Limit domain login to Administrator Group

From: Peter (peter.marshall_at_caris.com)
Date: 01/31/05


Date: 31 Jan 2005 11:44:09 -0800

Hi,

I have a Windows 2000 domain controller. I have a bunch of win2k and
winxp computers as part of the domain.

Currently, each user is a part of their local administrator group on
their own machine (domain admin users are also part of the local
administrator group).

What I am trying to do is set up the network so that only people that
are part of the local administrator group on a particular box are
permitted to log in. I was able to figure out how to make this work
for local users, however, I could not make it work for domain users.

ex. computer name: Computer1
     local account: localuser1
     local account: localuser2
     local account: administrator

The domain has the following user accounts.
     domain account: domainaccount1
     domain account: domainaccount2

Administrator Group on local machine has the following members:
localuser1
domainuser1
domainadmins
administrator

So, what I would like is a policy that would meet the following
requirements:
1. localuser1 can login
2. localuser2 can not login
3. domainuser1 can login
4. domainuser2 can not login.

If someone could help me with this I would really appreciate it. I am
trying to prevent users from logging into other people's workstations in
an attempt to evade security etc.

Thank you again,
Peter


