Re: User Login
- From: Neil <Neil@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Aug 2008 13:40:01 -0700
Bruce,
Yes, it worked. I think I was following all your three steps and later on
caught on with your updated posting. Thanks a ton.
Thanks again! It was very helpful.
"Bruce Sanderson" wrote:
If you allow users to logon remotely (i.e. using Remote Desktop Connection),
and you are using the GPO setting I suggested in item #1, you probably want
to also specify the same group in the "Deny log on through Terminal
Services" User Rights Assignment setting.
Otherwise, the user account will be able to logon remotely even though they
can not logon locally (i.e. at the computer's console).
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:OOSebql%23IHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
For a domain user account to be used to logon at a domain member, that
user account must have the "logon locally" right.
Members of the local Administrators, Power Users and Users groups get this
right automatically.
By default, the domain group called Domain Users is a member of the local
Users group on all computers; this is usually why any domain user can
logon at any domain member computer.
So, to prevent a domain user account from being used to logon at a domain
member you have some choices:
1. put those user accounts into a domain group and apply a GPO to the OU
containing the computer accounts that denies the "logon locally" right to
that group:
Computer Configuration, Windows Settings, Security Settings, Local
Policies, User Rights Assignment, Deny log on locally - add the group
containing the "email only" user accounts.
2. remove the "email only" user accounts from the Domain Users group and
any group that is a member of Domain Users. Note that when a new domain
user account is created, it gets automatically added to the Domain Users
group, so you need to remove this group from the Member of list for any
"email only" user accounts created in the future.
3. remove the Domain Users group from the local Users group on the
workstation computers and add a group containing all the user accounts
that should be able to logon locally (essentially all users except the
"email only" user accounts). You can set the membership of local user
groups on domain member computers with a GPO using Restricted Groups
(Computer Configuration, Windows Settings, Security Settings, Restricted
Groups).
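A check a domain admin could run on a workstation to verify that options 1 and 3 above (and the cached-logon setting from Meinolf's reply) actually took effect. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later running elevated, and the group names are placeholders:

```powershell
# Audit a domain member: is the "email only" group denied local and Remote Desktop
# logon, is Domain Users still nested in the local Users group, and how many
# logons are cached? Group names below are placeholders (assumption).
param(
    [string]$DenyGroup   = 'CONTOSO\EmailOnlyUsers',   # placeholder
    [string]$DomainUsers = 'CONTOSO\Domain Users'      # placeholder domain name
)

function Get-Sid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Export the effective user-rights assignments (GPO results included) with secedit.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    # [Privilege Rights] lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Option 1 check: the group must appear in both deny rights (local console and RDP).
$denySid = Get-Sid $DenyGroup
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $ok = $rights[$right] -contains $denySid
    '{0,-36} {1}' -f $right, $(if ($ok) { 'OK: group denied' } else { 'MISSING: group not listed' })
}

# 2. Option 3 check: is Domain Users still a member of the local Users group?
$domainUsersSid = Get-Sid $DomainUsers
$nested = Get-LocalGroupMember -Group 'Users' | Where-Object { $_.SID.Value -eq $domainUsersSid }
if ($nested) { 'Domain Users is still a member of local Users' }
else         { 'Domain Users has been removed from local Users' }

# 3. Cached logons: "Interactive logon: Number of previous logons to cache"; 0 disables caching.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
"CachedLogonsCount = $cached"
```

Run it after `gpupdate /force` on a machine in the target OU; a right that secedit does not export at all simply shows as MISSING.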
"Neil" <Neil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:409F25D3-423D-4182-88A1-9791458FB9E9@xxxxxxxxxxxxxxxx
The accounts are currently disabled, but they will be enabled when they link
it to the Email system. So, the purpose of these accounts that are enabled is
for email login only (as I said earlier, we are not using Exchange) and it
is using its own LDAP to sync with AD and the accounts.
Hope this helps!
"Meinolf Weber" wrote:
Hello Neil,
See inline.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
We have several inactive accounts, and these users use their
departmental login to logon to the domain.
Are the accounts disabled or in use? This statement is not clear for me.
We plan to activate these
accounts for them to logon to their email (not exchange). So, if we
activate their accounts, they will be able to logon to any computers
which we do not want to and we would like to restrict these group of
users not to logon with their own credentials to the domain or to the
local computer.
If you do not allow them to logon to the domain, they can not reach the
server of the domain.
Instead only use this for email login purpose. I hope
I am clear in this.
Thanks again for your earlier response.
"Meinolf Weber" wrote:
Hello Neil,
If I got you correctly, they should only be able to logon to the
domain and not to the local machine without the domain? Create and
link a GPO to the OU, move the computers there and set:
Computer configuration, windows settings, security settings, local
policies, security options, in the right pane choose "Interactive
logon: Number of previous logons to cache" and set it to "0", so it
is disabled.
Best regards
Meinolf Weber
I am looking to add a set of users in AD to a separate group and
want to restrict these users not to logon to computers since they
logon with departmental login credentials. How can I go about doing
it?
thanks in advance!