Solved

Defining Logon Users-2

Posted on 2013-05-11
Last Modified: 2013-05-24
Hi,

After I implemented the solution from a closed question ( http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28120593.html ), I met a problem.

For every user I edited the setting "Active Directory Account Setting - Log On To - This user can log on to - Computer name" by entering his computer's NetBIOS name, so that a user cannot log on to another computer in the domain.

When I did this, users could not use the mail system and other Active Directory authenticated applications.

How can I solve this?
Question by:certuran
13 Comments

Expert Comment

by:Jim P.
ID: 39159127
There is a reason this option is rarely used: the list of ten computers needs to include things like the Outlook and SQL servers.

Your first option is to add the servers to the logon list. The other is to abandon the idea.
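The first option above, done centrally instead of through each account's "Log On To" dialog, as an added example that is not from this thread. It uses the ActiveDirectory PowerShell module's Set-ADUser -LogonWorkstations parameter, which writes the same userWorkstations attribute the dialog edits, and appends the shared servers that authenticate users on their behalf to every user's list. The user names, workstation names and the server names MAIL01 and SQL01 are assumptions.

```powershell
# Added example (not the thread's own code): set a user's "Log On To" list
# with PowerShell and always include the servers that authenticate the user
# on its behalf (mail, SQL), as recommended above.
# Requires the ActiveDirectory module (RSAT). All names are assumptions.
Import-Module ActiveDirectory

# Servers every restricted user still needs to reach. The "Log On To" check is
# evaluated against the computer the authentication request arrives from, so a
# mail or database server left off the list makes those applications fail.
$SharedServers = @('MAIL01', 'SQL01')

function Set-AllowedWorkstations {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Workstations
    )
    # userWorkstations is a single comma-separated string of NetBIOS names;
    # merge the user's own computers with the shared servers, deduplicated.
    $list = ($Workstations + $SharedServers | Sort-Object -Unique) -join ','
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $list

    # Read the attribute back so the change can be verified.
    Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# One workstation per user (assumed names). Extend the array for users who
# legitimately need a second machine.
$Assignments = @{
    'jdoe'   = @('PC-JDOE')
    'jsmith' = @('PC-JSMITH')
}

foreach ($user in $Assignments.Keys) {
    Set-AllowedWorkstations -SamAccountName $user -Workstations $Assignments[$user]
}

# To remove the restriction from an account again:
# Set-ADUser -Identity jdoe -Clear userWorkstations
```

Run it from an account that may modify user objects. The domain controller compares this list with the computer name carried in the authentication request, so a user reaching Exchange or SQL through the server is checked against the server's name, not the desktop's. That is why a server missing from the list breaks the application while the interactive logon on the permitted workstation still works, which matches the symptom in the question.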
 

Author Comment

by:certuran
ID: 39172505
What do you mean by the words "ten computers"?

Expert Comment

by:Jim P.
ID: 39172540
The early incarnations of AD had a window with only 10 spots to list the computers the user could use.

I hadn't looked at it recently and hadn't seen that it had changed.


Author Comment

by:certuran
ID: 39172622
Is there any way to prevent other domain users from logging on to a computer, other than one or a few defined users? I know there is a way: Local Security Policy. Domain Guest User can be removed from the "User Rights - Allow log on locally" policy. Doing this, every user must be added to his own computer's local "User Rights" policy one by one. For 1000 computers it is hard work. I do not know what I should do.

Expert Comment

by:Jim P.
ID: 39176577
I can't find a way of doing it from the domain. It doesn't appear to be a dsmod option.

Do you run any login scripts?

You could put a batch file on each of them that does something like below:

    If %username%==MyDomain\JDoe exit
    If %username%==MyDomain\JSmith exit
    If %username%==MyDomain\Admin exit
    If %username%==MyDomain\JAdams exit
    logoff

I've been working in a world where we host a bunch of companies on our servers, so we have over 100 individual domains, with the largest domain being about 15 servers. So I have set them up with a nightly job that reports into a central repository. They also copy out the files I tell them to.

So the batch file is named something like %MyCompName%_login.bat. You put it in All Users\Startup, and if they don't match they are logged off.
 

Author Comment

by:certuran
ID: 39176992
I can run a login script. Sorry, I did not understand the system that you are suggesting. What settings do you want me to deploy? We have 1 domain.

A person turns on his computer and, when the logon screen comes, types his password and presses Enter. When he leaves his machine alone, another person can come, press "Switch user", type a new user account name (a member of the domain) and password, and log on. If any data is on the D: drive, the new person can access it. What I want to do is prevent the second or other domain members from logging on.

So could you please give me a further explanation of the batch (if %username%==MyDomain\Jdoe exit)? This means that if the user name is Jdoe from "my domain", do not accept it. There are more than 1000 users in the domain, and the number is increasing. For every authentication on every machine these 1000+ users will be checked in the batch; is that what you mean? This paragraph has been like my last flutters :)

Expert Comment

by:Jim P.
ID: 39179796
You have a central location with files named like MyComp_Logon.bat that are copied to each computer's local C:\Documents and Settings\All Users\Startup folder. That is based off the computer name.

Now if someone logs on over someone else, you can have the logon script run each time. You can even have the file copied locally each time.

Now if you are being that secure, make sure you have a backdoor that allows you to at least log on locally somehow.
 

Author Comment

by:certuran
ID: 39192738
What will be inside the batch?

    If %username%==MyDomain\JDoe exit ?

I could not understand the method.

Expert Comment

by:Jim P.
ID: 39192757
The idea is that if they are approved, the batch file will quit before it gets to the last line. If they aren't on the approved list, the logoff command will log them off the computer.

And the way I do it is that at the very beginning of a batch where you don't want the users to really see what's going on, I put

    @echo off
    color 7f
    cls

which is white on a gray background.
 

Author Comment

by:certuran
ID: 39193569
Now I understand what you mean, sir.
Is there any command line for computers?
For users the structure is If %username%==MyDomain\JDoe exit
Could it be the same for computers?
If %netBIOSName%==MyDomain\Computerxyz exit
I will put this in the user logon script of a user. If the computer does not match, the user will not be able to log on.
But I do not know whether %netBIOSname% is valid or not.

Accepted Solution

by:
Jim P. earned 2000 total points
ID: 39194761
It would be:

    @echo off
    color 7f
    cls
    REM Quit (and leave the user logged on) if this is one of the allowed computers.
    REM %COMPUTERNAME% is stored in upper case, so /I makes the comparison
    REM case-insensitive like NetBIOS names; quoting keeps it valid with spaces.
    if /I "%COMPUTERNAME%"=="MyComputer1" exit
    if /I "%COMPUTERNAME%"=="MyComputer2" exit
    if /I "%COMPUTERNAME%"=="MyComputer3" exit
    REM Not on the list: end the session.
    logoff

And I realized that I made an error in the previous post.

It would be:

    if /I "%USERDOMAIN%\%USERNAME%"=="MyDomain\JDoe" exit

I forgot that the domain and the user ID aren't concatenated. But if you want to see the variables that are available, just open a command prompt and type set.
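The accepted script as a PowerShell logon script, added here as an example and not part of the thread. Assigned per user, the way the asker ended up using it, it lists only the computers that user may use, compares them with $env:COMPUTERNAME, records the attempt, and logs the session off otherwise. The computer names, the event source name LogonRestriction and the fallback log path are assumptions.

```powershell
# Added example (not the thread's own script): per-user logon script that
# ends the session when the user logs on to a computer that is not on the
# user's list. Computer names and the log source are assumptions.
$AllowedComputers = @('MYCOMPUTER1', 'MYCOMPUTER2', 'MYCOMPUTER3')

function Test-AllowedComputer {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    # NetBIOS names are case-insensitive, and -contains compares strings
    # case-insensitively by default, so 'mycomputer1' matches 'MYCOMPUTER1'.
    return ($Allowed -contains $ComputerName)
}

if (-not (Test-AllowedComputer -ComputerName $env:COMPUTERNAME -Allowed $AllowedComputers)) {
    $msg = "$env:USERDOMAIN\$env:USERNAME logged on to $env:COMPUTERNAME, " +
           "which is not on the allowed list; logging off."

    # Leave a trace for the administrator. Writing to the Application log with a
    # custom source only works once that source has been registered (an admin
    # runs New-EventLog -LogName Application -Source LogonRestriction), so fall
    # back to a text file in the user's profile when it is not.
    try {
        Write-EventLog -LogName Application -Source 'LogonRestriction' `
            -EventId 1000 -EntryType Warning -Message $msg -ErrorAction Stop
    } catch {
        Add-Content -Path "$env:TEMP\logon-restriction.log" `
            -Value "$(Get-Date -Format s) $msg"
    }

    # Same effect as the logoff command in the batch version.
    logoff.exe
}
```

Set it as the user's logon script (the Profile tab of the account, or a user logon script in Group Policy) so it runs at every logon, including a "Switch user" logon over an existing session. One caveat the thread leaves out: a logon script runs inside a session the domain controller has already authorised, under the user's own token, so by the time it runs the account already has whatever access it is granted to the D: drive; it is a convenience control on top of the "Log On To" attribute or the "Deny log on locally" user right, not a replacement for them.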
 

Author Closing Comment

by:certuran
ID: 39195434
The user logon script solved the question. However, the approach is a little different: you suggested placing all computers in the batch file, whereas I placed only the computer names the user is allowed to log on to.
The set command is also very useful. Thank you very, very much.

Expert Comment

by:Jim P.
ID: 39195572
Glad to be of assistance. May all your days get brighter and brighter.