Track Locally Logged on User

[Nutthick]

I have a customer that has their server box in the main office (I know it's not secure, but that's the only option they have). No one should be touching it, but one of the accounts has been logging in locally, which I want to stop. The only way I have worked this out is the 'My Desktop' folder structure was created on the drive. I've checked the log and cannot tell the difference between local and VPN started sessions. Is there any way to do the following:

1. Stop certain users being able to log on locally

2. Find out when the user logged on locally, I couldn't tell the difference through the security log.

3. Track what the user is doing when they log on, to see what they are looking at etc.

Thanks

 

[pytchley]

Look in the default domain group policy and deny selected users access to log on locally.

 

[Nutthick]

The server isn't on a domain, as it seemed a bit of overkill for their type of setup. Is there an equivalent for non-domain users?

 

[Solemn]

You can prevent a certain user from logging in locally to the server by editing the servers local computer policy.

Open the group policy editor (gpedit.msc, if I remember correctly) from c:\winnt\system32. Using the editor, go to path "Computer configuration/Windows settings/Security settings/Local policies/User rights assignment".

There you see the policy "Deny logon locally". Just put the user(s) or group(s) there that you want to deny the logging ability.

You can also set the auditing of logins so that you can see them from event viewer. That is done at the GP editor one up from previous, at "Audit policy" modifying the "Audit account logon events" to audit successful logins.
Though I think that it will put all successful logins to event viewer, remote or local.

---
Can YOU put Finland on the map?