Re: how to create domain policy to restrict users ???
- From: "Kresna Rudy K" <KresnaRudyK@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 May 2005 21:54:01 -0700
Hi Bruce,
What do you suggest, I have done it already.
It seems, not everything can be done via gpo...
Regards,
"Bruce Sanderson" wrote:
> As I said, if there are NO local user accounts, no one can logon "locally",
> so just don't create any local user accounts.
>
> Re. your "one ore question" - That's a question of which (domain) user
> accounts are members of Local groups. By default, the group Domain Users
> gets added to the local Users group. If you remove Domain Users from the
> local Users group, then only those user accounts or Domain groups that are
> specifically added to the local Users group (or that are members of other
> local groups such as Administrators or Power Users) will be able to logon at
> that workstation.
>
> You can populate local groups on workstations using the Restricted Groups in
> a GPO. However, to control who can logon on to particular wokrstations
> using GPOs probably means creating seperate OUs and GPOs linked to them,
> which could be a lot of OUs and GPOs.
>
> In most cases, there is not really a good reason to restrict particular
> users to logging on only at particular workstations. Howerver if you do
> have such a reason, then I suggest populating the local Users (or Power
> User, or Administrators as appropriate) manually on each workstation.
>
> --
> Bruce Sanderson MVP Printing
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
>
>
> "Kresna Rudy K" <KresnaRudyK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:71C43CB5-9DA5-45B3-87A5-807C191C8527@xxxxxxxxxxxxxxxx
> > Hi Bruce
> > Yes, you are correct, I want to prevent user to use local user to login in
> > workstation.
> > It is a good idea to disable local user, so user have to use domain user
> > to
> > login in their workstation.
> >
> > One ore question :
> > How to prevent domain user to login in specific workstation ?
> > For example : user1 only can login in workstation1 but user1 cannot login
> > in
> > workstation2. Is it possible ???
> >
> >
> > Thanks...
> >
> >
> > "Bruce Sanderson" wrote:
> >
> >> I'm not sure I completely understand your situation and what you are
> >> asking.
> >> So, I've attempted to provide some information in this post based on what
> >> I
> >> have interpreted from your posts. Sorry if I'm off base and you already
> >> know all this stuff. Futher, I'm assuming you have Windows XP
> >> Professional
> >> (Home can not join a Domain, so this discussion is not relevant to XP
> >> Home).
> >>
> >> A "Domain user account" is always a "Domain user account". That is, in
> >> the
> >> logon panel (the one that appears after the user presses Ctrl+Alt+Del),
> >> to
> >> use a Domain User Account, the user MUST select the Domain Name, not the
> >> local Computer Name in the third box (the Log onto: box). If the user
> >> selects the Computer Name in the Log on to: box, but supplies a Domain
> >> Username and password, the login attempt will fail.
> >>
> >> When the Log on to: box specifies the Domain Name, the local computer
> >> will
> >> not attempt to "authenticate" the user (verify the credentials) but will
> >> send the username and password to a Domain Controller in the identified
> >> Domain to do the authentication.
> >>
> >> When the Log on to: box is set to the local Computer name, the local
> >> computer will attempt to authenticate the user against its own, local
> >> security "database". Domain user accounts can NEVER be authenticated in
> >> this situation.
> >>
> >> This is true even when the Domain User Account is specifically a member
> >> of a
> >> Local Group on the computer. I guess this is where I don't understand
> >> your
> >> item # 2.
> >>
> >> The only way a user can logon using a non-Domain user account is if there
> >> is
> >> in fact a non-Domain user account defined on that computer. So, if you
> >> don't want users to use local computer accounts, don't create any on the
> >> workstation computers. Also, don't add the Domain User account (or a
> >> Domain
> >> Group that the user is a member of) to the local Administrators group -
> >> such
> >> a use could create their own Local account.
> >>
> >> If, on a workstation computer you use Computer Management, System Tools,
> >> Local User and Groups, Users and ADD a user account, this is a Local user
> >> account even if the username is identical to the username of a Domain
> >> User
> >> account. You really don't want to do this becuase it will be confusing -
> >> you have two completely independent user accounts with the same name. If
> >> you have this situation, change the password on either the Local user
> >> account or the Domain account so that they are different. Then, you can
> >> verify that the Domain user account only works when the Domain Name is
> >> selected in the Log on to: box and the Local user account only works when
> >> the Computer Name is so selected.
> >>
> >> In most cases, there is no need and it is undesireable to have individual
> >> Domain User accounts as members in Local Groups on computers. Usually,
> >> one
> >> would use a Group from the Domain rather than individual user accounts.
> >>
> >> With a GPO, you can control which User Accounts can actual logon at a
> >> given computer. There are two related settings, both in Computer
> >> Configuration, Windows Settings Security Settings, Local Policies, User
> >> Rights Assignment. These settings are:
> >>
> >> Allow log on locally
> >> Deny log on locally
> >>
> >> If you Enable Allow log on locally, you must specify all the groups (or
> >> individual user accounts) that you want to have this right - all other
> >> accounts won't be able to logon.
> >>
> >> If you Enable Deny log on locally, you can specify that specific user
> >> accounts or groups that are to be Denied this right. If a given user
> >> account
> >> (possibly by virtue of Group membership) is in both the "Allow" and
> >> "Deny"
> >> lists, the Deny takes precedence.
> >>
> >> Normally, you would put Domain User accounts or Groups in these settings.
> >> However, you can but unqualified names in them. Then, if a Local User
> >> account's username matches that unqualified name, that Local User account
> >> will be denied local logon. There is no way that I know of to specify
> >> Local
> >> Group names or "all Local User Acounts".
> >>
> >> An explanation of these settings is available in the Group Policy
> >> Editor's
> >> Help (Help, Help Topics, Security Settings, Concepts, Security Settings
> >> Description, Local Policies, User Rights Assignment).
> >>
> >> Be very careful with these because you can end up preventing anyone,
> >> including Administrators from logging on at all!
> >>
> >> But, only user accounts that are members (directly or
> >> indirectly) of the Administrators group on the computer can create Local
> >> User accounts or adjust the membership of Local groups. So, if you don't
> >> make users Administrators on the workstations, they can't create Local
> >> User
> >> accounts and thus you have prevented them from logging on using Local
> >> User
> >> accounts (unless they know the password of the Local Administrator user
> >> account!) without any GPO at all. This is the usual approach.
> >>
> >> --
> >> Bruce Sanderson MVP Printing
> >> http://members.shaw.ca/bsanders
> >>
> >> It is perfectly useless to know the right answer to the wrong question.
> >>
> >>
> >>
> >> "Kresna Rudy K" <KresnaRudyK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:A73FBECD-9331-45DA-836D-13D44B2E6DDF@xxxxxxxxxxxxxxxx
> >> > Hi Bruce,
> >> >
> >> > Thanks for your answer...
> >> >
> >> > For item no 2, I explain to you the situation, I create user account in
> >> > domain controller and I put it in local group, now user have 2 option
> >> > (after
> >> > users restart their pcs),
> >> > user can login local (this computer) or login to doman controller (eg
> >> > WINDC).
> >> >
> >> > I donot want users to login local (this computer), they must login to
> >> > domain
> >> >
> >> > Is it possible ???
> >> >
> >> > Regards,
> >> >
> >> >
> >> > "Bruce Sanderson" wrote:
> >> >
> >> >> You can use the Restricted Groups policy (Computer Configuration,
> >> >> Windows
> >> >> Settings, Security Settings, Restricted Groups) to set local group
> >> >> membership on workstations (see
> >> >> http://support.microsoft.com/?id=810076).
> >> >> User accounts that are only members of the Local Users group can not
> >> >> "install" software.
> >> >>
> >> >> Unless a user's account is a member of one of the Local Groups (e.g.
> >> >> Administrators, Power Users, Users), they won't be able to logon
> >> >> locally.
> >> >> If a user can not logon locally, they won't be able to use their
> >> >> workstation
> >> >> at all, so I don't quite understand what you are attempting to
> >> >> accomplish
> >> >> with your item 2. By default, the Domain Group "Domain Users" is
> >> >> added
> >> >> to
> >> >> the Local Group called "Users" on Windows XP computers, but you can
> >> >> remove
> >> >> the Domain Users group if you want. By default ordinary "Users" can
> >> >> not
> >> >> logon to Domain Controllers locally.
> >> >>
> >> >> --
> >> >> Bruce Sanderson MVP Printing
> >> >> http://members.shaw.ca/bsanders
> >> >>
> >> >> It is perfectly useless to know the right answer to the wrong
> >> >> question.
> >> >>
> >> >>
> >> >>
> >> >> "Kresna Rudy K" <KresnaRudyK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> >> message
> >> >> news:5005BA04-26EF-4DC0-917D-4EDC4B53FC93@xxxxxxxxxxxxxxxx
> >> >> > Hi,
> >> >> >
> >> >> > I have win2003 as domain controller and 100 pc with win XP.
> >> >> >
> >> >> > My questions are :
> >> >> >
> >> >> > 1 : How to create domain policy to prevent users to install software
> >> >> > ?
> >> >> > (ofcourse only admin can install new software)
> >> >> > 2 : How to create domain policy to prevent users to login locally ?
> >> >> > 3 : Is it possible to disable floppydisk and cdrom via domain policy
> >> >> > ?
> >> >> >
> >> >> > please help ....
> >> >> >
> >> >> > Thanks...
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
> >>
>
>
>
.
- References:
- Re: how to create domain policy to restrict users ???
- From: Bruce Sanderson
- Re: how to create domain policy to restrict users ???
- Prev by Date: Re: NoAddressBar
- Next by Date: Re: Windows 2003 Server, access denied to install security patches
- Previous by thread: Re: how to create domain policy to restrict users ???
- Next by thread: Re: How is it possible to disable roaming profiles on workstations
- Index(es):
Relevant Pages
|
