Solved

Username bind to computername

Posted on 2013-01-16
11
276 Views
Last Modified: 2013-01-29
As the title says, my question is really simple. Is there any way I can restrict a username to its fixed computer? Actually, in my network there are some SQL developers and they simply log in with administrator on domain users' PCs, and I really want to restrict it, because once they leave the PC I have to rush again to log in with the actual domain user information.
Question by:ibrahim52
11 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38783718
In the Account tab of the user in Active Directory Users and Computers you can use the "Log On To" setting to restrict which computers that account can log on to.

Thanks

Mike
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38783738
"The logon workstation attributes cannot be changed on this object", it says.
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38783747
I need to restrict the administrator user, as I specified in my question.
0
LVL 57

Expert Comment

by:Mike Kline
ID: 38783792
Is this account in the domain admins group?
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 333 total points
ID: 38784803
Why are the SQL developers running around with the domain's builtin administrator user account?
Change the password and put it into a safe place and give them individual users instead of using the domain's builtin administrator user.
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38785840
Actually it is only one server in the company and those SQL developers are support providers for the accounting application we are using. Sometimes they need full administration privilege to install patches or setup on domain users computers and if I am not around, they simply log off and login through administrator username.

Once they are done, they leave the PC as it is. It has become a bit annoying for me, and that is why I was wondering if the "administrator" username can be limited to the server hardware.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 167 total points
ID: 38786485
If you're running AD and Windows OS then you always have 2 administrator accounts.
One is the local machine administrator account (which exists on ALL servers or workstations)
The other is the Domain Administrator account.
Both accounts are called administrator.

The easiest way to figure out which administrator account is logged on is to run: whoami at the command prompt.

Firstly, change the password of the local administrator account.
I'd suggest changing the Domain Administrator password too.
You can do this through group policy if you have many machines.

Create individual logins for each engineer and assign permissions to this server ONLY.

This way you can trace who was working on the server.
Also TELL them, yes use of CAPS is deliberate, that anybody who does not logoff will be banned from working on your site as they are a security risk to your Organization. Get your management involved as this is a basic security principle that is exposing your servers.

I feel that you are putting yourself out unnecessarily over something that should be enforced through policies. Additional controls you can add are screen-locks or screensavers during idle times. If these support staff cannot be bothered about security then lock them out.
0
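The tracing point in the answer above can be checked on a user's PC. This added example (not part of the original answer) lists interactive logons by any account with RID 500, the built-in Administrator, and labels each as the local or the domain account. The 30-day window is an assumption; it reads Security event 4624 and must run elevated.

```powershell
# Added example, not from the thread. Run elevated on the workstation being checked.
$since = (Get-Date).AddDays(-30)   # assumed look-back window

# 4624 logon types that mean someone sat at (or RDP'd into) the machine
$interactive = @{ '2' = 'Console'; '10' = 'RemoteDesktop'; '11' = 'CachedCredentials' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
ForEach-Object {
    # Read the named EventData fields instead of relying on positional indexes
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    # RID 500 identifies the built-in Administrator even if the account was renamed
    if ($data.TargetUserSid -like 'S-1-5-21-*-500' -and $interactive.ContainsKey($data.LogonType)) {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            # The local account's "domain" is the computer's own name
            Scope     = if ($data.TargetDomainName -eq $env:COMPUTERNAME) { 'Local Administrator' } else { 'Domain Administrator' }
            LogonType = $interactive[$data.LogonType]
        }
    }
} | Sort-Object Time
```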
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 333 total points
ID: 38786495
Create new individual admin users instead of letting them use the builtin administrator, as the builtin user can't be restricted.
Add the individual admin users into the necessary groups for the necessary permissions and restrict the individual admin users what computers they can logon to.

If having individual usernames instead of common users, you also get tracking possibilities to know who did what instead of guessing who of the users knowing the common user's password when something happens.

An additional thing is that you can also use GPO or local policy to restrict what users can logon to a specific set of computers
Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignment
  \Allow log on locally
  \Deny log on locally
0
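As an added example (not from the original post), this creates an individual admin account limited to one server through the same "Log On To" restriction, then lists Domain Admins members that have no such restriction. The account, group and computer names are hypothetical, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the thread. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$SamAccountName   = 'sqlsupport.jdoe'     # one account per support engineer
$AllowedComputers = 'SRV-SQL01'           # comma-separated computer names, no spaces
$AdminGroup       = 'SQL-Server-Admins'   # group that carries the rights on that server

$password = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"

# -LogonWorkstations sets the same value as the "Log On To" button on the Account tab
New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $true `
    -LogonWorkstations $AllowedComputers

Add-ADGroupMember -Identity $AdminGroup -Members $SamAccountName

# Report: which Domain Admins accounts can still log on to any computer?
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName,
        @{ n = 'BuiltIn'; e = { $_.SID.Value -like '*-500' } },   # RID 500 = built-in Administrator
        @{ n = 'LogOnTo'; e = { if ($_.LogonWorkstations) { $_.LogonWorkstations } else { '(any computer)' } } }
```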
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
ID: 38793429
So it means there is no way I can restrict the user "administrator" of the server to log in only through the SERVER hardware. I even consulted with some experts I know locally; they also suggested something similar to me, but I know they won't listen to it. I have already involved my management by sending them an email with CC to management, but there is no response till now, and on Sunday there will be a meeting in which I am going to raise this particular matter again. It looks so unprofessional when a domain user calls me when the administrator is logged in and they don't recall their domain user name.
0
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
ID: 38817854
Well, I finally was able to have a meeting with the developers in the presence of my management. It went on for an hour and finally they accepted to have another account from the server to administer SQL Server. So I close this question with the appropriate solutions posted. Thank you all.
0
 
LVL 12

Author Closing Comment

by:ibrahim52
ID: 38830393
Thank you very much to all for your valuable responses.
0


Question has a verified solution.
