Re: Is this a GPO setting or not?
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 08/21/04
- Next message: Steven Umbach: "Re: Group policy problem - event 1006"
- Previous message: Steven Umbach: "Re: Modifying IE 6.0 Advanced / Browsing Options"
- In reply to: Charles: "Is this a GPO setting or not?"
- Next in thread: Bruce Sanderson: "Re: Is this a GPO setting or not?"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 21 Aug 2004 04:00:10 GMT
You can control who logs onto a computer with the user right for logon locally
that is found in the Local Security Policy [secpol.msc] under security
settings/local policies/user rights. This can also be configured at the domain
or OU level via a GPO at those levels. I am not quite sure about your
requirements, but for instance you can configure a computer to only allow domain
users and administrators to logon to it, which would not allow any "local" user
that is not in the local administrators group to logon.
--- Steve
"Charles" <mentaldrowremovethis@gimail.af.mil> wrote in message
news:277101c4866f$a0efd2e0$a301280a@phx.gbl...
> I'm trying to duplicate a setting on a few of the
> machines I manage that will prevent users from logging
> into the machines unless I go through the Users and
> Passwords Control Panel item or Local Groups and User MMC
> snap-in and give them permission to logon to the
> machine. They initially have to be input into the
> machine this way with Admin access to the machine and
> then bumped down to a lower permissions level. If their
> profiles aren't manually added in this manner they get a
> message like this. "Cannot copy C:\Documents and
> Settings\Default User\Favorites\<insert url here> to
> C:\DOcuments and Settings\<insert User Name
> here>\Favorite\... etc" with a countdown time at the
> bottom. At the time out they get another message that
> basically tells them to contact the Network Admin because
> their profile could not be created on the machine. I
> don't have much authority over the User Domain accounts
> so I can't add them to specific OU except at the Local
> machine level but I have complete control over the
> machines themselves. Is this something that can be done
> via the GPO or Local Security Settings? Is there another
> MMC snap-in that I can use to duplicate this setting?
> This is the only way I've found so far to prevent users
> from logging into certain machines. The previous Network
> Admin can't remember what he did to activate this so I'm
> pretty much on my own. Thanks in advance for any and all
> help.
>
> Charles
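
The "log on locally" user right discussed in the reply can be checked from a security policy export. The following is an added example, not part of the original message or either poster's code: it parses the `[Privilege Rights]` section written by `secedit /export /cfg <file> /areas USER_RIGHTS` and reports broad groups holding `SeInteractiveLogonRight`. The sample export, its domain SID and the function names are constructed for illustration.

```python
# Constructed sample of a secedit user-rights export (not from the original post).
# Real exports are usually UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs of groups that include local (non-domain) accounts.
BROAD_LOCAL_GROUPS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}

def parse_privilege_rights(inf_text):
    """Return {right name: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; some accounts appear by name.
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights

def audit_logon_locally(inf_text):
    """List principals that let ordinary local accounts log on interactively."""
    findings = []
    for principal in parse_privilege_rights(inf_text).get("SeInteractiveLogonRight", []):
        if principal in BROAD_LOCAL_GROUPS:
            findings.append(f"{BROAD_LOCAL_GROUPS[principal]} ({principal}) may log on locally")
        elif not principal.upper().startswith("S-1-"):
            findings.append(f"{principal}: listed by name, review manually")
    return findings

if __name__ == "__main__":
    for finding in audit_logon_locally(SAMPLE_INF):
        print(finding)
```

On a domain member, BUILTIN\Users normally contains Domain Users as well as local accounts, so the configuration described in the reply corresponds to an export where that group is replaced by the domain group's own SID.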