Re: User Login
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Sat, 9 Aug 2008 13:00:42 -0700
For a domain user account to be used to logon at a domain member, that user account must have the "logon locally" right.
Members of the local Administrators, Power Users and Users groups get this right automatically.
By default, the domain group called Domain Users is a member of the local Users group on all computers; this is usually why any domain user can logon at any domain member computer.
So, to prevent a domain user account from being used to logon at a domain member you have some choices:
1. put those user accounts into domain group and apply a GPO to the OU containing the computer accounts that denies the "logon locally" right to that group
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Deny log on locally - add the group containing the "email only" user accounts.
2. remove the "email only" user accounts from the Domain Users group and any group that is a member of Domain Users. Note that when a new domain user account is created, it gets automatically added to the Domain Users group, so you need to remove this group from the Member of list for any "email only" user accounts created in the future.
3. remove the Domain Users group from the local Users group on the workstation computers and add a group containing all the user accounts that should be able to logon locally (essentially all users except the "email only" user accounts). You can set the membership of local user groups on domain member computers with a GPO using Restricted Groups (Computer Configuration, Windows Settings, Security Settings, Restricted Groups).
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Neil" <Neil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:409F25D3-423D-4182-88A1-9791458FB9E9@xxxxxxxxxxxxxxxx
The accounts are currently disabled, but they will be enabled when they link
it to the Email system. So, the purpose of these accounts that are enabled is
for email login only (As I said earlier, we are not using Exchange) and it
is using its own ldap to sync with AD and the accounts.
Hope this helps!
"Meinolf Weber" wrote:
Hello Neil,
See inline.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> We have several inactive accounts, and these users use their
> departmental login to logon to the domain.
Are the accounts disabled or in use? This statement is not clear for me.
> We plan to activate these
> accounts for them to logon to their email (not exchange). So, if we
> activate their accounts, they will be able to logon to any computers
> which we do not want to and we would like to restrict these group of
> users not to logon with their own credentials to the domain or to the
> local computer.
If you do not allow them to logon to the domain, they can not reach the mail
server of the domain.
> Instead only use this for email login purpose. I hope
> I am clear in this.
>
> thanks again for you earlier response.
>
> "Meinolf Weber" wrote:
>
>> Hello Neil,
>>
>> If I got you correct, they should only be able to logon to the
>> domain and not to the local machine without the domain? Create and
>> link a GPO to the OU, move the computers there and set:
>>
>> Computer configuration, windows settings, security settings, local
>> policies, security options, in the right pane choose "Interactive
>> logon: Number of previous logons to cache" and set it to "0", so it
>> is disabled.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I am looking to add a set of users in AD to a separate group and
>>> want to restrict these users not to logon to computers since they
>>> logon with departmental login credentials. How can I go about doing
>>> it.
>>>
>>> thanks in advance!
>>>
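The following PowerShell script is an added example illustrating the group preparation behind Bruce's options 1 and 2 and a way to verify the result on a workstation; it is not code from the thread or from any of its posters. It assumes the RSAT ActiveDirectory module, a placeholder domain "example.local", and a hypothetical group named "EmailOnlyUsers"; the user names in it are constructed samples. It also covers a detail option 2 does not mention: an account cannot be removed from its primary group, and Domain Users is the default primary group, so the primary group has to be changed first.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module, a placeholder domain "example.local" and a hypothetical group
# "EmailOnlyUsers"; adjust names and OU paths to your environment.
Import-Module ActiveDirectory

$GroupName = 'EmailOnlyUsers'                    # hypothetical group for "email only" accounts
$GroupPath = 'OU=Groups,DC=example,DC=local'     # placeholder OU for the new group

# Option 1 preparation: a dedicated security group that the GPO's
# "Deny log on locally" right (User Rights Assignment) will reference.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# Put the email-only accounts into the group. The list is a constructed sample.
$EmailOnlyUsers = @('jdoe', 'asmith')
Add-ADGroupMember -Identity $GroupName -Members $EmailOnlyUsers

# Option 2: removing an account from Domain Users. A user cannot be removed
# from its primary group, and Domain Users (RID 513) is the default primary
# group, so point primaryGroupID at the new group first, then remove the
# Domain Users membership.
$NewPrimary = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken
foreach ($u in $EmailOnlyUsers) {
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = $NewPrimary.primaryGroupToken }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $u -Confirm:$false
}

# Verification on a domain member (run locally after gpupdate): export the
# effective user rights with secedit and check that the group's SID appears
# under SeDenyInteractiveLogonRight, which is the "Deny log on locally" right.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$Export   = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$DenyLine = Select-String -Path $Export -Pattern '^SeDenyInteractiveLogonRight' |
            Select-Object -First 1
if ($DenyLine -and $DenyLine.Line -match [regex]::Escape($GroupSid)) {
    Write-Output "Deny log on locally includes $GroupName on $env:COMPUTERNAME"
} else {
    Write-Output "Deny log on locally does NOT include $GroupName on $env:COMPUTERNAME"
}
Remove-Item $Export -ErrorAction SilentlyContinue
```

The primary-group step is only needed for option 2; with option 1 the accounts stay in Domain Users and the deny right alone blocks interactive logon. Note that secedit writes SIDs (prefixed with `*`) rather than names into the exported .inf, which is why the check matches on the group's SID.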