Defining Logon Users-2

certuran (Türkiye) asked:
Hi,

After I implemented the solution from a closed question ( https://www.experts-exchange.com/questions/28120593/Defining-Logon-Users.html ), I met a problem.

For every user I edited the setting ("Active Directory Account Setting - Log On To - This user can log on to - Computer name") by entering his computer's NetBIOS name, so that a user cannot log on to another computer in the domain.

When I did this, users could not use the mail system and other Active Directory authenticated applications.

How could I solve this?
Jim P. (United States of America):

There is a reason this option is rarely used: the list of ten computers needs to include things like the Outlook and SQL servers.

Your first option is to add the servers to the logon list. The other is to abandon the idea.
certuran (ASKER):

What do you mean by the words "ten computers"?
The early incarnations of AD had a window that had only 10 spots to list the computers the user could use.

I hadn't looked at it recently and seen that it had changed.
Is there any way to prevent other domain users from logging on to a computer, other than one or a few defined users? I know there is a way: Local Security Policy. The Domain Guest User can be removed from the "User Rights - Allow log on locally" policy. Doing this, every user must be added to his own computer's local "User Rights" policy one by one. For 1000 computers it is hard work. I do not know what I should do.
I can't find a way of doing it from the domain. It doesn't appear to be a dsmod option.

Do you run any login scripts?

You could put a batch file on each of them that does something like below:

@echo off
rem %USERNAME% holds only the account name; the domain part is in %USERDOMAIN%,
rem so the two are joined before comparing. /I makes the match case-insensitive.
if /I "%USERDOMAIN%\%USERNAME%"=="MyDomain\JDoe" exit
if /I "%USERDOMAIN%\%USERNAME%"=="MyDomain\JSmith" exit
if /I "%USERDOMAIN%\%USERNAME%"=="MyDomain\Admin" exit
if /I "%USERDOMAIN%\%USERNAME%"=="MyDomain\JAdams" exit
rem Nobody on the list matched: end the session.
logoff


I've been working in a world where we host a bunch of companies on our servers, so we have over 100 individual domains, with the largest domain being about 15 servers. So I have set them up with a nightly job that reports into a central repository. They also copy out the files I tell them to.

So if the batch file is named something like %MyCompName%_login.bat, you put it in the All Users\Startup folder, and if they don't match, they are logged off.

I can run a login script. Sorry, I did not understand the system you are suggesting. What settings do you want me to deploy? We have one domain. A person turns on his computer and, when the logon screen comes, types his password and presses Enter. When he leaves his machine alone, another person can come, press Switch User, type a new user account name (a member of the domain) and password, and log on. If any data is on the D: drive, the new person can access it. What I want to do is prevent a second or other domain member from logging on.

So could you please write me a further explanation about the batch (if %username%==MyDomain\Jdoe exit)? Does this mean that if the user name is Jdoe from "my domain", do not accept? There are more than 1000 users in the domain, and increasing. For every authentication on every machine these 1000+ users will be checked in the batch, do you mean this? This paragraph has been like my last flutters :)

You have a central location that has files named like MyComp_Logon.bat that are copied to each computer's local C:\Documents and Settings\All Users\Startup folder. That is based off the computer name.

Now if someone logs on over someone else -- you can have the logon script run each time. You can even have the file copied locally each time.

Now if you are being that secure -- make sure you have a backdoor that allows you to at least logon locally somehow.
What will be inside the batch?
If %username%==MyDomain\JDoe exit ?
I could not understand the method.

The idea is that if they are approved, the batch file will quit before it gets to the last line. If they aren't on the approved list, the logoff command will log them off the computer.

And the way I do it: at the very beginning of a batch where you don't want the users to really see what's going on, I put
@echo off
color 7f
cls

which is white on a gray background.

Now I understand what you mean, sir.
Is there any command line for computers?
For users the structure is If %username%==MyDomain\JDoe exit
Could it be the same for computers:
If %netBIOSName%==MyDomain\Computerxyz exit
I will put this in the user logon script of a user. If the computer does not match, the user will not be able to log on.
But I do not know whether %netBIOSname% is valid or not.
ASKER CERTIFIED SOLUTION
Jim P. (United States of America)
The user logon script solved the question. However, the way is a little bit different. You suggested placing all computers in the batch file, whereas I placed only the computer names the user can log on to.
The Set command is also very useful. Thank you very, very much.
Glad to be of assistance. May all your days get brighter and brighter.
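The thread ends with the asker putting a computer allow-list into each user's logon script, and earlier asking whether %netBIOSName% is a valid variable. The variable Windows actually sets for the machine's NetBIOS name is %COMPUTERNAME% (with no domain prefix), and the account name is split across %USERDOMAIN% and %USERNAME%. The script below is an added example, not Jim P.'s solution or any code from the thread; it combines the two patterns discussed (an exempt-user list and a per-user computer list) into one per-user logon script. The domain, user and computer names, and the log share path, are constructed placeholders.

```batch
@echo off
rem Added example (not from the thread): per-user logon script that ends the
rem session unless the user is exempt or the workstation is on the user's list.
rem Assumes it runs as the user's domain logon script; all names are constructed.
color 7f
cls

rem Constructed allow-list: NetBIOS names of the computers this user may use.
set "ALLOWED_COMPUTERS=WS-JDOE-01 WS-JDOE-02"

rem Constructed exempt list: accounts that may log on to any workstation.
set "EXEMPT_USERS=MYDOMAIN\Admin MYDOMAIN\Helpdesk"

rem Placeholder central log location; replace with a real write-only share.
set "DENY_LOG=\\FILESERVER\logonlog$\denied.log"

rem %USERNAME% is only the account name; the domain comes from %USERDOMAIN%.
set "WHO=%USERDOMAIN%\%USERNAME%"

rem Exempt accounts skip the computer check entirely.
for %%U in (%EXEMPT_USERS%) do (
    if /I "%%U"=="%WHO%" goto :allowed
)

rem %COMPUTERNAME% is the NetBIOS name of the machine being logged on to;
rem it is never written as MyDomain\Computer, so compare the bare name.
for %%C in (%ALLOWED_COMPUTERS%) do (
    if /I "%%C"=="%COMPUTERNAME%" goto :allowed
)

rem No match: record who tried which machine, then end the session.
echo %DATE% %TIME% %WHO% denied on %COMPUTERNAME%>> "%DENY_LOG%"
logoff
exit /b 1

:allowed
rem Approved: continue with the normal logon script (drive maps, etc.) here.
exit /b 0
```

Two points a practitioner should keep in mind. First, a logon script runs only after the user has already authenticated, so it is a convenience control rather than an enforced one; the control the domain actually enforces is the "Allow log on locally" / "Deny log on locally" user right the asker mentioned, and the account's "Log On To" list once the mail and SQL servers are added to it as Jim P. describes. Second, as Jim P. notes, keep an administrative account on the exempt list so a mistake in the computer list cannot lock you out of every workstation.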