  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451

Defining Logon Users-2

Hi,

After I implemented the solution from a closed question ( http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28120593.html ), I ran into a problem.

For every user I edited the setting (Active Directory account setting - "Log On To" - "This user can log on to" - Computer name) by entering his computer's NetBIOS name, so that a user cannot log on to another computer in the domain.

When I did this, users could not use the mail system and other Active Directory-authenticated applications.

Could I solve this?
certuran
Asked:

1 Solution

Jim P.Commented:
There is a reason this option is rarely used: the list of ten computers needs to include things like the Outlook and SQL servers.

Your first option is to add the servers to the logon list. The other is to abandon the idea.
 
certuranAuthor Commented:
What do you mean by the words "ten computers"?
 
Jim P.Commented:
The early incarnations of AD had a window that had only 10 spots to list the computers the user could use.

I hadn't looked at it recently and seen that it had changed.
 
certuranAuthor Commented:
Is there any way to prevent other domain users from logging on to a computer, other than one or a few defined users? I know there is a way: Local Security Policy. Domain Guest User can be removed from the "User Rights - Allow users to log on locally" policy. Doing this, every user must be added to his own computer's local "User Rights" policy one by one. For 1000 computers it is hard work. I do not know what I should do.
 
Jim P.Commented:
I can't find a way of doing it from the domain. It doesn't appear to be a dsmod option.

Do you run any login scripts?

You could put a batch file on each of them that does something like the one below:

If %username%==MyDomain\JDoe exit
If %username%==MyDomain\JSmith exit
If %username%==MyDomain\Admin exit
If %username%==MyDomain\JAdams exit
logoff


I've been working in a world where we host a bunch of companies on our servers, so we have over 100 individual domains, with the largest domain being about 15 servers. So I have set them up with a nightly job that reports into a central repository. They also copy out the files I tell them to.

So the batch file is named something like %MyCompName%_login.bat. You put it in All Users\Startup, and if they don't match then they are logged off.
 
certuranAuthor Commented:
I can run a login script. Sorry, I did not understand the system that you are suggesting. What settings do you want me to deploy? We have one domain. A person turns on his computer and, when the logon screen comes, types his password and presses Enter. When he leaves his machine alone, another person can come, press Switch User, type a new user account name (a member of the domain), type the password and log on. If any data is on the D: drive, the new person can access it. What I want to do is prevent a second or other domain member from logging on. So could you please write me a further explanation of the batch (if %username%==MyDomain\Jdoe exit)? This means that if the user name is Jdoe from "my domain", do not accept? There are more than 1000 users in the domain, and increasing. For every authentication on every machine these 1000+ users will be checked in the batch, do you mean this? This paragraph has been like my last flutters :)
 
Jim P.Commented:
You have a central location that has files named like MyComp_Logon.bat that are copied to each computer's local C:\Documents and Settings\All Users\Startup folder. That is based off the computer name.

Now if someone logs on over someone else -- you can have the logon script run each time. You can even have the file copied locally each time.

Now if you are being that secure -- make sure you have a backdoor that allows you to at least logon locally somehow.
 
certuranAuthor Commented:
What will be inside the batch?
If %username%==MyDomain\JDoe exit ?
I could not understand the method.
 
Jim P.Commented:
The idea is that if they are approved the batch file will quit before it gets to the last line. If they aren't on the approved list the logoff command will log them off the computer.

And the way I do it is that at the very beginning of a batch where you don't want the users to really see what's going on, I put
@echo off
color 7f
cls


which is white on a gray  background.
 
certuranAuthor Commented:
Now I understand what you mean, sir.
Is there any command line for computers?
For users the structure is If %username%==MyDomain\JDoe exit
Could it be the same for computers?
If %netBIOSName%==MyDomain\Computerxyz exit
I will put this in the logon script of a user. If the computer does not match, the user will not be able to log on.
But I do not know whether %netBIOSname% is valid or not.
 
Jim P.Commented:
It would be:
@echo off
color 7f
cls
If %COMPUTERNAME%==MyComputer1 exit
If %COMPUTERNAME%==MyComputer2 exit
If %COMPUTERNAME%==MyComputer3 exit
logoff


And I realized that I made an error in the previous post.

It would be:
if %USERDOMAIN%%USERNAME%==MyDomainJDoe exit


I forgot that the domain and the userid aren't concatenated. But if you want to see the variables that are available just open a command prompt and type set.
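As an added example (not Jim's script or anything posted in this thread), this combines the corrected %USERDOMAIN%\%USERNAME% comparison with the per-computer file kept in a central location: instead of editing a batch file every time a user is added, the script reads an allow list named after the computer from a share and logs off anyone who is not listed. The share path \\FILESRV\LogonLists and the break-glass account MyDomain\Admin are placeholders to adapt.

```batch
@echo off
setlocal
rem Added example, not from the thread. A per-computer allow list is kept
rem centrally: \\FILESRV\LogonLists\<COMPUTERNAME>.txt holds one DOMAIN\user
rem per line. FILESRV, LogonLists and MyDomain\Admin are placeholders.
set "LISTDIR=\\FILESRV\LogonLists"
set "ME=%USERDOMAIN%\%USERNAME%"
set "BREAKGLASS=MyDomain\Admin"
set "LIST=%LISTDIR%\%COMPUTERNAME%.txt"

rem The break-glass admin is always allowed, so a missing or mistyped list
rem can never lock an administrator out of the machine.
if /i "%ME%"=="%BREAKGLASS%" exit /b 0

rem No list for this computer: fail closed and log off.
if not exist "%LIST%" goto deny

rem /x whole line, /i case-insensitive, /c: literal string (so the backslash
rem in DOMAIN\user is not read as a regular-expression escape).
findstr /x /i /c:"%ME%" "%LIST%" >nul 2>&1
if not errorlevel 1 exit /b 0

:deny
rem Append the refusal to a central log so unexpected logon attempts are
rem visible in one place before the session is ended.
>>"%LISTDIR%\refused.log" echo %date% %time% %COMPUTERNAME% %ME% 2>nul
logoff
```

Because the script runs inside the user's own session after logon has already succeeded, treat it as a convenience on top of the "Log On To" attribute and the "Allow log on locally" user right mentioned earlier in the thread, not as a replacement for them.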
 
certuranAuthor Commented:
The user logon script solved the question. However, the way is a little bit different: you suggested placing all computers in the batch file, whereas I placed only the computer names which the user can log on to.
The set command is also very useful. Thank you very, very much.
 
Jim P.Commented:
Glad to be of assistance. May all your days get brighter and brighter.
