Solved

Defining Logon Users-2

Posted on 2013-05-11
440 Views
Last Modified: 2013-05-24
Hi,

After I implemented the solution from a closed question ( http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28120593.html ), I ran into a problem.

For every user I edited the setting ("Active Directory Account Setting - Log On To - This user can log on to - Computer name") by entering his computer's NetBIOS name, so that a user cannot log on to another computer in the domain.

When I did this, users could not use the mail system and other Active Directory authenticated applications.

Could I solve this?
Question by:certuran
13 Comments
 
LVL 38

Expert Comment

by:Jim P.
ID: 39159127
There is a reason this option is rarely used: the list of ten computers needs to include things like the Outlook and SQL servers.

Your first option is to add the servers to the logon list. The other is to abandon the idea.
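The first option above (keep the "Log on To" list but add the servers that authenticate the user to it) can be scripted with the Active Directory PowerShell module. This is an added example, not code from the thread; the server and user names are assumed placeholders, and the CSV layout in the comment is an assumption as well.

```powershell
# Added example: set a user's "Log on To" list to his own workstation plus the
# servers that authenticate him (mail, SQL, ...) so domain-authenticated
# applications keep working. Names below are assumed placeholders.
Import-Module ActiveDirectory

# Servers every restricted user still needs to authenticate against (assumed names).
$SharedServers = @('MAILSERVER1', 'SQLSERVER1')

function New-LogonWorkstationList {
    param(
        [Parameter(Mandatory)][string]$UserWorkstation,
        [string[]]$Servers = $SharedServers
    )
    # LogonWorkstations takes one comma-separated string of NetBIOS names.
    # Upper-case and deduplicate so repeated runs are idempotent.
    $names = @($UserWorkstation) + $Servers |
        ForEach-Object { $_.ToUpperInvariant() } |
        Select-Object -Unique
    return ($names -join ',')
}

function Set-RestrictedLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserWorkstation
    )
    $list = New-LogonWorkstationList -UserWorkstation $UserWorkstation
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $list
    # Read the attribute back so the change can be verified.
    Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# Bulk use from a CSV with columns SamAccountName,Workstation (assumed layout):
# Import-Csv .\users.csv | ForEach-Object { Set-RestrictedLogon $_.SamAccountName $_.Workstation }
Set-RestrictedLogon -SamAccountName 'jdoe' -UserWorkstation 'PC-JDOE'
```

Every time a new authenticating server is added, every restricted user's list has to be updated again, which is the maintenance cost the comment above refers to.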
 

Author Comment

by:certuran
ID: 39172505
What do you mean by the words "ten computers"?
 
LVL 38

Expert Comment

by:Jim P.
ID: 39172540
The early incarnations of AD had a window that had only 10 spots to list the computers the user could use.

I hadn't looked at it recently and seen that it had changed.

 

Author Comment

by:certuran
ID: 39172622
Is there any way to prevent other domain users from logging on to a computer, other than one or a few defined users? I know there is a way: Local Security Policy. Domain Guest User can be removed from the "User Rights - Allow log on locally" policy. Doing this, every user must be added to his own computer's local "User Rights" policy one by one. For 1000 computers it is hard work. I do not know what I should do.
 
LVL 38

Expert Comment

by:Jim P.
ID: 39176577
I can't find a way of doing it from the domain. It doesn't appear to be a dsmod option.

Do you run any login scripts?

You could put a batch file on each of them that does something like below:

If %username%==MyDomain\JDoe exit
If %username%==MyDomain\JSmith exit
If %username%==MyDomain\Admin exit
If %username%==MyDomain\JAdams exit
logoff



I've been working in a world where we host a bunch of companies on our servers, so we have over 100 individual domains, with the largest domain being about 15 servers. So I have set them up with a nightly job that reports into a central repository. They also copy out the files I tell them to.

So the batch file is named something like %MyCompName%_login.bat. You put it in All Users\Startup and if they don't match then they are logged off.
 

Author Comment

by:certuran
ID: 39176992
I can run a login script. Sorry, I did not understand the system that you are suggesting. What settings do you want me to deploy? We have 1 domain. A person turns on his computer and, when the logon screen comes, types his password and presses enter. When he leaves his machine alone, another person can come, press "switch user", type a new user account name (member of the domain), type the password and log on. If any data is included on the D: drive, the new person can access it. What I want to do is prevent a second or other domain members from logging on. So could you please write me a further explanation about the batch (if %username%==MyDomain\Jdoe exit)? This means that if user name=Jdoe from "my domain", do not accept? There are more than 1000 users in the domain, and increasing. For every authentication on every machine these 1000+ users will be checked in the batch, do you mean this? This paragraph has been like my last flutters :)
 
LVL 38

Expert Comment

by:Jim P.
ID: 39179796
You have a central location that has files named like MyComp_Logon.bat that are copied to each computer's local C:\Documents and Settings\All Users\Startup folder. That is based off the computer name.

Now if someone logs on over someone else -- you can have the logon script run each time. You can even have the file copied locally each time.

Now if you are being that secure -- make sure you have a backdoor that allows you to at least logon locally somehow.
 

Author Comment

by:certuran
ID: 39192738
What will be inside the batch
If %username%==MyDomain\JDoe exit ?
I could not understand the method.
 
LVL 38

Expert Comment

by:Jim P.
ID: 39192757
The idea is that if they are approved the batch file will quit before it gets to the last line. If they aren't on the approved list the logoff command will log them off the computer.

And the way I do it is: at the very beginning of a batch where you don't want the users to really see what's going on, I put
@echo off
color 7f
cls


which is white on a gray background.
 

Author Comment

by:certuran
ID: 39193569
Now I understand what you mean, sir.
Is there any command line for computers?
For users the structure is If %username%==MyDomain\JDoe exit
Could it be the same for computers?
If %netBIOSName%==MyDomain\Computerxyz exit
I will put this in the user logon script of a user. If the computer does not match, the user will not be able to log on.
But I do not know whether %netBIOSname% is valid or not.
 
LVL 38

Accepted Solution

by:
Jim P. earned 500 total points
ID: 39194761
It would be:
@echo off
color 7f
cls
rem /i makes the comparison case-insensitive (COMPUTERNAME is normally upper case);
rem the quotes keep the test valid if the variable is empty or contains spaces.
if /i "%COMPUTERNAME%"=="MyComputer1" exit
if /i "%COMPUTERNAME%"=="MyComputer2" exit
if /i "%COMPUTERNAME%"=="MyComputer3" exit
rem Not an approved computer: end the session.
logoff



And I realized that I made an error in the previous post.

It would be:
rem Domain and user name are simply concatenated; /i ignores letter case.
if /i "%USERDOMAIN%%USERNAME%"=="MyDomainJDoe" exit




I forgot that the domain and the userid aren't concatenated. But if you want to see the variables that are available just open a command prompt and type set.
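The same per-user check, written as a PowerShell logon script and extended with an audit line so the help desk can see who tried to use an unapproved machine. This is an added example, not the script from the accepted answer; the computer names and the audit share path are assumed placeholders.

```powershell
# Added example: per-user logon script that lets the session continue only on the
# user's approved computers and otherwise logs it off, recording the attempt first.
# Computer names below are assumed placeholders; replace with the real NetBIOS names.
$AllowedComputers = @('MYCOMPUTER1', 'MYCOMPUTER2', 'MYCOMPUTER3')

function Test-AllowedComputer {
    param(
        [string[]]$Allowed,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # -contains compares case-insensitively, so "MyComputer1" and "MYCOMPUTER1" match
    # (the batch "==" test in the thread is case-sensitive unless "if /i" is used).
    return [bool]($Allowed -contains $ComputerName)
}

function Write-LogonAudit {
    param([string]$Message)
    # Assumed central share; give users write-only access so entries cannot be read or altered.
    $logPath = '\\FILESERVER\logonaudit$\logons.log'
    $line = '{0} {1}\{2} on {3}: {4}' -f (Get-Date -Format s),
        $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, $Message
    # Never block the logon because the share is unreachable.
    try { Add-Content -Path $logPath -Value $line -ErrorAction Stop } catch { }
}

if (Test-AllowedComputer -Allowed $AllowedComputers) {
    Write-LogonAudit 'allowed'
} else {
    Write-LogonAudit 'not approved, logging off'
    # logoff.exe ends the interactive session, like the last line of the batch version.
    & "$env:SystemRoot\System32\logoff.exe"
}
```

Because the script runs under the user's own account after authentication has already succeeded, it controls the session only and does not restrict authentication the way the "Log on To" attribute does; the audit log is what tells you how often the check fires.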
 

Author Closing Comment

by:certuran
ID: 39195434
The user logon script solved the question. However, the way is a little bit different: you suggested placing all computers in the batch file, whereas I placed only the computer names which the user can log on to.
The set command is also very useful. Thank you very, very much.
 
LVL 38

Expert Comment

by:Jim P.
ID: 39195572
Glad to be of assistance. May all your days get brighter and brighter.