Restrict logon from non domain machine to only one user

Posted on 2013-10-30
Last Modified: 2013-11-11
Hello everybody,

we have a customer with several Windows XP machines and 2 Windows 2008 servers.

The customer has his own LAN with his own domain, let's say customer.domain, and GPO's in place and everything works fine.

This customer has to work from some computers that do not belong to his domain nor to his LAN. These new computers belong to another domain, let's say external.domain, and we can't modify anything from them. These computers are shared with a lot of people from different companies.

Customer.domain and external.domain are in the same building, so we set up a FO link between our firewalls and opened some ports to allow logon from external.domain machines to customer.domain, so that they can access the shared resources of customer.domain from external.domain. Again, everything is working fine. Now comes the issue.

In our customer.domain there are some users with extremely simple passwords, something like 123456, and forcing them to change the passwords is not an option.

We'd like to restrict the login from external.domain to customer.domain to only one user, who will have a complicated password. Also, we'd like this user to auto-disconnect every 60 minutes so that they need to retype the password to gain access to customer.domain.

Is there a way to setup something like this?

Thank you!

Question by:dbalcells

Accepted Solution

McKnife earned 500 total points
ID: 39612412

Yes you can. You need to change a default setting. By default, EVERY account may logon from anywhere. Limit this to a known list of computers for all but your one account. That's all.
It is done here: [Screenshot] Please note that this change can be deployed to all accounts very easily in ADUC: select all accounts, right-click them, select Properties, and there you go.

> Also, we'd like this user to autodisconnect every 60 minutes so that they need to retype the password
Difficult. Logon hours can be set and resource disconnection can be configured, but not like you want it with interrupts.

Author Comment

ID: 39621230
Hi McKnife,

I tried your proposed solution and it kind of does the trick; however, after clicking on Log On To we have to type all the computers one by one. We tried using the domain's computers group, but it doesn't work.

Looks like we're forced to enter every single computer we want to allow users to log in to. Is that correct?

As for resource disconnection per user, I understand there isn't any real solution, right?

Thank you!


Expert Comment

ID: 39621283
You will not need to type any computer; instead, choose groups of computers that should be accessed by groups of users and do it scripted using PowerShell or batch. The batch command "net user" has a switch "/workstations" for this; it needs to be executed at the DC or, when done from a workstation, as domain admin and accompanied by the switch "/domain".

The resource disconnection could maybe be managed like you want it if you set the Kerberos ticket lifetime and renewal policies accordingly: Computer Configuration - Windows Settings - Security Settings - Account Policy - Kerberos Policy

Author Comment

ID: 39624080
Hi again McKnife,

I created a new security group called WORK, selected all domain computers as members of WORK and tried net user username /workstations:work /domain. When I click on username's Log On To button I can see the "group" called WORK under "This user can log on to:".

But it is not really working; the user can't log on to any computer, actually. I think the problem is that WORK is being interpreted as a single computer instead of a group. We can read in the Log On To window, "The user can log on to the following computers:". It doesn't say anything about groups, so maybe it is not expecting a group but a computer name.

I also tried using the default domain computers group, but net user username /workstations:"Equipos del dominio*" /domain showed error 1210, the format of the specified computer name is invalid.

I also read on TechNet: "Lists as many as eight workstations from which a user can log on to the network".

So I'm a bit stuck at the moment. Groups of computers don't seem to work, and computer names only up to eight workstations...

Thank you.


* Spanish translation for domain computers

Assisted Solution

McKnife earned 500 total points
ID: 39624489
> I think the problem is that WORK is being interpreted as a single computer instead of a group
Correct. You should use a batch with a for-loop.
> Lists as many as eight workstations...
Incorrect. That limit is not valid any more; the MS article does not apply :)

Author Comment

ID: 39624571
Thanks again for your quick reply McKnife!

So, if I'm not wrong, I should create a batch / VBScript file with something like:

For Each user In users
    If user <> targetuser Then
        For Each computer In computers
            ' Add computer to user's Log On To list
        Next
    End If
Next

Thank you!
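A scripted version of the loop McKnife describes and of the pseudocode above, added here as an example and not taken from the thread. It uses the ActiveDirectory PowerShell module (Set-ADUser -LogonWorkstations writes the same userWorkstations attribute the Log On To dialog shows) instead of net user; the account name 'extuser' and the OU path are placeholders, and the group name WORK comes from the thread.

```powershell
# Added example, not from the thread: restrict every user except one to the
# computers in a security group, i.e. the scripted form of the "Log On To" step.
# Placeholder values: the account name 'extuser' and the OU path.
Import-Module ActiveDirectory

$ExternalLogonUser = 'extuser'                          # placeholder: the one account allowed from external.domain
$ComputerGroup     = 'WORK'                             # the computer group from the thread
$UserSearchBase    = 'OU=Users,DC=customer,DC=domain'   # placeholder OU holding the customer's users

# userWorkstations only accepts computer names, never a group name,
# so expand the group into its computer members first.
$workstations = Get-ADGroupMember -Identity $ComputerGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.name } |
    Sort-Object -Unique
if (-not $workstations) { throw "Group '$ComputerGroup' contains no computer objects" }

# Every computer a user must reach (file servers, RDP hosts, DCs for admins) has to be
# in the group: a name missing from this list locks the user out of that computer.
$list = $workstations -join ','

$targets = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserSearchBase `
               -Properties LogonWorkstations |
           Where-Object { $_.SamAccountName -ne $ExternalLogonUser }

foreach ($u in $targets) {
    if ($u.LogonWorkstations -ne $list) {
        # -LogonWorkstations takes the comma-separated list the Log On To dialog displays.
        Set-ADUser -Identity $u -LogonWorkstations $list
        Write-Host ("Restricted {0} to {1} workstations" -f $u.SamAccountName, $workstations.Count)
    }
}

# Check: the external-logon account keeps an empty list (may log on anywhere);
# every other account shows the expanded computer names rather than the group name.
$ext = Get-ADUser -Identity $ExternalLogonUser -Properties LogonWorkstations
if ($ext.LogonWorkstations) { Write-Warning "$ExternalLogonUser is restricted; it should not be" }
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserSearchBase -Properties LogonWorkstations |
    Where-Object { $_.SamAccountName -ne $ExternalLogonUser -and $_.LogonWorkstations -ne $list } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) still has: '$($_.LogonWorkstations)'" }
```

Run it with an account that may modify the user objects, on a DC or a machine with the RSAT ActiveDirectory module, and review any warnings it prints before trusting the result. The Kerberos ticket-lifetime part of the thread is a GPO setting and is not covered by this script.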

Expert Comment

ID: 39624899
