dbalcells asked:
Restrict logon from non domain machine to only one user

Hello everybody,

We have a customer with several Windows XP machines and 2 Windows 2008 servers.

The customer has his own LAN with his own domain, let's say customer.domain, and GPOs in place, and everything works fine.

This customer has to work from some computers that do not belong to his domain nor to his LAN. These new computers belong to another domain, let's say external.domain, and we can't modify anything on them. These computers are shared with a lot of people from different companies.

Customer.domain and external.domain are in the same building, so we set up a FO link between our firewalls and opened some ports to allow logon from external.domain machines to customer.domain, so that they can access the shared resources of customer.domain from external.domain. Again, everything is working fine. Now comes the issue.

In our customer.domain there are some users with extremely simple passwords, something like 123456, and forcing them to change the passwords is not an option.

We'd like to restrict the login from external.domain to customer.domain to only one user, who will have a complicated password. Also, we'd like this user to be auto-disconnected every 60 minutes so that they need to retype the password to gain access to customer.domain.

Is there a way to setup something like this?

Thank you!

David.
ASKER CERTIFIED SOLUTION (McKnife)
dbalcells (ASKER):
Hi McKnife,

I tried your proposed solution and it kind of does the trick; however, after clicking on Log On To we have to type all the computers one by one. We tried using the domain's computers group but it doesn't work.

Looks like we're forced to enter every single computer we want to allow users to log in from. Is that correct?

As for resource disconnection per user, I understand there isn't any real solution, right?

Thank you!

David.
You will not need to type any computer; instead, choose groups of computers that should be accessed by groups of users and do it scripted using PowerShell or batch. The batch command "net user" has a switch "/workstations" for this. It needs to be executed at the DC or (when done from a workstation) as domain admin and accompanied by the switch "/domain".

The resource disconnection could maybe be managed the way you want it if you set the Kerberos ticket lifetime and renewal policies accordingly: Computer Configuration - Windows Settings - Security Settings - Account Policy - Kerberos Policy
Hi again McKnife,

I created a new security group called WORK, selected all domain computers as members of WORK and tried net user username /workstations:work /domain. When I click on username's Log On To button I can see the "group" called WORK under "This user can log on to:"

But it is not really working; the user can't log on to any computer, actually. I think the problem is that WORK is being interpreted as a single computer instead of a group. We can read in the Log On To window "The user can log on to the following computers:". It doesn't say anything about groups, so maybe it is not expecting a group but a computer name.

I also tried using the default domain computers group, but net user username /workstations:"Equipos del dominio*" /domain showed error 1210, the format of the specified computer name is invalid.

I also read on TechNet (http://technet.microsoft.com/en-us/library/cc771865.aspx): "Lists as many as eight workstations from which a user can log on to the network".

So I'm a bit stuck at the moment. Groups of computers don't seem to work, and computer names only up to eight workstations...

Thank you.

David.

* Spanish translation for domain computers
SOLUTION (McKnife)
Thanks again for your quick reply McKnife!

So, if I'm not wrong, I should create a batch / VBScript file with something like:

' VBScript version of the loop; the LDAP container paths and the allowed user name are assumed
targetUser = "externaluser"   ' the one account that may keep logging on from external.domain
Set computers = GetObject("LDAP://CN=Computers,DC=customer,DC=domain")
list = ""
For Each computer In computers
    If computer.Class = "computer" Then list = list & computer.Get("cn") & ","
Next
list = Left(list, Len(list) - 1)   ' comma-separated value of the userWorkstations attribute
For Each user In GetObject("LDAP://CN=Users,DC=customer,DC=domain")
    If user.Class = "user" And LCase(user.Get("sAMAccountName")) <> targetUser Then
        user.Put "userWorkstations", list   ' fills this user's "Log On To" list
        user.SetInfo
    End If
Next

Thank you!
Right.
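An added audit script (my example, not McKnife's or the asker's code) for checking the result of the "Log On To" approach discussed above: it reads the userWorkstations attribute of every enabled user in customer.domain and reports accounts that are still unrestricted (and so could still be used from external.domain), as well as entries that are not real computer names, which is what happened when WORK was stored as a literal computer name. It assumes it runs on a machine joined to customer.domain with read access to AD; $AllowedUser is a placeholder for the one account that should stay unrestricted.

```powershell
# Added example: audit the userWorkstations ("Log On To") restriction across the domain.
# Assumes a domain-joined machine with read access to AD. $AllowedUser is a placeholder.
$AllowedUser = 'externaluser'

# Collect known computer names so that non-computer entries (a group name, a typo) can be spotted.
$searcher = [adsisearcher]'(objectCategory=computer)'
$searcher.PageSize = 500
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties['cn'][0].ToLower() }

# Enabled user accounts only (bit 2 of userAccountControl = ACCOUNTDISABLE).
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userWorkstations'))

foreach ($r in $searcher.FindAll()) {
    $name = $r.Properties['samaccountname'][0]
    $raw  = @($r.Properties['userworkstations'])   # empty when the attribute is not set

    if ($name -ieq $AllowedUser) {
        # The allowed account must stay unrestricted, otherwise it is blocked from external.domain.
        if ($raw.Count -gt 0) { "WARNING: $name has a Log On To list ($($raw[0])) and will be refused from external.domain" }
        continue
    }
    if ($raw.Count -eq 0) {
        "UNRESTRICTED: $name can log on from any computer, including external.domain machines"
        continue
    }
    # The attribute is a comma-separated list of computer names. An entry that is not a real
    # computer (e.g. the group WORK) matches nothing, so the user is locked out everywhere.
    $bogus = ($raw[0] -split ',') | Where-Object { $computers -notcontains $_.Trim().ToLower() }
    if ($bogus) { "INVALID: $name lists non-computer entries: $($bogus -join ', ')" }
}
```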