Restrict logon from non domain machine to only one user

Posted on 2013-10-30
Medium Priority
Last Modified: 2013-11-11
Hello everybody,

we have a customer with several Windows XP machines and 2 Windows 2008 servers.

The customer has his own LAN with his own domain, let's say customer.domain, and GPO's in place and everything works fine.

This customer has to work from some computers that do not belong to his domain nor to his LAN. These new computers belong to another domain, let's say external.domain, and we can't modify anything from them. These computers are shared with a lot of people from different companies.

Customer.domain and external.domain are in the same building, so we set up an FO link between our firewalls and opened some ports to allow logon from external.domain machines to customer.domain, so that they can access the shared resources of customer.domain from external.domain. Again, everything is working fine. Now comes the issue.

In our customer.domain there are some users with extremely simple passwords, something like 123456, and forcing them to change the passwords is not an option.

We'd like to restrict the login from external.domain to customer.domain to only one user, who will have a complicated password. Also, we'd like this user to auto-disconnect every 60 minutes so that they need to retype the password to gain access to customer.domain.

Is there a way to setup something like this?

Thank you!

Question by:dbalcells
LVL 56

Accepted Solution

McKnife earned 2000 total points
ID: 39612412

Yes, you can. You need to change a default setting. By default, EVERY account may log on from anywhere. Limit this to a known list of computers for all but your one account. That's all.
It is done here: [Screenshot] Please note that this change can be deployed to all accounts very easily in ADUC: select all accounts and right-click them to select Properties, and there you go.

> Also, we'd like this user to autodisconnect every 60 minutes so that they need to retype the password
Difficult. Logon hours can be set and resource disconnection can be configured, but not like you want it with interrupts.

Author Comment

ID: 39621230
Hi McKnife,

I tried your proposed solution and it kind of does the trick, however after clicking on Log On To we have to type all the computers one by one. We tried using domain's computers group but it doesn't work.

Looks like we're forced to introduce every single computer we want to allow users to log in. Is that correct?

As for resource disconnection per user, I understand there isn't any real solution, right?

Thank you!

LVL 56

Expert Comment

ID: 39621283
You will not need to type any computer; instead choose groups of computers that should be accessed by groups of users, and do it scripted using PowerShell or batch. The batch command "net user" has a switch "/workstations" for this. It needs to be executed at the DC or (when done from a workstation) as domain admin and accompanied by the switch "/domain".

The resource disconnection could maybe be managed like you want it if you set the Kerberos ticket lifetime and renewal policies accordingly: Computer Configuration - Windows Settings - Security Settings - Account Policy - Kerberos Policy

Author Comment

ID: 39624080
Hi again McKnife,

I created a new security group called WORK, selected all domain computers as members of WORK and tried net user username /workstations:work /domain. When I click on username's Log On To button I can see the "group" called WORK under "This user can log on to:"

But it is not really working; the user can't log on to any computer actually. I think the problem is that WORK is being interpreted as a single computer instead of a group. We can read on the Log On To window, "The user can log on to the following computers:". It doesn't say anything about groups, so maybe it is not expecting a group but a computer name.

I also tried using default domain computers group but the net user username /workstations:"Equipos del dominio*" /domain showed error 1210, the format of the specified computer name is invalid.

I also read on Technet: "Lists as many as eight workstations from which a user can log on to the network".

So I'm a bit stuck at the moment. Groups of computers don't seem to work, and computer names only up to eight workstations...

Thank you.


* Spanish translation for domain computers
LVL 56

Assisted Solution

McKnife earned 2000 total points
ID: 39624489
> I think the problem is that WORK is being interpreted as a single computer instead of a group
Correct. You should use a batch with a for-loop.
> Lists as many as eight workstations...
Incorrect. That limit is not valid any more; the MS article does not apply :)
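The approach from the accepted solution (restrict "Log On To" for every account except one) and the for-loop advice above, written out as an added PowerShell example. This is not code from McKnife or the asker. It assumes the ActiveDirectory module (RSAT, available from Windows Server 2008 R2 onward), a session with rights to edit user objects, the WORK computer group the asker created, and placeholder names for the exempt account and the OU being restricted.

```powershell
# Added example: write the userWorkstations ("Log On To") attribute for every
# account in an OU except one exempt account, taking the allowed computers from
# a security group. Assumes the ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$ComputerGroup = 'WORK'                               # group whose members are the allowed computers
$ExemptUser    = 'externaluser'                       # assumed name of the one account that may log on from anywhere
$SearchBase    = 'OU=Users,DC=customer,DC=domain'     # placeholder OU holding the accounts to restrict

# The attribute wants a comma-separated list of NetBIOS computer names; a group
# name is treated as one (non-existent) computer, which locks the user out.
$allowed = Get-ADGroupMember -Identity $ComputerGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty Name
if (-not $allowed) {
    throw "Group '$ComputerGroup' contains no computers; refusing to lock every account out."
}
$list = $allowed -join ','

# Restrict everyone in the OU except the exempt account.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties LogonWorkstations |
    Where-Object { $_.SamAccountName -ne $ExemptUser } |
    ForEach-Object {
        # Add -WhatIf to the next line for a dry run before applying for real.
        Set-ADUser -Identity $_ -LogonWorkstations $list
    }

# Keep the exempt account on "All computers" (an empty attribute).
Set-ADUser -Identity $ExemptUser -Clear userWorkstations

# Show what the DC will now enforce, account by account.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

The same list can be applied per account with the command the thread cites, net user USERNAME /workstations:PC1,PC2,... /domain, which is handy on a server without the module. Two points worth keeping in mind: the empty-group check exists because writing an empty or wrong list is exactly the lock-out the asker hit, so verify the read-back before leaving; and the restriction is evaluated against the workstation name the logon request presents, so treat it as an account policy that narrows where the weak-password accounts are accepted, with the firewall rules between the two networks remaining the enforcing boundary.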

Author Comment

ID: 39624571
Thanks again for your quick reply McKnife!

So, if I'm not wrong, I should create a batch / vbscript file with something like:

# ActiveDirectory module assumed; 'targetuser' is a placeholder for the one exempt account
$targetuser = 'targetuser'
$computers  = (Get-ADComputer -Filter *).Name
foreach ($user in Get-ADUser -Filter *) {
    if ($user.SamAccountName -ne $targetuser) {
        # the Log On To attribute takes the whole list at once, so join the computers rather than adding one by one
        Set-ADUser -Identity $user -LogonWorkstations ($computers -join ',')
    }
}

Thank you!
LVL 56

Expert Comment

ID: 39624899
