Solved

Username bind to computername

Posted on 2013-01-16
Last Modified: 2013-01-29
As the title says, my question is really simple. Is there any way I can restrict a username to its fixed computer? In my network there are some SQL developers, and they simply log in as administrator on domain users' PCs, and I really want to restrict that, because once they leave the PC I have to rush over to log in again with the actual domain user's information.
Question by:ibrahim52
11 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38783718
On the Account tab of the user in Active Directory Users and Computers, you can use the "Log On To" setting to restrict which computers that account can log on to.

Thanks

Mike
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38783738
It says the logon workstation attributes cannot be changed on this object.
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38783747
I need to restrict the administrator user, as I specified in my question.
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 38783792
Is this account in the domain admins group?
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1332 total points
ID: 38784803
Why are the SQL developers running around with the domain's builtin administrator user account?
Change the password and put it into a safe place and give them individual users instead of using the domain's builtin administrator user.
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38785840
Actually it is only one server in the company and those SQL developers are support providers for the accounting application we are using. Sometimes they need full administration privilege to install patches or setup on domain users computers and if I am not around, they simply log off and login through administrator username.

Once they are done, they leave the PC as it is. It has become a bit annoying for me, and that is why I was wondering if the "administrator" username can be limited to the server hardware.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 668 total points
ID: 38786485
If you're running AD and Windows OS then you always have 2 administrator accounts.
One is the local machine administrator account (which exists on ALL servers or workstations)
The other is the Domain Administrator account.
Both accounts are called administrator.

The easiest way to figure out which administrator account is logged on is to run `whoami` at the command prompt.

Firstly, change the password of the local administrator account.
I'd suggest changing the Domain Administrator password too.
You can do this through group policy if you have many machines.

Create individual logins for each engineer and assign permissions to this server ONLY.

This way you can trace who was working on the server.
Also TELL them, yes use of CAPS is deliberate, that anybody who does not logoff will be banned from working on your site as they are a security risk to your Organization. Get your management involved as this is a basic security principle that is exposing your servers.

I feel that you are putting yourself out unnecessarily over something that should be enforced through policies. An additional control you can add is to enable screen-locks or screensavers during idle times. If these support staff cannot be bothered about security then lock them out.
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1332 total points
ID: 38786495
Create new individual admin users instead of letting them use the builtin administrator, as the builtin user can't be restricted.
Add the individual admin users to the necessary groups for the necessary permissions, and restrict which computers the individual admin users can log on to.

If you have individual usernames instead of common users, you also get tracking possibilities to know who did what, instead of guessing which of the users who know the common user's password it was when something happens.

An additional thing is that you can also use a GPO or local policy to restrict which users can log on to a specific set of computers:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignment
  \Allow log on locally
  \Deny log on locally
0
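Added example, not part of any answer in this thread: one way to script the approach the answers describe, with individual support accounts whose "Log On To" list is limited to the server, plus a check of the local logon rights a workstation actually has applied. The server name `SRV01`, the account names and the group `SQL-Server-Admins` are assumptions; the ActiveDirectory module (RSAT) and an elevated prompt are required.

```powershell
Import-Module ActiveDirectory

# Assumed names, not taken from the thread
$Server    = 'SRV01'
$Group     = 'SQL-Server-Admins'
$Engineers = 'sqlsupport.alice', 'sqlsupport.bob'

# One security group to carry the permissions; what it is granted on the
# server (local admin, SQL roles) is configured separately on that server.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}

foreach ($sam in $Engineers) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pw = Read-Host "Initial password for $sam" -AsSecureString
        New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $pw `
            -ChangePasswordAtLogon $true -Enabled $true
    }

    # Same attribute the "Log On To" button edits: a comma-separated
    # list of computer names the account may log on to.
    Set-ADUser -Identity $sam -LogonWorkstations $Server

    $members = (Get-ADGroupMember -Identity $Group).SamAccountName
    if ($sam -notin $members) {
        Add-ADGroupMember -Identity $Group -Members $sam
    }
}

# Audit: privileged accounts and whether each one has a workstation restriction.
# An empty LogonWorkstations value means the account can log on anywhere.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations, LastLogonDate |
    Select-Object SamAccountName, LogonWorkstations, LastLogonDate

# On a workstation: export the applied user rights and show who is
# allowed or denied local logon after the GPO has been processed.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^Se(Deny)?InteractiveLogonRight'
```

The last command lists SIDs or account names for `SeInteractiveLogonRight` (Allow log on locally) and `SeDenyInteractiveLogonRight` (Deny log on locally), which is a quick way to confirm the policy reached the machine.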
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
ID: 38793429
So it means there is no way I can restrict the user "administrator" of the server to log in only through the SERVER hardware. I even consulted some experts I know locally; they also suggested something similar to me, but I know they won't listen to it. I have already involved my management by sending them an email, CCing management, but there is no response till now, and on Sunday there will be a meeting in which I am going to raise this particular matter again. It looks so unprofessional when a domain user calls me when the administrator is logged in and they don't recall their domain user name.
0
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
ID: 38817854
Well, I was finally able to have a meeting with the developers in the presence of my management. It went on for an hour, and finally they accepted having another account from the server to administer SQL Server. So I am closing this question with the appropriate solutions posted. Thank you all.
0
 
LVL 12

Author Closing Comment

by:ibrahim52
ID: 38830393
Thank you all very much for your valuable responses.
0
