How do I restrict who can log in

Posted on 2014-02-27
Last Modified: 2014-02-28
Greetings and thank you for reading.

Background: I'm the network assistant administrator. I manage a single domain using Windows Server 2008 R2 with 150 users and about 120 machines. I am the ONLY IT individual on site. Last year, we installed two XP machines in our lecture hall to be used for PowerPoint presentations. We created a user account named "Projector" and informed staff to use that login. Staff continue to use their own credentials to log in and get frustrated when they realize they are missing items.

Management has requested that all user accounts, other than "Projector" and "Administrator", be removed from the machine so that ONLY "Projector" or "Administrator" can log in to it.

I have asked for help from other sources, who suggest that I modify the user account and just exclude the select machines from being able to "logon" screen. The problem is, the user needs to have rights to be able to log in to any OTHER machine, just not the Projector. Besides, I really don't want to modify 120 users, adding machines that I "think" they'll need access to.

I know there has to be a way in Group Policy to manage this, but I'm very new at this.

I hope I asked the question correctly.  Simple question is: "How do I restrict who can log on to a specific computer?"

Thank you.
Question by:James Dart
3 Comments

Accepted Solution

by: Rich Rumble earned 600 total points
ID: 39894486
Use the groups to only include the ones you want.
http://technet.microsoft.com/en-us/library/ms175588%28v=sql.105%29.aspx
Open secpol.msc and go to Local Policies -> User Rights Assignment, and you will see quite a few "Deny log on" entries. Modify those, or just use the "Access this computer from the network" setting to include the groups you want.
-rich

Expert Comment

by:btan
ID: 39894891
As shared by richrumble, there is the "Deny log on locally" setting, but I thought that this is for restrictions on the local machine. You can catch this as well: http://mintywhite.com/windows-7/7maintenance/prevent-users-logging-domain-workstations/

But note that it only works for specific groups of users to specific groups of computers. If you want to restrict a random set of users to that specific computer, you may want to look at the "Log On To" option under that user account. So you may consider creating a new policy such as "restrict logon" and editing the new policy:
e.g. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
e.g. Open the Deny log on locally policy and add the group for your Users
e.g. Close and save the policy
e.g. Attach the new policy to the computer

There is a product called UserLock that allows you more granularity; you can check out http://www.isdecisions.com/products/userlock/features.htm

Maybe consider a graceful scale-up of the solution in the future, where you can explore how some of the lockdown can factor in access based on workstations, time, business hours, and connection type.
e.g. own workstation, IP range, department, floor or building.
e.g. working hours and/or maximum session time for protected users.
e.g. Outside of allowed timeframes and/or when time is up, users will be disconnected with prior warning.

Author Closing Comment

by:James Dart
ID: 39894915
That is what I just found. Excellent.  Thank you for confirming my research!
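
An added example, not part of the original thread or any poster's code: the "Deny log on locally" setting named in the answers and its counterpart "Allow log on locally" are stored as the user rights `SeDenyInteractiveLogonRight` and `SeInteractiveLogonRight`, so a `secedit` export from the projector PC can be checked once the policy has applied. The function names, the file path and the sample export below are constructed for illustration.

```powershell
# Added example: audit interactive-logon rights from a secedit export.
# On the projector PC, create the file with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS

function Get-UserRight {
    param([string[]]$InfLines, [string]$Right)
    # Entries look like: SeInteractiveLogonRight = *S-1-5-32-544,Guest
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Test-LocalLogonLockdown {
    param([string[]]$InfLines)
    # Well-known SIDs that cover (nearly) every user; a -513 RID is Domain Users.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users';
                'S-1-5-32-545' = 'BUILTIN\Users' }
    $isBroad = { param($p) $broad.ContainsKey($p) -or $p -match '^S-1-5-21-.+-513$' }
    $allow = @(Get-UserRight $InfLines 'SeInteractiveLogonRight')
    $deny  = @(Get-UserRight $InfLines 'SeDenyInteractiveLogonRight')

    foreach ($p in $allow) {
        if (& $isBroad $p) { "ALLOW is still broad: $p can log on locally" }
    }
    foreach ($p in $deny) {
        # Deny wins over allow, so a denied group must not contain the accounts to keep.
        if ($p -eq 'S-1-5-32-544') { "DENY includes Administrators: admin lockout" }
        elseif (& $isBroad $p) { "DENY is broad: $p - confirm Projector/Administrator are not members" }
    }
}

# Constructed sample of an export (not taken from a real machine).
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest
'@ -split "`r?`n"

Test-LocalLogonLockdown $sample
# For a real export: Test-LocalLogonLockdown (Get-Content C:\Temp\rights.inf)
```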