RE: Create user that dont have access to domain
From: Allen Firouz (AllenFirouz_at_discussions.microsoft.com)
Date: 01/21/05
- Next message: Allen Firouz: "RE: Create user that dont have access to domain"
- Previous message: Douglas H. Quebbeman: "Re: Need Help with Odd LDAP Error, NCSecDesc Failure running DCDIAG"
- In reply to: Steve: "RE: Create user that dont have access to domain"
- Next in thread: Allen Firouz: "RE: Create user that dont have access to domain"
Date: Fri, 21 Jan 2005 10:49:03 -0800
Steve:
I am very familiar with the needs of healthcare organizations (I worked the
field for over 8 years). If you are talking about PCs in public areas, the
easiest solution is to make the PC autologin using a network ID (steps are
listed below) and then restrict network object access using the GPO. If you
want to be super clean, you can create a list of trusted sites and only allow
the user to access those sites from the PC (this is the preferred method) and
it retains security.
To enable autologin:
You can use Registry Editor to add your log on information. To do this,
follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Using your account name and password, double-click the DefaultUserName
entry, type your user name, and then click OK.
4. Double-click the DefaultPassword entry, type your password under the
value data box, and then click OK.
If there is no DefaultPassword value, create the value. To do this, follow
these steps:
a. In Registry Editor, click Edit, click New, and then click String Value.
b. Type DefaultPassword as the value name, and then press ENTER.
c. Double-click the newly created key, and then type your password in the
Value Data box.
If no DefaultPassword string is specified, Windows XP automatically changes
the value of the AutoAdminLogon registry key from 1 (true) to 0 (false) to
turn off the AutoAdminLogon feature.
5. Double-click the AutoAdminLogon entry, type 1 in the Value Data box, and
then click OK.
If there is no AutoAdminLogon entry, create the entry. To do this, follow
these steps:
a. In Registry Editor, click Edit, click New, and then click String Value.
b. Type AutoAdminLogon as the value name, and then press ENTER.
c. Double-click the newly created key, and then type 1 in the Value Data box.
6. Quit Registry Editor.
-Allen Firouz
"Steve" wrote:
> Hi Allen,
>
> Thanks for your reply and insight. I work in a Healthcare facility with
> a huge number of nurses and what I do is have a generic logon for our nurses
> that is locked down very tightly. They don't have access to the c drive, can't
> browse the network, etc., and everything is locked down very tight via group
> policy in Active Directory. The only thing they are able to do is open
> the icons on their desktop. They do have their own personal login user names
> and passwords for those specific programs that require them to change on a
> regular basis for those specific purposes.
>
> "Allen Firouz" wrote:
>
> > Steve:
> >
> > How are you locking down the PCs? Through a GPO or local policy?
> >
> > It is not a good idea to have generic logins in any environment. That being
> > said and out of the way, your best bet is to create an OU for the account and
> > apply a very restrictive GPO that restricts their access to browsing and
> > accessing network resources. If you have specific machines that need that
> > login, put the PCs in that OU as well and apply policy restrictions on the
> > machine as well as the user policies. Without knowing how restrictive you
> > want it to be, it is hard to recommend GPO settings. Here are some useful
> > links:
> > GPO Setting overview and links:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322143
> > Restricting software using GPO (including access control)
> > http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
> > Local policy settings for Windows XP:
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en
> >
> > Hope that helps.
> >
> > -Allen Firouz [MentalFloss]
> >
> > "Steve" wrote:
> >
> > > Hello,
> > >
> > > I have a program that uses Active Directory to authenticate the user to
> > > have access to that particular program. What I have set up in my environment
> > > is a generic login to these computers that is in a locked down state for
> > > security reasons. What I want to do is create a user that will pass
> > > authentication for this program via Active Directory but NOT allow them to
> > > log into the machine itself on the domain. I want the generic account with
> > > the locked down state logged in at all times. Any advice? Change permissions
> > > somewhere? Create a policy?
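
An audit of the autologon values set in the registry steps above, added here as an example and not part of the original post. It reports whether AutoAdminLogon is on and whether a DefaultPassword string is present (the value is a plain REG_SZ, so the script reports presence only and never prints it). The function name and the HKCU demo key are constructed for illustration.

```powershell
# Added example: audit the Winlogon autologon values without printing the password.
function Get-AutoLogonAudit {
    param(
        # Defaults to the real Winlogon key; can be pointed at a test key.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $names = $props.PSObject.Properties.Name

    # AutoAdminLogon is a string value; "1" means autologon is enabled.
    $enabled = ($names -contains 'AutoAdminLogon') -and ("$($props.AutoAdminLogon)" -eq '1')
    $hasPassword = ($names -contains 'DefaultPassword') -and
                   -not [string]::IsNullOrEmpty($props.DefaultPassword)

    $finding = if ($enabled -and $hasPassword) {
        'Autologon enabled; password stored as a readable string in this key'
    } elseif ($enabled) {
        'AutoAdminLogon is 1 but no DefaultPassword string is present'
    } elseif ($hasPassword) {
        'Autologon disabled, but a leftover DefaultPassword string remains'
    } else {
        'Autologon not configured'
    }

    [pscustomobject]@{
        Path               = $Path
        AutoAdminLogon     = $enabled
        DefaultUserName    = if ($names -contains 'DefaultUserName') { $props.DefaultUserName } else { $null }
        PasswordInRegistry = $hasPassword   # presence only, value is never output
        Finding            = $finding
    }
}

# Constructed test key under HKCU so the check can be exercised without touching HKLM.
$demo = 'HKCU:\Software\AutoLogonAuditDemo'
New-Item -Path $demo -Force | Out-Null
New-ItemProperty -Path $demo -Name AutoAdminLogon  -Value '1'          -PropertyType String -Force | Out-Null
New-ItemProperty -Path $demo -Name DefaultUserName -Value 'kiosk-demo' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $demo -Name DefaultPassword -Value 'constructed-sample' -PropertyType String -Force | Out-Null
Get-AutoLogonAudit -Path $demo | Format-List
Remove-Item -Path $demo -Recurse -Force

# Audit the machine's real Winlogon key.
Get-AutoLogonAudit | Format-List
```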