Solved

Restrict logon from non domain machine to only one user

Posted on 2013-10-30
7
544 Views
Last Modified: 2013-11-11
Hello everybody,

we have a customer with several Windows XP machines and 2 windows 2008 Servers.

The customer has his own LAN with his own domain, let's say customer.domain, and GPO's in place and everything works fine.

This customer has to work from some computers that do not belong to his domain nor to his LAN. These new computers belong to another domain, let's say external.domain, and we can't modify anything from them. These computers are shared with a lot of people from different companies.

Customer.domain and external.domain are in the same building so we setup a FO link between our Firewalls and opened some ports to allow logon from external.domain machines to customer.domain so that they can access to the shared resources of customer.domain from external.domain. Again everything is working fine. Now comes the issue.

In our customer.domain there are some users with extremely simple passwords, something like 123456, and forcing them to change the passwords is not an option.

We'd like to restrict the login from external.domain to customer.domain to only one user who will have a complicated password. Also, we'd like this user to autodisconnect every 60 minutes so that they need to retype the password to gain access to customer.domain.

Is there a way to setup something like this?

Thank you!

David.
0
Question by:dbalcells
7 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39612412
Hi.

Yes you can. You need to change a default setting. By default, EVERY account may log on from anywhere. Limit this to a known list of computers for all but your one account. That's all.
It is done here: [Screenshot] Please note that this change can be deployed to all accounts very easily in ADUC: select all accounts and right click them to select properties and there you go.

> Also, we'd like this user to autodisconnect every 60 minutes so that they need to retype the password
Difficult. Logon hours can be set and resource disconnection can be configured, but not like you want it with interrupts.
0
 

Author Comment

by:dbalcells
ID: 39621230
Hi McKnife,

I tried your proposed solution and it kind of does the trick, however after clicking on Log On To we have to type all the computers one by one. We tried using domain's computers group but it doesn't work.

Looks like we're forced to introduce every single computer we want to allow users to log in. Is that correct?

As for resource disconnection per user I understand there isn't any real solution. right?

Thank you!

David.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39621283
You will not need to type any computer but instead choose groups of computers that should be accessed by groups of users and do it scripted using powershell or batch. The batch command "net user" has a switch "/workstations" for this - needs to be executed at the DC or -when done from a workstation- as domain admin and accompanied by the switch "/domain".

The resource disconnection could maybe be managed like you want it if you set the Kerberos ticket lifetime and renewal policies accordingly: Computer Configuration - Windows Settings - Security Settings - Account Policy - Kerberos Policy
0
 

Author Comment

by:dbalcells
ID: 39624080
Hi again McKnife,

I created a new security group called WORK, selected all domain computers as members of WORK and tried net user username /workstations:work /domain. When I click on username's Log On To button I can see the "group" called WORK under "This user can log on to:"

But it is not really working, the user can't log on to any computer actually. I think the problem is that WORK is being interpreted as a single computer instead of a group. We can read on the Log On To window, "The user can log on to the following computers:". It doesn't say anything about groups so maybe it is not expecting a group but a computer name.

I also tried using default domain computers group but the net user username /workstations:"Equipos del dominio*" /domain showed error 1210, the format of the specified computer name is invalid.

I also read on Technet (http://technet.microsoft.com/en-us/library/cc771865.aspx)  "Lists as many as eight workstations from which a user can log on to the network".

So I'm a bit stuck at the moment. Groups of computers don't seem to work and computer names only up to eight workstations...

Thank you.

David.

* Spanish translation for domain computers
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39624489
> I think the problem is that WORK is being interpreted as a single computer instead of a Group
Correct. You should use a Batch with a for-loop.
> Lists as many as eight Workstations...
Incorrect. That Limit is not valid any more, the MS-article does not apply :)
0
 

Author Comment

by:dbalcells
ID: 39624571
Thanks again for your quick reply McKnife!

So, if I'm not wrong, I should create a batch / vbscript file with something like:

' Pseudocode (VBScript style): a For Each block is closed with Next, not Loop
For Each user In users
    If user <> targetuser Then
        For Each computer In computers
            ' Add computer to user's Log On To list
        Next
    End If
Next

Thank you!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39624899
Right.
0
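A PowerShell version of the loop McKnife describes, added here as an illustration and not code posted in the thread. It assumes the ActiveDirectory module (RSAT) on a domain controller or admin workstation, domain-admin rights, and a hypothetical account name ExternalAccess for the one user who may still log on from external.domain.

```powershell
# Added example, not from the thread. Restricts every enabled user except the
# one external-access account to the computers joined to customer.domain,
# using Set-ADUser -LogonWorkstations instead of "net user /workstations".
Import-Module ActiveDirectory

$AllowedFromOutside = 'ExternalAccess'   # hypothetical account name

# Build the comma-separated list of NetBIOS computer names. The Log On To
# attribute takes computer names only, which is why a group such as WORK in
# the thread was treated as a single (non-existent) computer.
$Workstations = (Get-ADComputer -Filter * |
    Select-Object -ExpandProperty Name |
    Sort-Object) -join ','

# Safety check: an empty list would lock out every user in the domain.
if ([string]::IsNullOrEmpty($Workstations)) {
    throw 'No computer objects found; refusing to write an empty Log On To list.'
}
Write-Output ("Applying a list of {0} computers" -f ($Workstations -split ',').Count)

Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.SamAccountName -ne $AllowedFromOutside } |
    ForEach-Object {
        # -LogonWorkstations REPLACES the existing list (as net user
        # /workstations does); it does not append, so the full list is
        # written each time. -WhatIf makes this a dry run; remove it to apply.
        Set-ADUser -Identity $_ -LogonWorkstations $Workstations -WhatIf
    }

# The permitted account keeps the default of "log on to all computers":
# clearing the LDAP attribute userWorkstations restores that default.
Set-ADUser -Identity $AllowedFromOutside -Clear userWorkstations -WhatIf

# Verify one account afterwards (the attribute is shown as LogonWorkstations).
Get-ADUser -Identity $AllowedFromOutside -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Re-run the script whenever computers are joined to or removed from customer.domain, since the list is a static snapshot rather than a group membership.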
