual admin users what computers they can logon to.

If having individual usernames instead of common users, you also get tracking possibilities to know who did what instead of guessing who of the users knowing the common user's password when something happens.

An additional thing is that you can also use GPO or local policy to restrict what users can logon to a specific set of computers
Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignment
  \Allow log on locally
  \Deny log on locally
0
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
Comment Utility
So it means there is no way I can restrict user "administrator" of server to be login only through SERVER hardware. I even did consult with some experts I know locally they also suggested me something similar but I know , they won't listen to it. I have already involved my management by sending them an email doing CC to management but there is no response till now and Sunday will be a meeting in which I am going to raise this particular matter again. It looks so unprofessional when a domain user calls me when the administrator is logged in and they don't recall their domain user name.
0
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
Comment Utility
Well , I finally was able to had a meeting with developers in presence of my management. Went long for an hour and finally they accepted to have another account from server to administrate sql server. So I close this question with appropriate solutions posted. Thank you all.
0
 
LVL 12

Author Closing Comment

by:ibrahim52
Comment Utility
Thank you very much to all of yours valuable response.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
A procedure for exporting installed hotfix details of remote computers using powershell
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now