Re: User Login
- From: Neil <Neil@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Aug 2008 12:31:01 -0700
Hi Bruce,
Thanks for the information, it was very useful and made me understand some
additional concepts. Unfortunately, I did try the steps given below as you
had said, and I removed Domain Users from the local computer group, applied
policy through group policy where only those accounts will be authenticated
to the computers. But, it looks like it is still allowing the users who
are not supposed to log on to the computer. Not sure if there is anything I am missing. The
only thing I have done is, added this particular group in GPO security
filtering so that only this group gets the deny logon locally privileges.
Appreciate further input from your end, but your last input was fantastic.
"Bruce Sanderson" wrote:
For a domain user account to be used to logon at a domain member, that user
account must have the "logon locally" right.
Members of the local Administrators, Power Users and Users groups get this
right automatically.
By default, the domain group called Domain Users is a member of the local
Users group on all computers; this is usually why any domain user can logon
at any domain member computer.
So, to prevent a domain user account from being used to logon at a domain
member you have some choices:
1. put those user accounts into domain group and apply a GPO to the OU
containing the computer accounts that denies the "logon locally" right to
that group
Computer Configuration, Windows Settings, Security Settings, Local
Policies, User Rights Assignment, Deny log on locally - add the group
containing the "email only" user accounts.
2. remove the "email only" user accounts from the Domain Users group and any
group that is a member of Domain Users. Note that when a new domain user
account is created, it gets automatically added to the Domain Users group,
so you need to remove this group from the Member of list for any "email only"
user accounts created in the future.
3. remove the Domain Users group from the local Users group on the
workstation computers and add a group containing all the user accounts that
should be able to logon locally (essentially all users except the "email
only" user accouts). You can set the membership of local user groups on
domain member computers with a GPO using Restricted Groups (Computer
Configuration, Windows Settings, Security Settings, Restricted Groups).
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Neil" <Neil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:409F25D3-423D-4182-88A1-9791458FB9E9@xxxxxxxxxxxxxxxx
The accounts are currently disabled, but they will be enabled when they link
it to the Email system. So, the purpose of these accounts that are enabled is
for email login only (As, I said earlier, we are not using Exchange) and it
is using its own ldap to sync with AD and the accounts.
Hope this helps!
"Meinolf Weber" wrote:
Hello Neil,
See inline.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
We have several inactive accounts, and these users use their
departmental login to logon to the domain.
Are the accounts disabled or in use? This statement is not clear to me.
We plan to activate these
accounts for them to logon to their email (not exchange). So, if we
activate their accounts, they will be able to logon to any computers
which we do not want to and we would like to restrict these group of
users not to logon with their own credentials to the domain or to the
local computer.
If you do not allow them to log on to the domain, they cannot reach the mail
server of the domain.
Instead only use this for email login purpose. I hope
I am clear in this.
thanks again for you earlier response.
"Meinolf Weber" wrote:
Hello Neil,
If I got you correct, they should only be able to log on to the
domain and not to the local machine without the domain? Create and
link a GPO to the OU, move the computers there and set:
Computer configuration, windows settings, security settings, local
policies, security options, in the right pane choose "Interactive
logon: Number of previous logons to cache" and set it to "0", so it
is disabled.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
I am looking to add a set of users in AD to a separate group and
want to restrict these users from logging on to computers since they
log on with departmental login credentials. How can I go about doing
it?
thanks in advance!
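The following script is an added example and is not part of the thread or anyone's reply in it. It audits a single domain-joined workstation for the settings discussed above: which principals hold or are denied the "Log on locally" right (Bruce's option 1), whether Domain Users is still nested in the local Users group (Bruce's option 3), and the cached-logon count (Meinolf's suggestion). It assumes an elevated PowerShell session on the workstation and a Windows build that ships the Get-LocalGroupMember cmdlet; the group name EXAMPLE\EmailOnlyUsers is a placeholder. Two caveats worth keeping in mind when reading its output: "Deny log on locally" lives under Computer Configuration, so the GPO must apply to the computer accounts in the OU (security filtering that lists only a user group leaves the computers without Read/Apply permission), and the cached-logons setting is machine-wide rather than per group.

```powershell
# Added example (not from the thread): audit effective logon rights and local group
# membership on one domain-joined workstation. Run elevated. EXAMPLE\EmailOnlyUsers is
# a placeholder for the domain group that holds the "email only" accounts.
param(
    [string]$EmailOnlyGroup = 'EXAMPLE\EmailOnlyUsers'
)

function Get-UserRightsAssignment {
    # secedit exports the effective local policy (applied GPO settings included) as an
    # INF file; the [Privilege Rights] section lists each right and its principals.
    $cfg = Join-Path $env:TEMP 'rights-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $principals = $Matches[2] -split ',' | ForEach-Object {
            $p = $_.Trim()
            if ($p.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; translate to DOMAIN\Name where possible.
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $p }
            } else { $p }
        }
        $rights[$name] = @($principals)
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-UserRightsAssignment
$allow  = $rights['SeInteractiveLogonRight']
$deny   = $rights['SeDenyInteractiveLogonRight']

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny -join ', ')"

# Check 1 (option 1 above): did the deny right actually land on this computer?
if ($deny -contains $EmailOnlyGroup) {
    "OK   - $EmailOnlyGroup is denied interactive logon on this computer."
} else {
    "WARN - $EmailOnlyGroup is NOT in 'Deny log on locally' here; the GPO did not apply."
    "       Confirm with the computer-scope Resultant Set of Policy: gpresult /scope computer /r"
}

# Check 2 (option 3 above): Domain Users nested in local Users grants every domain user
# the "Log on locally" right, regardless of what else is configured.
$domainUsers = Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -like '*\Domain Users' }
if ($domainUsers) {
    "WARN - $($domainUsers.Name) is still a member of the local Users group."
} else {
    "OK   - Domain Users is not a member of the local Users group."
}

# Check 3 (cached logons): 0 means no cached domain credentials, so the machine cannot
# be used with a domain account while the domain controller is unreachable.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"Cached logons allowed : $cached (0 = cached domain logon disabled)"
```

Run it on a workstation where the unwanted logon still succeeds: the Deny list shows immediately whether the policy reached the machine, and the Users-group check shows whether the Domain Users nesting that Bruce describes is still granting the right.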