Re: Restricting Logons with Windows 2000 Server
- From: "confused" <confused@xxxxxxxxx>
- Date: Sat, 30 Jun 2007 17:02:22 GMT
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23OR0w8xuHHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
> confused <confused@xxxxxxxxx> wrote:
>> I need to restrict user logons from our XP Pro workstations to our
>> Windows 2000 Server to particular machines.
>>
>> Ideally I would like to specify at the workstation level who is
>> permitted to log on to that workstation but I don't know of any way
>> to do that.
>>
>> I know that I can specify which machines a particular user is
>> permitted to log on to in the user control panel in
>> ActiveDirectory/Users/UserName/Account(tab)/LogOnTo(button)... But am
>> not sure if it would apply to a domain administrator and if it would
>> have any bearing on workgroup computers that are not members of the
>> Domain?
>>
>> We have a plain Windows 2000 Server / Windows XP Workstation
>> configuration with a Point of Sale operating in Workgroup mode running
>> on the same network. A member server that has a logon with Domain
>> Administrator rights is used by the Point of Sale system and I see
>> this as a vulnerability because that user can log on to any user
>> workstation and do whatever they want.
>>
>> Any suggestions would be greatly appreciated.
>>
>> Thank you.
>
> Hmmm. Why is your POS product using a domain admin account to run? This is
> the first place I'd start locking things down. There's no conceivable
> reason it needs that.
>
> Also, I'm unclear on the configuration of your network - you have AD, but
> you also mention a workgroup. You can do a lot of things with group
> policy, but they won't affect non-domain-member computers. Can you provide
> more detail as to your setup?

Thank you for your reply.

You want more detail... you got it... but quite frankly I think that an
answer to my questions doesn't warrant the detail and that it will probably
just bore people and overwhelm them with too much information...

The POS system is a workgroup running on the same network and has its own
Windows 2000 Server that is joined to the Domain. The POS Server uses a
domain administrator account so that it can interface with a Property
Management System that requires administrative rights to work. The Property
Management System has to be part of the domain so that member Workstations
can use the system while also being connected to the regular Domain file
server.

But I don't think that knowing all that matters. I am just asking these two
things with regard to a Windows 2000 Server and Windows XP workstations:

1) Is there a way at the workstation level to restrict user logons to
particular usernames, and would that restriction apply to a domain
administrator?

2) If I specify the 'Log On To' workstation list in Active Directory, does
that actually restrict logons to workstations for a user account that has
Domain Administrator rights?

Thank you.