Solved

Defining Logon Users-2

Posted on 2013-05-11
429 Views
Last Modified: 2013-05-24
Hi,

After I implemented the solution from a closed question ( http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28120593.html ), I ran into a problem.

For every user I edited the setting ("Active Directory Account Settings - Log On To - This user can log on to - Computer name") by entering his computer's NetBIOS name, so that a user cannot log on to another computer in the domain.

When I did this, users could not use the mail system and other Active Directory authenticated applications.

Could I solve this?
0
Question by:certuran
13 Comments
 
LVL 38

Expert Comment

by:Jim P.
ID: 39159127
There is a reason this option is rarely used: the list of ten computers needs to include things like the Outlook and SQL servers.

Your first option is to add the servers to the logon list. The other is to abandon the idea.
0
 

Author Comment

by:certuran
ID: 39172505
What do you mean by the words "ten computers"?
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39172540
The early incarnations of AD had a window that had only 10 spots to list the computers the user could use.

I hadn't looked at it recently and hadn't seen that it had changed.
0
 

Author Comment

by:certuran
ID: 39172622
Is there any way to prevent other domain users from logging on to a computer, other than 1 or a few defined users? I know there is a way: Local Security Policy. Domain Guest Users can be removed from the "User Rights - Allow log on locally" policy. Doing this, every user must be added to his own computer's local "User Rights" policy one by one. For 1000 computers it is hard work. I do not know what I should do.
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39176577
I can't find a way of doing it from the domain. It doesn't appear to be a dsmod option.

Do you run any login scripts?

You could put a batch file on each of them that does something like the below:

If %username%==MyDomain\JDoe exit
If %username%==MyDomain\JSmith exit
If %username%==MyDomain\Admin exit
If %username%==MyDomain\JAdams exit
logoff

I've been working in a world where we host a bunch of companies on our servers, so we have over 100 individual domains, with the largest domain being about 15 servers. So I have set them up with a nightly job that reports into a central repository. They also copy out the files I tell them to.

So the batch file is named something like %MyCompName%_login.bat. You put it in All Users\Startup, and if they don't match then they are logged off.
0
 

Author Comment

by:certuran
ID: 39176992
I can run a login script. Sorry, I did not understand the system that you are suggesting. What settings do you want me to deploy? We have 1 domain. A person turns on his computer and, when the logon screen comes, types his password and presses Enter. When he leaves his machine alone, another person can come and press "Switch User", type a new user account name (a member of the domain), type the password and log on. If any data is on the D: drive, the new person can access it. What I want to do is prevent a second or other domain member from logging on. So could you please write me a further explanation about the batch (if %username%==MyDomain\Jdoe exit)? This means that if the user name is Jdoe from "my domain", do not accept? There are more than 1000 users in the domain, and increasing. For every authentication on every machine these 1000+ users will be checked in the batch, do you mean this? This paragraph has been like my last flutters :)
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39179796
You have a central location that has files named like MyComp_Logon.bat that are copied to each computer's local C:\Documents and Settings\All Users\Startup folder. That is based off the computer name.

Now if someone logs on over someone else -- you can have the logon script run each time. You can even have the file copied locally each time.

Now if you are being that secure -- make sure you have a backdoor that allows you to at least logon locally somehow.
0
 

Author Comment

by:certuran
ID: 39192738
What will be inside the batch
If %username%==MyDomain\JDoe exit ?
I could not understand the method.
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39192757
The idea is that if they are approved the batch file will quit before it gets to the last line. If they aren't on the approved list the logoff command will log them off the computer.

And the way I do it is, at the very beginning of a batch where you don't want the users to really see what's going on, I put
@echo off
color 7f
cls

which is white on a gray background.
0
 

Author Comment

by:certuran
ID: 39193569
Now I understand what you mean, sir.
Is there any command-line variable for computers?
For users the structure is If %username%==MyDomain\JDoe exit
Could it be the same for computers:
If %netBIOSName%==MyDomain\Computerxyz exit
I will put this in the user logon script of a user. If the computer does not match, the user will not be able to log on.
But I do not know whether %netBIOSname% is valid or not.
0
 
LVL 38

Accepted Solution

by: Jim P. earned 500 total points
ID: 39194761
It would be:
@echo off
color 7f
cls
if /i "%COMPUTERNAME%"=="MyComputer1" exit
if /i "%COMPUTERNAME%"=="MyComputer2" exit
if /i "%COMPUTERNAME%"=="MyComputer3" exit
logoff


And I realized that I made an error in the previous post.

It would be:
if /i "%USERDOMAIN%%USERNAME%"=="MyDomainJDoe" exit

I forgot that the domain and the userid aren't concatenated. But if you want to see the variables that are available just open a command prompt and type set.
0
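The same logoff-if-not-approved idea, written here as an added example that is not code from the thread: instead of one hard-coded "if ... exit" line per user or computer, the script looks the current DOMAIN\user up in one allow-list file per computer, so a single script serves every PC and the 1000+ users the asker worried about; the asker's final variant (a per-user list of permitted computers) is the same lookup with the roles swapped. The share \\FILESERVER\LogonLists, the break-glass account name and the event IDs are placeholders.

```batch
@echo off
rem Added example, not code from the thread: logoff-if-not-approved driven by
rem one allow-list file per computer instead of hard-coded "if ... exit" lines.
rem Assumptions (placeholders): share \\FILESERVER\LogonLists holding one file
rem per computer named <COMPUTERNAME>.txt with one DOMAIN\user per line, a
rem break-glass account MYDOMAIN\BreakGlassAdmin, and event IDs 900/901.
setlocal
set "LIST=\\FILESERVER\LogonLists\%COMPUTERNAME%.txt"
set "ME=%USERDOMAIN%\%USERNAME%"

rem The break-glass account is always admitted so admins cannot lock
rem themselves out of the whole estate with a bad list.
if /i "%ME%"=="MYDOMAIN\BreakGlassAdmin" exit /b 0

rem If the list is unreachable (share down, PC not yet listed) do not log every
rem user off every machine; record it (best effort) and let the logon proceed.
if not exist "%LIST%" (
    eventcreate /L APPLICATION /T WARNING /ID 900 /D "Logon allow-list %LIST% not readable; logon permitted" >nul 2>&1
    exit /b 0
)

rem /i  case-insensitive: USERNAME keeps the case the user typed at logon
rem /x  whole-line match, so MYDOMAIN\JDoe does not also admit MYDOMAIN\JDoe2
rem /l  literal string, so the backslash is not treated as a regex escape
findstr /i /x /l /c:"%ME%" "%LIST%" >nul 2>&1
if errorlevel 1 (
    eventcreate /L APPLICATION /T WARNING /ID 901 /D "%ME% is not on the allow-list for %COMPUTERNAME%; logging off" >nul 2>&1
    logoff
)
endlocal
```

Because the script runs inside the user's own session after logon, it is a convenience control rather than a security boundary; the Security log's 4624/4647 events remain the authoritative record of who logged on where. The "Log On To" attribute and the "Allow log on locally" right from the question are enforced by the domain controller and the local LSA and are the proper enforcement points.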
 

Author Closing Comment

by:certuran
ID: 39195434
The user logon script solved the question. However, the way is a little bit different: you suggested placing all computers in the batch file, whereas I placed only the computer names the user can log on to.
The set command is also very useful. Thank you very very much.
0
 
LVL 38

Expert Comment

by:Jim P.
ID: 39195572
Glad to be of assistance. May all your days get brighter and brighter.
0
