Solved

Restrict logon from non domain machine to only one user

Posted on 2013-10-30
7
549 Views
Last Modified: 2013-11-11
Hello everybody,

we have a customer with several Windows XP machines and 2 windows 2008 Servers.

The customer has his own LAN with his own domain, let's say customer.domain, and GPO's in place and everything works fine.

This customer has to work from some computers that do not belong to his domain nor to his LAN. These new computers belong to another domain, let's say external.domain, and we can't modify anything from them. These computers are shared with a lot of people from different companies.

Customer.domain and external.domain are in the same building so we set up a FO link between our Firewalls and opened some ports to allow logon from external.domain machines to customer.domain so that they can access the shared resources of customer.domain from external.domain. Again everything is working fine. Now comes the issue.

In our customer.domain there are some users with extremely simple passwords, something like 123456, and forcing them to change the passwords is not an option.

We'd like to restrict the login from external.domain to customer.domain to only one user who will have a complicated password. Also, we'd like this user to autodisconnect every 60 minutes so that they need to retype the password to gain access to customer.domain.

Is there a way to setup something like this?

Thank you!

David.
0
Comment
Question by:dbalcells
7 Comments
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 39612412
Hi.

Yes you can. You need to change a default setting. By default, EVERY account may logon from anywhere. Limit this to a known list of computers for all but your one account. That's all.
It is done here: [Screenshot] Please note that this change can be deployed to all accounts very easily in ADUC: select all accounts and right click them to select properties and there you go.

> Also, we'd like this user to autodisconnect every 60 minutes so that they need to retype the password
Difficult. Logon hours can be set and resource disconnection can be configured, but not like you want it with interrupts.
0
 

Author Comment

by:dbalcells
ID: 39621230
Hi McKnife,

I tried your proposed solution and it kind of does the trick, however after clicking on Log On To we have to type all the computers one by one. We tried using the domain's computers group but it doesn't work.

Looks like we're forced to introduce every single computer we want to allow users to log in. Is that correct?

As for resource disconnection per user I understand there isn't any real solution, right?

Thank you!

David.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39621283
You will not need to type any computer but instead choose groups of computers that should be accessed by groups of users and do it scripted using powershell or batch. The batch command "net user" has a switch "/workstations" for this - it needs to be executed at the DC or, when done from a workstation, as domain admin and accompanied by the switch "/domain".

The resource disconnection could maybe be managed like you want it if you set the Kerberos ticket lifetime and renewal policies accordingly: Computer Configuration - Windows Settings - Security Settings - Account Policy - Kerberos Policy
0
 

Author Comment

by:dbalcells
ID: 39624080
Hi again McKnife,

I created a new security group called WORK, selected all domain computers as members of WORK and tried net user username /workstations:work /domain. When I click on username's Log On To button I can see the "group" called WORK under "This user can log on to:"

But it is not really working, the user can't log on to any computer actually. I think the problem is that WORK is being interpreted as a single computer instead of a group. We can read on the Log On To window, "The user can log on to the following computers:". It doesn't say anything about groups so maybe it is not expecting a group but a computer name.

I also tried using default domain computers group but the net user username /workstations:"Equipos del dominio*" /domain showed error 1210, the format of the specified computer name is invalid.

I also read on Technet (http://technet.microsoft.com/en-us/library/cc771865.aspx) "Lists as many as eight workstations from which a user can log on to the network".

So I'm a bit stuck at the moment. Groups of computers don't seem to work and computer names only up to eight workstations...

Thank you.

David.

* Spanish translation for domain computers
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39624489
> I think the problem is that WORK is being interpreted as a single computer instead of a group
Correct. You should use a batch with a for-loop.
> Lists as many as eight workstations...
Incorrect. That limit is not valid any more, the MS article does not apply :)
0
 

Author Comment

by:dbalcells
ID: 39624571
Thanks again for your quick reply McKnife!

So, if I'm not wrong, I should create a batch / vbscript file with something like:

    For Each user In users
        If user <> targetuser Then
            For Each computer In computers
                ' Add computer to user's Log On To list.
            Next
        End If
    Next

Thank you!
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39624899
Right.
0
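A PowerShell version of that loop, added here as an example and not code from the thread: it reads the members of the WORK computer group from the earlier comment, joins their names into the comma-separated list that the "Log On To" (userWorkstations) attribute expects, and writes that list to every enabled account except the one exempt account. The exempt account name 'external-access' is a placeholder, the ActiveDirectory module (RSAT) is assumed to be installed, and nothing is written unless -Apply is passed.

```powershell
# Added example (not from the thread). Placeholders: 'external-access' is the one account
# that stays unrestricted; 'WORK' is the computer group created in the thread.
param(
    [string]$ExemptUser    = 'external-access',
    [string]$ComputerGroup = 'WORK',
    [switch]$Apply          # without -Apply the script only reports what it would change
)
Import-Module ActiveDirectory

# Resolve the group to NetBIOS computer names; userWorkstations is NOT group-aware,
# it is one comma-separated string of computer names (no spaces, no wildcards).
$names = Get-ADGroupMember -Identity $ComputerGroup |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { (Get-ADComputer -Identity $_.distinguishedName).Name } |
    Sort-Object -Unique
if (-not $names) { throw "Group '$ComputerGroup' contains no computer objects." }
$list = $names -join ','

# The attribute is a length-limited string (1024 characters in the default AD schema),
# so a large domain may need several groups/lists rather than one giant list.
if ($list.Length -gt 1024) {
    throw "Workstation list is $($list.Length) characters, over the 1024-character limit."
}

# Every enabled user except the exempt one gets the restriction (replaces, not appends).
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { $_.SamAccountName -ne $ExemptUser }

foreach ($u in $users) {
    if ($u.LogonWorkstations -eq $list) { continue }   # already set, nothing to do
    if ($Apply) {
        Set-ADUser -Identity $u -LogonWorkstations $list
        Write-Host "Restricted $($u.SamAccountName) to $($names.Count) computers"
    } else {
        Write-Host "Would restrict $($u.SamAccountName) (currently: '$($u.LogonWorkstations)')"
    }
}

# Audit afterwards: accounts with an empty list may still log on from anywhere,
# so this should return only the exempt account (and whatever you deliberately skipped).
Get-ADUser -Filter * -Properties LogonWorkstations |
    Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
    Select-Object SamAccountName
```

Run it once without -Apply and read the report first: the WORK group must also contain the domain controllers and the servers administrators log on to, otherwise the administrators themselves are locked out of those machines.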
