Re: Repost: Local logon and Network Access settings
- From: "Roger Abell" <mvpNOSpam@xxxxxxx>
- Date: Fri, 8 Apr 2005 01:59:06 -0700
Well, you do have reason for finding this not exactly straight-forward
to do, but it is not all that hard.

First, let me say that local and network login are totally separate and
do not interact in and of themselves. Some accesses which one might
think require network login since they are over the wire do in fact
instead require local login user right (front page authoring, remote
desktop, . . .). On the other hand, the network login does not control
all that one might think. This user right is mostly for Microsoft file
and print sharing access. It for example has no impact on connecting
to a number of other services over the network.

What confuses the issue is, as you have mentioned, the use of
Authenticated Users. In the default situation, Authenticated Users
is a member of Users on a member machine, and Users are granted
login rights. What one can do is either take control of the members
of Users on the machine or take control over the groups granted
the logon user right(s).

Say you have an OU SomeOU and also a group SomeUsers of domain
user accounts that should be allowed to log into the machines in SomeOU.
If you make SomeUsers a member of the machine local Users group,
and remove Authenticated Users and also Domain Users from Users,
then, if the login user rights are granted to Users, Administrators, and the
few others as required, but not to Authenticated Users or any other
group/built-in that can contain domain accounts, you will have
effected what you are after.

You can thus define a GPO linked to SomeOU and in it use a
Restricted Group definition for Users if the few machine local
accounts are named the same on every machine. In this GPO
you can also state to what groups the login right(s) are granted.
Just do not forget Administrators in the login rights, and you
should leave Interactive in Users so that you do not have to
list all accounts (like the admins, etc.) as Users members.
The Interactive will be substituted by any account that has logged
in locally (as controlled by that user right) and so will make any
account that can locally log in automatically also a Users member.

There are other variations. Adding SomeUsers to the user right
to login instead of to Users will for example allow them access
as long as Interactive is still in Users. You would still need to
touch the Users group membership to remove Domain Users and
Authenticated Users of course.

The real difficulty comes in dealing with machine local accounts
that are unique on the different machines. If you can get rid of
these, the use of GPO to meet your objectives is feasible (as the
GPO will make the user rights and the membership of Users
identically the same on each machine in SomeOU).
--
Roger Abell
Microsoft MVP (Windows Security)
"JJ Runnion" <jjrNOSPAM@xxxxxxxxx> wrote in message
news:OXSv%23VqOFHA.4028@xxxxxxxxxxxxxxxxxxxxxxx
> I posted this a week or so ago, and didn't get a reply so I thought that I'd
> ask again ...
>
> okay, so i'm really confused and i've spent quite a bit of time reading the
> MS tech docs etc. but am still not sure I get this.
>
> Re: "Windows Settings\Security Settings\User Rights\Logon Locally" and
> "\Access this computer from the network."
>
> I have server 2003 running as the DC and active directory across a single
> domain. My question has to do with how "Logon Locally" works, especially
> with respect to "Access this computer from the network".
>
> I do not want users to be able to login to the local machine with local
> accounts. I do not want them to be able to logon to machines that they are
> not supposed to be using (in different OUs). The default domain GPO allows
> authenticated
> be using (in different OUs). The default domain GPO allows authenticated
> users to logon locally and to Access from the network. So, if they have a
> domain user account, then anyone should be able to logon to any computer to
> which this GPO applies, right?
> So, now I want to restrict who can login to the OUs at a lower level. I
> have my users added to security groups based on their need for access. If I
> change the "allow network access" to just the correct Security groups, will
> that do it? (Overwrite the default Authenticated Users with specific
> security group). Or do i also need to set Logon Locally?
>
> Does the "Logon Locally" need to be set for all authenticated users? I know
> this is probably not as complicated as I'm making it, but it's been very
> confusing so if someone can spend a few minutes explaining it in the
> simplest of terms (grin), i'd appreciate it. I've tried to understand it
> based on MS tech references, but to little avail.
>
> j
>
>
> --
> jj runnion
> jjrNOSPAM@xxxxxxxxx
>
>
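As an added illustration (not part of the thread, and not code by either poster), the following PowerShell audit script checks a member machine against the design Roger describes: Authenticated Users and Domain Users removed from the local Users group, INTERACTIVE left in Users, and the two logon user rights no longer granting Authenticated Users while still granting Administrators. It assumes a current Windows PowerShell with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) and secedit.exe, which did not exist in 2005-era Windows; the well-known SIDs used are S-1-5-11 (Authenticated Users), S-1-5-1 (Everyone), S-1-5-4 (INTERACTIVE), S-1-5-32-544 (Administrators), and the -513 RID of Domain Users.

```powershell
# Audit script added as an example; not from the original post.
# Assumes Windows 10 / Server 2016 or later: Get-LocalGroupMember and secedit.exe available.
# Run in an elevated PowerShell session (secedit /export needs administrative rights).

$AuthenticatedUsersSid = 'S-1-5-11'
$EveryoneSid           = 'S-1-5-1'
$InteractiveSid        = 'S-1-5-4'
$AdministratorsSid     = 'S-1-5-32-544'

function Get-PrivilegeGrants {
    # Export the effective local security policy (user rights only) and return
    # a hashtable mapping each right, e.g. SeInteractiveLogonRight, to the
    # SIDs/names it is granted to. secedit writes SIDs with a leading '*'.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $grants = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $grants[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ -ne '' })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $grants
}

function Test-LogonRightsDesign {
    # Returns an array of findings; an empty array means the machine matches
    # the intended design (Users membership controlled, rights granted to Users
    # and Administrators but not to Authenticated Users/Everyone).
    $grants   = Get-PrivilegeGrants
    $findings = @()

    foreach ($right in 'SeInteractiveLogonRight', 'SeNetworkLogonRight') {
        $who = @($grants[$right])
        if ($who -contains $AuthenticatedUsersSid -or $who -contains $EveryoneSid) {
            $findings += "$right still grants Authenticated Users/Everyone: $($who -join ', ')"
        }
        if ($who -notcontains $AdministratorsSid) {
            $findings += "$right does not grant Administrators; admins would be locked out"
        }
    }

    # Membership of the machine local Users group, as Restricted Groups would enforce it.
    $memberSids = @(Get-LocalGroupMember -Group 'Users' | ForEach-Object { $_.SID.Value })
    if ($memberSids -contains $AuthenticatedUsersSid) {
        $findings += 'Authenticated Users is still a member of local Users'
    }
    if ($memberSids | Where-Object { $_ -match '^S-1-5-21-.*-513$' }) {
        $findings += 'Domain Users is still a member of local Users'
    }
    if ($memberSids -notcontains $InteractiveSid) {
        $findings += 'INTERACTIVE is missing from Users; locally logged-on accounts will not become Users members'
    }
    return $findings
}

$result = Test-LogonRightsDesign
if ($result.Count -eq 0) {
    'Machine matches the intended logon design.'
} else {
    $result
}
```

The script only reads policy; it does not change anything. Running it on one machine in SomeOU after the GPO has applied shows whether the Restricted Groups definition and the user rights grants landed as intended, and the INTERACTIVE check catches the case where the Restricted Groups list was written without it.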