Solved

Username bind to computername

Posted on 2013-01-16
Medium Priority
281 Views
Last Modified: 2013-01-29
According to the title, my question is really simple. Is there any way I can restrict a username to its fixed computer? Actually, in my network there are some SQL developers and they simply log in with administrator on domain users' PCs, and I really want to restrict it, because once they leave the PC I have to rush again to log in with the actual domain user information.
0
Question by:ibrahim52
11 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38783718
In the Account tab of the user in Active Directory Users and Computers you can use the "Log On To" setting to restrict what computers that account can log on to.

Thanks

Mike
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38783738
The logon workstation attributes cannot be changed on this object, it says.
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38783747
I need to restrict the administrator user, as I specified in my question.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38783792
Is this account in the domain admins group?
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1332 total points
ID: 38784803
Why are the SQL developers running around with the domain's builtin administrator user account?
Change the password and put it into a safe place and give them individual users instead of using the domain's builtin administrator user.
0
 
LVL 12

Author Comment

by:ibrahim52
ID: 38785840
Actually, it is only one server in the company, and those SQL developers are support providers for the accounting application we are using. Sometimes they need full administration privileges to install patches or run setup on domain users' computers, and if I am not around, they simply log off and log in with the administrator username.

Once they are done, they leave the PC as it is. It has become a bit annoying for me, and that is why I was wondering if the "administrator" username can be limited to the server hardware.
0
 
LVL 26

Accepted Solution

by:Leon Fester
Leon Fester earned 668 total points
ID: 38786485
If you're running AD and Windows OS then you always have 2 administrator accounts.
One is the local machine administrator account (which exists on ALL servers or workstations)
The other is the Domain Administrator account.
Both accounts are called administrator.

The easiest way to figure out which administrator account is logged on is to run whoami at the command prompt.

Firstly, change the password of the local administrator account.
I'd suggest changing the Domain Administrator password too.
You can do this through group policy if you have many machines.

Create individual logins for each engineer and assign permissions to this server ONLY.

This way you can trace who was working on the server.
Also TELL them, yes use of CAPS is deliberate, that anybody who does not log off will be banned from working on your site as they are a security risk to your Organization. Get your management involved as this is a basic security principle that is exposing your servers.

I feel that you are putting yourself out unnecessarily over something that should be enforced through policies. Additional controls you can add are to enable screen-locks or screensavers during idle times. If these support staff cannot be bothered about security then lock them out.
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1332 total points
ID: 38786495
Create new individual admin users instead of letting them use the builtin administrator, as the builtin user can't be restricted.
Add the individual admin users to the necessary groups for the necessary permissions, and restrict which computers the individual admin users can log on to.

If you have individual usernames instead of common users, you also get tracking possibilities to know who did what, instead of guessing which of the users knowing the common user's password it was when something happens.

An additional thing is that you can also use GPO or local policy to restrict what users can log on to a specific set of computers:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignment
  \Allow log on locally
  \Deny log on locally
0
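As an added example (not part of the original thread), the approach in this answer can be scripted with the ActiveDirectory PowerShell module: per-person admin accounts restricted with the "Log On To" setting, plus a check on whether the shared built-in account is still in use. The server, account and group names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# SRV-ACCT01, vendor-* and SQL-Vendor-Admins are hypothetical names: replace them.
Import-Module ActiveDirectory

$AllowedComputers = 'SRV-ACCT01'                  # comma-separated list for more than one
$Engineers        = 'vendor-alice', 'vendor-bob'  # one account per support engineer
$AdminGroup       = 'SQL-Vendor-Admins'           # existing group holding the needed rights

$currentMembers = (Get-ADGroupMember -Identity $AdminGroup).SamAccountName

foreach ($sam in $Engineers) {
    # Create the individual account only if it does not exist yet
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pw = Read-Host "Initial password for $sam" -AsSecureString
        New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $pw `
                   -ChangePasswordAtLogon $true -Enabled $true
    }

    # Same effect as "Log On To" on the Account tab (userWorkstations attribute)
    Set-ADUser -Identity $sam -LogonWorkstations $AllowedComputers

    if ($currentMembers -notcontains $sam) {
        Add-ADGroupMember -Identity $AdminGroup -Members $sam
    }
}

# Report: every user in the admin group and where it is allowed to log on
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName, Enabled,
        @{ n = 'LogOnTo'; e = { if ($_.LogonWorkstations) { $_.LogonWorkstations }
                                else { 'ANY COMPUTER' } } }

# The built-in domain Administrator (RID 500) cannot be restricted this way,
# so after changing its password, watch whether it is still being used.
Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet |
    Where-Object { $_.SID.Value -like '*-500' } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet
```

A `LastLogonDate` on the RID 500 account that is later than its `PasswordLastSet` means someone still knows and uses the shared password.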
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
ID: 38793429
So it means there is no way I can restrict the user "administrator" of the server to log in only through the SERVER hardware. I even consulted some experts I know locally; they also suggested something similar, but I know they won't listen to it. I have already involved my management by sending them an email with management in CC, but there is no response till now, and on Sunday there will be a meeting in which I am going to raise this particular matter again. It looks so unprofessional when a domain user calls me when the administrator is logged in and they don't recall their domain user name.
0
 
LVL 12

Assisted Solution

by:ibrahim52
ibrahim52 earned 0 total points
ID: 38817854
Well, I was finally able to have a meeting with the developers in the presence of my management. It went on for an hour and finally they accepted having another account from the server to administer SQL Server. So I am closing this question with the appropriate solutions posted. Thank you all.
0
 
LVL 12

Author Closing Comment

by:ibrahim52
ID: 38830393
Thank you very much to all for your valuable responses.
0

Question has a verified solution.