Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Deny users local login -

Posted on 2014-09-25
17
Medium Priority
?
161 Views
Last Modified: 2014-10-18
Recently we've switched to Single Sign On by Imprivata - my pc are set to auto login but that doesn't prevent the users from hitting crtl-alt-del and logging in themselve and nulling SSO.  I origionally denied users from logging in to the machine but when I do this Imprivata doesn't allow the user to login.  Is there anyway around this?
0
Comment
Question by:WellingtonIS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 4
  • 3
  • +1
17 Comments
 
LVL 14

Expert Comment

by:Ben Hart
ID: 40343732
So your looking for a way to allow interactive logins or fully deny them?
0
 

Author Comment

by:WellingtonIS
ID: 40343758
I'm looking for a way to deny user logon to the machine but allow interactive login.  My departments have generic account which they are supposed to use however, they are not and loging in with there own user names and passwords.  I'm trying to prevent users from logging on to the physical machine with there own accounts but allowing them to user the interactive logon.
0
 
LVL 14

Expert Comment

by:Ben Hart
ID: 40343771
Have you tried the Local Security settings or a GPO?  The settings are in Group Policy, Computer Settings, Windows Settings, Security Settings, Local Policies, User Rights, Deny Log On Locally. Be very careful you don't lock everyone out of everything (ie, apply this to an OU (or restrict it to a group) of just one computer, then test.

For example you could Deny the Domain Users group.. or something like that it depend son how your OU's are setup.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:WellingtonIS
ID: 40343782
Origionally I had that setup.  I had a group and denied local login but I found out that SSO doesn't work if you do that.
0
 
LVL 97

Expert Comment

by:John Hurst
ID: 40343939
Set up a local admin account that users cannot use, but allows you to log in. Do not enable "administrator".

Then remove all other local accounts.

Now users can only log in as domain users.

This should work just fine.
0
 

Author Comment

by:WellingtonIS
ID: 40344012
That's great but it still doesn't prevent my users from login in to the machine on the domain as themselves.
0
 
LVL 97

Expert Comment

by:John Hurst
ID: 40344030
Of course not. The title of the thread asks "Deny LOCAL login".

So then what is the actual question?
0
 

Author Comment

by:WellingtonIS
ID: 40344034
Sorry looking for a way to deny user logon to the machine but allow interactive login with Imprava SSO
0
 
LVL 97

Expert Comment

by:John Hurst
ID: 40344044
If the user has a domain account, nothing really prevents that user from logging in. That is the way it works and that is why attempt to control it breaks SSO.  

I think you have to live with what you have.
0
 
LVL 14

Expert Comment

by:Ben Hart
ID: 40344058
What security group(s) is the auto logon account a member of?  When you attempted the GPO setting the Deny Local Logon rights you weren't inadvertently locking out that account were you?
0
 

Author Comment

by:WellingtonIS
ID: 40344070
The account of auto login are a member of regular domain users - I'm using them like service accounts - the pw doesn't expire.  When I attempt to deny the user local login the SSO doesn't work..   I have generic accounts that need to be the ones on the machines and the users user SSO.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40344366
The account of auto login are a member of regular domain users
Move either the SSO account or the users to another OU and then deny local logon to the OU that the users belong to.
0
 

Author Comment

by:WellingtonIS
ID: 40344524
Thanks everyone for your comments but unfortunatly none of this is the solution to this problem.  Bottom line is you can not deny the user login locally and have them sign in to an SSO with there own account.
0
 
LVL 97

Expert Comment

by:John Hurst
ID: 40344530
I think you just have to live with your current situation. Ask people not to bypass the log in.
0
 

Author Comment

by:WellingtonIS
ID: 40346735
Well for now you're correct.
0
 

Accepted Solution

by:
WellingtonIS earned 0 total points
ID: 40377005
I have no fix for this so I just added a script for an auto login that loops.
0
 

Author Closing Comment

by:WellingtonIS
ID: 40388481
I created a script for an auto login because there's no way to block a user locally and still have them use a Single Sign On to login too.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question