Re: How to deny Access at Clients?

From: Renee Geffre [ MSFT] (reneeg_at_online.microsoft.com)
Date: 05/15/04 

Date: Sat, 15 May 2004 19:37:50 GMT

Hi Heiner:

Thank you for using Microsofts Small Business Server newsgroups. I
understand that you want to lock a workstation down so that only two people
can access it. You can use the Local Security Settings under
Administrative Tools on the XP client to Deny Access to Log on Locally to
particular users however some Domain Policies will always override Local
policies. It is also necessary to be very careful setting Deny
permissions. It is best not to use groups such as Domain Users due to
nested permissions that can end up denying anyone access to the computer.
It would be best to deny each user individually. You can also deny the
domain Administrator account (the built in Administrator account on the
server not the Domain Admins group) the ability to log on Interactively,
which will prevent them from logging in using Terminal Services.

I would not recommend denying the local Administrator account on the XP
workstation log on rights. You can set a complex password on that account
and not give it out, in essence this would only be used for you to log in
to work on the system as needed.

Best Regards,

Renee Geffre, Windows 2000 MCSE, MCSA
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security

========================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

========================================================
This posting is provided "As Is" with no warranties, and confers no rights.

Relevant Pages

  • Re: Changing workstation Admin password through AD
    ... bouncing every member server and workstation monthly is not practical. ... GPO/startup script method... ... Windows Server MVP - Directory Services ... Change the password to the Administrator account ...
    (microsoft.public.win2000.active_directory)
  • RE: ISA Rules
    ... DENY ... > workstation as a USER so all we can do is deny access to the USER-Workstation. ... >>> good measure the individual has been added as an exception to the SBS ... >>> internet allow rule. ...
    (microsoft.public.isa)
  • Re: Changing workstation Admin password through AD
    ... Anyone who can get to power user or admin level on a workstation will have a path to get that batch file and anyone with physical access to a machine can get admin regardless of what their "official" access level is. ... Change the password to the Administrator account ... I know how to rename the administrator's account, but how can I do the ...
    (microsoft.public.win2000.active_directory)
  • Local policy does not permit you to logon interactively
    ... I had a Windows 2000 Workstation ... Windows 2000 server and I wasn't the person who configured it initially. ... not even the local administrator account (which had been working before ... I REALLY don't want to reload this system and I need to find ...
    (microsoft.public.win2000.networking)
  • Cant login
    ... Stupidly and not really paying attention to what I was ... DOMAIN (aka how you change a name on a W2K workstation). ... ADMINISTRATOR account on the workstation does not have ... Is there a way to reset that password or something that ...
    (microsoft.public.win2000.security)