
Limit User to one machine

Status
Not open for further replies.

AcornD

IS-IT--Management
May 22, 2002
37
GB
Is there a way that you can limit one machine on the domain to be accessible to only one person while all the others in the domain are accessible to everyone including the above person.

i.e. the network technician's machine cannot be logged onto by anyone else in school but him, but he can log on to every other machine in school
 
Edit the "Allowed to logon locally" rights on that machine and remove Domain Users. Add the user you want to be able to log on explicitly.

You will find this setting on the local PC under User Rights Assignment in the local Group Policy.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
You can also do this centrally by using Active Directory Users and Computers, editing each User properties page, and click the LOGON TO button. This will enable you to limit each user to one PC.

You can also manage which groups/users can access which PCs by going into the OU such as Client Computers (or you can create your own by department, location, etc.) Right-click the Organizational Unit and use the Security tab and the group policy tab to control access to all the computers in that OU.

Hope this helps. I've found it's usually easier to manage group policies centrally than each machine's local policy.
 
I would agree that it is best practice to centrally manage this. Main thing here though is that AcornD wants to restrict all users from logging into a single machine. If you use the Logon To property, AcornD would need to add every OTHER workstation into the list for every user (provided the desire is for the users to be able to continue to log in anywhere else). That would be a much WORSE management scenario.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
(I love a good technical debate.) You're absolutely right, if you use the logon to property to ALLOW access to all PCs, instead of using it to LIMIT access. But, unless I'm mistaken (because I haven't tried it), you should be able to create an organizational unit called User PCs. You give the group "Technicians" all access to those PCs, you can delete "Domain Users" from those PCs, etc. Then, you use the "logon to" property on only those users you want to limit to one PC.

Let me know if this doesn't work. The local policy will do the trick too, but I usually try to stay away from local policies in general.
 
I like your solution there. All depends on whether or not AcornD can move this one PC into another OU or not depending on what policies are already in place and might need to be moved or duplicated etc. Not knowing the politics or rest of the environment, I think we are limited to very general solutions.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
That's right: there's more than one way to skin a cat. (And if they don't work, you can always beat him against a wall a few times just for giggles.)

Good luck, I'm out.
 
Interesting side effect of restricting "log on to" in the user's account in Active Directory: The user will not be able to connect to Outlook Web Access on an Exchange server with their own account--500 Internal Server Error is returned...
 
In my case, I'd like to limit each user to his/her computer only. However, I don't see a clean way to do this without creating an individual GPO and OU (or security group) for each computer. As I mentioned above, setting the restriction in ADUC also locks the user out of OWA. I feel like I'm missing something simple here.

In our environment, each computer name is identical to the user's name (not a great security practice, but nonetheless). Is there any method of specifying the user or computer accounts to be restricted to their counterparts by name-matching? For instance, I tried entering "%username%" into the computer list for all users in ADUC on the long shot this would only allow each user to log on to a computer named the same as their username. Not surprisingly, this did not work.
 
Incidentally, adding the Exchange server to the list of computers the user is permitted to log on to does not restore access to OWA...
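The name-matching idea asked about above can be done from outside ADUC: the "Log On To..." list is the user's LogonWorkstations (userWorkstations) attribute, and it can be set in bulk from a script. The following is an added example, not code from any poster in this thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available, that computer names equal user names as described in the post, and that the OU path and domain are placeholders to be replaced. It runs as a dry run (-WhatIf) until that switch is removed. Keep in mind the side effect reported earlier in the thread: once a user carries this restriction, Outlook Web Access on the Exchange server fails for that account.

```powershell
# Added example (not from the thread): restrict each user in an OU to the one
# computer that carries the user's own name, by setting LogonWorkstations.
# Assumes the ActiveDirectory module; OU path and domain are placeholders.
Import-Module ActiveDirectory

$userOU = 'OU=Staff,DC=example,DC=com'   # placeholder, adjust to your domain

# Build a lookup of existing computer names once, rather than one query per user.
$computers = @{}
Get-ADComputer -Filter * | ForEach-Object { $computers[$_.Name.ToUpper()] = $true }

# Report what is set today, so the change can be reviewed and reverted later.
Get-ADUser -Filter * -SearchBase $userOU -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize

Get-ADUser -Filter * -SearchBase $userOU -Properties LogonWorkstations | ForEach-Object {
    $name = $_.SamAccountName
    if (-not $computers.ContainsKey($name.ToUpper())) {
        # No computer of that name: leave the account untouched rather than
        # lock it out of every machine.
        Write-Warning "No computer named '$name' exists; skipping $name"
        return   # inside ForEach-Object this behaves like 'continue'
    }
    # LogonWorkstations takes a comma-separated list of NetBIOS names.
    # A single name limits interactive logon to that one machine.
    # Remove -WhatIf to apply the change.
    Set-ADUser -Identity $_ -LogonWorkstations $name -WhatIf
}
```

To undo the restriction for one account, clear the attribute with `Set-ADUser -Identity <user> -Clear userWorkstations`. Because the thread reports that OWA breaks for restricted users even when the Exchange server is added to the list, test with one account before running this against a whole OU.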
 
Dimarc67,

One way you could lock down the machines to the specific user you wanted would be to use a startup script to do it. Something like this:

Code:
'==========================================================================
'
' NAME: RestrictedLogon.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.TheSpidersParlor.com
' COPYRIGHT (c) 2005 All Rights Reserved
' DATE  : 9/25/2005
'
' COMMENT: Assumes the PC name is equal to the user name that is allowed to log on to the PC
'
'==========================================================================
On Error Resume Next
Dim WSHShell, WSHNetwork, Partition, Partitions

Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("Wscript.Network")
pcName = WSHNetwork.Computername

Set Partitions = GetObject("LDAP://CN=Partitions,CN=Configuration," & _
GetObject("LDAP://RootDSE").Get("DefaultNamingContext"))
On Error Resume Next
For Each Partition In Partitions
strDomain = Partition.Get("nETBIOSName")
If Err.Number = 0 then Exit For
Next
Set Partitions = Nothing

Call WSHShell.Run(net localgroup users " & strDomain & "\" & pcName & " /add")
Call WSHShell.Run(net localgroup users " & strDomain & "\Administrator" & " /add")
Call WSHShell.Run(net localgroup users " & strDomain & "\Domain Admins" & " /add")
Call WSHShell.Run(net localgroup users " & strDomain & "\Domain Users" & " /remove")

In a nutshell what this script does is first finds the domain name and the pcname (which is assumed to be the allowed user name).

We add to the local users group the Domain Admin ID, the Domain Admins Group and the Domain User account that matches the PC name. We then Remove the Domain Users from the list of local users which should be sufficient to prevent these users from logging into the PC. You may need to see if there are any other groups that needed to be added or removed from the local users, power users and administrators groups to be safe.

Apply this script as a startup script in an AD GPO. That should do it once the policy is refreshed on the PC and the PC is rebooted.

I hope you find this post helpful.

Regards,

Mark
 
Hi, Mark.

Thank you very much for this. I'd prefer to have central control, but your solution is perfectly workable and I'd like to implement.

Looks like I'm running up against some small errors in your code however. Couple of them I was able to correct easily--a double-quote (") is needed in front of each net command, and the "/remove" switch needs to be changed to "/delete".

The last error requires a little syntax with which I'm not familiar. Because the group names "Domain Admins" and "Domain Users" contain a space, the domain name and group name need to be enclosed in double-quotes in the command line. What's the vbs syntax to include the double-quote character in the string?

Thank you!

David Marcus
Dimarc67
 
Figured out it's easier to write the script in batch:

Code:
@echo off
rem filename: LocalUserGroupChanges.bat
net localgroup users %userdomain%\%computername% /add
net localgroup users %computername%\Administrator /add
net localgroup users "%userdomain%\Domain Admins" /add
net localgroup users "%userdomain%\Domain Users" /delete

The batch script does just what it's supposed to do, but I'm not sure it's the result I'm looking for. In testing the result, any domain user is still able to log on to the system, even without "Domain Users" in the local Users group.

Now that I think about it, the local Users group is only ever discussed when it comes to limiting administrator privileges on the local computer. To my knowledge, a user does not need to be listed in ANY local group to be able to log on with a domain account, so long as the computer is a member of the domain. Can't say what privileges they'll have, but they'll be able to log on.

This brings me back to my original inquiry, which is determining a method to restrict users to logging on to only their own system. As I mentioned previously, using the "Log On To..." dialog on the Account tab in the User Properties in ADUC to restrict by computer name which computer will accept the account for logon seems to also lock the user out of Outlook Web Access on the Exchange server (even if the Exchange server is added to the computer list).

Any other suggestions (or corrections of incorrect assumptions on my part)?

Thanks.

Dimarc67
 
Take a look at the local security policy. It will show you all of the accounts that are permitted to log onto the PC.

I hope you find this post helpful.

Regards,

Mark
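The test result reported above (domain users still log on after "Domain Users" is removed from the local Users group) has a simple cause: on a domain-joined Windows 2000/XP machine the local Users group also contains NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE, so every domain account is still a member of Users, and Users still holds the "Allow log on locally" right. What decides who can log on is that user right (SeInteractiveLogonRight in the local security policy), which is the setting suggested at the start of the thread. The following is an added example, not code from any poster: a script that exports the local policy with secedit, shows the current holders of the right, and optionally rewrites it so that only local Administrators and one named domain account keep it. It could be run as a startup script in the way the VBScript above was intended. It assumes it runs elevated, that the domain\user value is a placeholder, and that the computer-name-equals-user-name convention from the thread is used to pick the allowed account.

```powershell
# Added example (not from the thread): inspect and, with -Apply, rewrite the
# "Allow log on locally" user right (SeInteractiveLogonRight) on this PC so that
# only BUILTIN\Administrators and one named domain user hold it.
# Assumes: run elevated; $AllowedUser is a placeholder. By default the allowed
# user is DOMAIN\<computer name>, following the thread's naming convention.
param(
    [string]$AllowedUser = "$env:USERDOMAIN\$env:COMPUTERNAME",  # placeholder
    [switch]$Apply                                               # report only without it
)

$inf = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'

# Export only the user-rights section of the current local security policy.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$content = Get-Content $inf

# Show who currently holds the right (secedit lists SIDs prefixed with '*').
$current = $content | Where-Object { $_ -match '^SeInteractiveLogonRight' }
Write-Host "Current setting: $current"

function Get-Sid([string]$account) {
    # Translate DOMAIN\name to a SID string; throws if the account is unknown,
    # which is the safer failure than writing an unresolvable policy line.
    $nt = New-Object System.Security.Principal.NTAccount($account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$adminsSid = 'S-1-5-32-544'          # BUILTIN\Administrators, well-known SID
$userSid   = Get-Sid $AllowedUser
$newLine   = "SeInteractiveLogonRight = *$adminsSid,*$userSid"

if ($Apply) {
    if ($current) {
        # Replace the existing line in place.
        $content = $content -replace '^SeInteractiveLogonRight.*$', $newLine
    } else {
        # Right not defined locally: add it under the [Privilege Rights] header.
        $content = $content | ForEach-Object {
            $_
            if ($_ -eq '[Privilege Rights]') { $newLine }
        }
    }
    # secedit templates are UTF-16; keep that encoding when writing back.
    Set-Content -Path $inf -Value $content -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Write-Host "Applied: $newLine"
} else {
    Write-Host "Would set: $newLine  (rerun with -Apply to change the policy)"
}

Remove-Item $inf, $db -ErrorAction SilentlyContinue
```

Run it once without -Apply to confirm the account resolves and to see the existing list (on a default XP-era install that list includes Users, Power Users, Backup Operators and Guest, which is why everyone could log on). Local Administrators are kept in the list so the technician, as a Domain Admin, can still log on to the machine, and so the PC cannot be locked out of administration entirely. A domain GPO with the same user-right assignment applied to an OU containing just that computer achieves the same result centrally, which several posters above preferred.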
 