Re: Repost: Local logon and Network Access settings
- From: "JJ Runnion" <jjrNOSPAM@xxxxxxxxx>
- Date: Fri, 15 Apr 2005 08:43:43 -0500
Thanx for your excellent explanation!
--
jj runnion
jjrNOSPAM@xxxxxxxxx
"Roger Abell" <mvpNOSpam@xxxxxxx> wrote in message
news:OROJliBPFHA.3072@xxxxxxxxxxxxxxxxxxxxxxx
> Well, you do have reason for finding this not exactly straight-forward
> to do, but it is not all that hard.
>
> First, let me say that local and network login are totally separate and
> do not interact in and of themselves. Some accesses which one might
> think require network login since they are over the wire do in fact
> instead require local login user right (front page authoring, remote
> desktop, . . .). On the other hand, the network login does not control
> all that one might think. This user right is mostly for Microsoft file
> and print sharing access. It for example has no impact on connecting
> to a number of other services over the network.
>
> What confuses the issue is, as you have mentioned, the use of
> Authenticated Users. In the default situation, Authenticated Users
> is a member of Users on a member machine, and Users are granted
> login rights. What one can do is either take control of the members
> of Users on the machine or take control over the groups granted
> the logon user right(s).
>
> Say you have an OU SomeOU and also a group SomeUsers of domain
> user accounts that should be allowed to log into the machines in SomeOU.
> If you make SomeUsers a member of the machine local Users group,
> and remove Authenticated Users and also Domain Users from Users,
> then, if the login user rights are granted to Users, Administrators, and the
> few others as required, but not to Authenticated Users or any other
> group/built-in that can contain domain accounts, you will have
> effected what you are after.
>
> You can thus define a GPO linked to SomeOU and in it use a
> Restricted Group definition for Users if the few machine local
> accounts are named the same on every machine. In this GPO
> you can also state to what groups the login right(s) are granted.
> Just do not forget Administrators in the login rights, and you
> should leave Interactive in Users so that you do not have to
> list all accounts (like the admins, etc.) as Users members.
> The Interactive will be substituted by any account that has logged
> in locally (as controlled by that user right) and so will make any
> account that can locally log in automatically also a Users member.
>
> There are other variations. Adding SomeUsers to the user right
> to login instead of to Users will for example allow them access
> as long as Interactive is still in Users. You would still need to
> touch the Users group membership to remove Domain Users and
> Authenticated Users of course.
>
> The real difficulty comes in dealing with machine local accounts
> that are unique on the different machines. If you can get rid of
> these, the use of GPO to meet your objectives is feasible (as the
> GPO will make the user rights and the membership of Users
> identically the same on each machine in SomeOU).
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "JJ Runnion" <jjrNOSPAM@xxxxxxxxx> wrote in message
> news:OXSv%23VqOFHA.4028@xxxxxxxxxxxxxxxxxxxxxxx
>> I posted this a week or so ago, and didn't get a reply so I thought that I'd
>> ask again ...
>>
>> Okay, so I'm really confused and I've spent quite a bit of time reading the
>> MS tech docs etc. but am still not sure I get this.
>>
>> Re: "Windows Settings\Security Settings\User Rights\Logon Locally" and
>> "\Access this computer from the network."
>>
>> I have server 2003 running as the DC and active directory across a single
>> domain. My question has to do with how "Logon Locally" works, especially
>> with respect to "Access this computer from the network".
>>
>> I do not want users to be able to login to the local machine with local
>> accounts. I do not want them to be able to logon to machines that they are
>> not supposed to be using (in different OUs). The default domain GPO allows
>> authenticated users to logon locally and to Access from the network. So, if
>> they have a domain user account, then anyone should be able to logon to any
>> computer to which this GPO applies, right?
>> So, now I want to restrict who can login to the OUs at a lower level. I
>> have my users added to security groups based on their need for access. If I
>> change the "allow network access" to just the correct Security groups, will
>> that do it? (Overwrite the default Authenticated Users with specific
>> security group). Or do I also need to set Logon Locally?
>>
>> Does the "Logon Locally" need to be set for all authenticated users? I know
>> this is probably not as complicated as I'm making it, but it's been very
>> confusing so if someone can spend a few minutes explaining it in the
>> simplest of terms (grin), I'd appreciate it. I've tried to understand it
>> based on MS tech references, but to little avail.
>>
>> j
>>
>>
>> --
>> jj runnion
>> jjrNOSPAM@xxxxxxxxx
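The recipe Roger gives (Authenticated Users and Domain Users out of the local Users group, Interactive left in, the two logon rights granted to Users and Administrators rather than to Authenticated Users) can be checked on a member machine before and after the GPO is linked. The PowerShell below is an added example written for this page, not code from the thread; it assumes Windows 8/Server 2012 or later (for Get-LocalGroupMember), local administrator rights for secedit, and a scratch file rights.inf under %TEMP%. The well-known SIDs are Microsoft-documented values.

```powershell
# Added example: audit the local Users membership and the two logon user rights
# that the thread discusses. Well-known SIDs (Microsoft-documented), used to
# turn secedit's *SID tokens back into names.
$WellKnown = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
}

function Get-LogonRightGrants {
    # Export only the user-rights area and parse the [Privilege Rights] lines,
    # which look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $cfg = Join-Path $env:TEMP 'rights.inf'   # assumed scratch path
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $grants = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
            $grants[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object {
                $t = $_.Trim().TrimStart('*')
                if ($WellKnown.ContainsKey($t)) { $WellKnown[$t] } else { $t }
            }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $grants
}

$rights  = Get-LogonRightGrants
$local   = $rights['SeInteractiveLogonRight']   # "Allow log on locally"
$network = $rights['SeNetworkLogonRight']       # "Access this computer from the network"
$users   = Get-LocalGroupMember -Group 'Users'

$findings = @()
# Authenticated Users (S-1-5-11) or Domain Users (RID 513) in Users admits every domain account.
$users | Where-Object { $_.SID.Value -eq 'S-1-5-11' -or $_.SID.Value -like '*-513' } |
    ForEach-Object { $findings += "Users contains $($_.Name): any domain account is a Users member" }
# The logon rights themselves must not grant to Authenticated Users either.
if ($local   -contains 'Authenticated Users') { $findings += 'Allow log on locally is granted to Authenticated Users' }
if ($network -contains 'Authenticated Users') { $findings += 'Access this computer from the network is granted to Authenticated Users' }
# Keep Administrators in the local logon right and INTERACTIVE in Users, as the reply advises.
if ($local -notcontains 'Administrators') { $findings += 'Administrators missing from Allow log on locally (lockout risk)' }
if (-not ($users | Where-Object { $_.SID.Value -eq 'S-1-5-4' })) { $findings += 'INTERACTIVE missing from Users' }

"Allow log on locally: $($local -join ', ')"
"Access from network:  $($network -join ', ')"
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings' }
```

Run it once under the default domain policy to see the Authenticated Users findings Roger describes, then again after the Restricted Groups and user-rights settings in the SomeOU GPO have applied (gpupdate /force) to confirm they are gone.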