Deny logon locally

Discussion in 'Active Directory' started by Kim K, Apr 22, 2009.

  1. Kim K

    Kim K Guest

    Some guidance please. I have had a request to make the computers in a small
    office domain deny access to all other users except the computer owner.
    In other words, only the one person (and domain admins) should ever be able to
    log in to their computer. I have not seen this but read about deny logon
    locally (Computer Configuration\Windows Settings\Security Settings\Local
    Policies\User Rights Assignment); however, can someone tell me if this is
    pretty straightforward, as I think I read that this is somewhat backwards
    sounding. Also, do I need to enable loopback? All my computers are in a
    computer OU.
     
    Kim K, Apr 22, 2009
    #1

  2. Marcin

    Marcin Guest

    Kim,
    the complexity comes from the fact that you want each computer to have a
    different setting. This means essentially that each of your computers would
    need to have a different user right assignment - which is just tedious to
    configure (although no loopback is needed, since this is a computer
    setting). In addition, you should review
    http://support.microsoft.com/kb/823659 - and test this configuration to
    ensure that it does not have any undesired side effects.

    hth
    Marcin
     
    Marcin, Apr 22, 2009
    #2

  3. Marcin, wouldn't the "Log On To" feature under the AD user properties,
    Account Tab, and specifying a specific workstation do the trick for the
    poster?

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 22, 2009
    #3
  4. Hello Kim,

    As Ace said, you can go to the user's properties, Account, Logon to, and then
    specify the computer that you want the user to use, and for the Administrator
    account just leave the default, which is logon to all computers. I hope you don't
    have that many users, or it will be quite a tedious task to finish.
     
    Isaac Oben [MCITP,MCSE], Apr 22, 2009
    #4
  5. Howdie!
    I think that would solve the issue. By populating the attribute with a
    script (read from an Excel sheet or something similar), one could
    restrict users to their machines in a pretty smart way.

    Though I think that a general lock down of users to one/two machines
    only takes their flexibility - there will be individuals that won't
    accept this "restriction" I guess.

    Cheers,
    Florian
     
    Florian Frommherz [MVP], Apr 22, 2009
    #5
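    The script-driven population of the "Log On To" attribute that Florian
    mentions, written out as an added example (not code from this thread or
    from any of its posters). It assumes the RSAT ActiveDirectory module is
    present, that the running account may modify the user objects, and that
    the CSV path, user names and workstation names are constructed samples;
    the real Set-ADUser -LogonWorkstations parameter is used to write the
    attribute, which stores comma-separated NetBIOS names.

```powershell
# Added example: restrict each user to the workstations listed in a CSV
# by setting the "Log On To" attribute (LogonWorkstations / userWorkstations).
# Assumptions: RSAT ActiveDirectory module installed; the caller can modify
# the target users; file, user and computer names below are constructed.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = ".\logon-map.csv"   # hypothetical mapping file
)

# Constructed sample mapping: one row per user, workstations separated by ';'.
# Domain admins are deliberately absent so their default (all computers) stays.
$sampleCsv = @"
SamAccountName,Workstations
jsmith,WS-JSMITH
mjones,WS-MJONES;WS-FRONTDESK
"@
if (-not (Test-Path $CsvPath)) {
    $sampleCsv | Set-Content -Path $CsvPath -Encoding UTF8
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $user = $row.SamAccountName.Trim()

    # The attribute expects comma-separated NetBIOS names: strip any DNS
    # suffix, trim whitespace, drop empty entries.
    $workstations = ($row.Workstations -split ';' |
        ForEach-Object { ($_ -replace '\..*$', '').Trim().ToUpperInvariant() } |
        Where-Object { $_ }) -join ','

    if (-not $workstations) {
        # An empty value would clear the restriction, so refuse rather than
        # silently leave the account able to log on everywhere.
        Write-Warning "${user}: no workstations listed, skipping"
        continue
    }

    $adUser = Get-ADUser -Identity $user -Properties LogonWorkstations -ErrorAction Stop
    if ($adUser.LogonWorkstations -eq $workstations) {
        Write-Verbose "${user}: already restricted to $workstations"
        continue
    }

    # -WhatIf / -Confirm are honoured here, so a dry run is possible first.
    if ($PSCmdlet.ShouldProcess($user, "Set LogonWorkstations to '$workstations'")) {
        Set-ADUser -Identity $user -LogonWorkstations $workstations
    }
}

# Audit pass: enabled users that are not Domain Admins and still have no
# restriction can log on to any domain-joined computer.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations, MemberOf |
    Where-Object {
        -not $_.LogonWorkstations -and
        -not ($_.MemberOf -match '^CN=Domain Admins,')
    } |
    Select-Object SamAccountName, LogonWorkstations
```

    Run it once with -WhatIf to see which accounts would change, then for
    real. Because this is a user-object setting and not a computer policy,
    no loopback processing is involved, and the audit at the end shows the
    gap Marcin points out: anyone not in the mapping file, visitors
    included, keeps the default of logging on anywhere.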
  6. Hello Kim,

    Open AD users and computers, go to the user account properties, account tab
    and configure "Logon to". In basic you take away one advantage of a domain,
    where all users can logon on any computer.

    If your reason is data security you should create a network share on a server
    and configure that one with security groups and NTFS permissions, so you
    have a central point for backup and the user machines are still flexible to
    use.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 22, 2009
    #6
  7. Kim K

    Kim K Guest

    Good morning everyone and thanks for the wonderful feedback!

    The reason for this lock down is data security, however not due to storage
    location. The office uses Act for their client database, and they want it
    locked down with different users having different permission rights, which
    went beyond the basic configuration of the program. We purchased addons for
    the product for each user and with that I can lock down all fields and deny
    print and export capability etc. The problem with this is that since it is
    not a server or administrator setting controlled at the server level, I have
    to import all registry settings and preferences into each machine under each
    user in the office, or the user can skip their machine and go to a different
    computer and login to Act and have free rein. This way if I lock out the
    alternate users I can protect this from happening.

    We do have several shared folders on the server that are backed up nightly;
    however, on the same topic, the owners want me to take and lock this down for
    no delete privs, no problem except that they will lock themselves out from
    moving, renaming etc. forms back and forth, so they want a time frame
    involved, and have me only allow access to data that comes in monthly, and
    once a month I am to move that data to the locked folder and repeat. That
    way they believe that 90% of their data is safe from deletion.

    Another topic discussed is how to prevent the users from attaching
    confidential data to email and sending it out? I can not think of one; if
    you have any ideas please share. My only thought was to see if their
    provider can limit email by size or file type and then limit large files from
    being sent.......

    Just my morning ramblings, please let me know if there is a simpler option
    out there as I see a lot of work on the horizon for me and since this is not
    my day job..........
     
    Kim K, Apr 22, 2009
    #7
  8. I agree, there will always be resistance!

    Cheers!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 22, 2009
    #8
  9. ..

    Hello Kim,

    I thought Act in server mode (or I forget what mode it is called) can do
    this centrally? I believe it has a multi-user feature where you install it
    centrally on a server, and control what permissions and rights users have,
    such as the way QuickBooks works in multi-user mode. It sounds to me like
    you have the full program installed on each individual workstation.

    Which version of Act do you have? Is it multiuser? If so, was it set up
    correctly in multiuser mode, and not just sharing a centralized database?

    As for preventing users from attaching emails, I remember this was brought
    up recently in another post. This is not possible to stop natively. Maybe a
    third party SMTP gateway that you can control attachment types and names,
    but that's about it. If a user has access to a file, they can attach it.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 22, 2009
    #9
  10. Kim K

    Kim K Guest

    Hi Again Ace,

    Yes, I think I did mention that email thing in another post. I explained to
    the business owners that short of terminating email for their users,
    preventing attaching or sending to email, especially in MS Office, is not possible, but
    they want to curtail it; my view is a good binding AUP and confidentiality
    agreement!

    RE: Act, yes it is installed on each user machine and the DB is on the
    server - Act 2009 Premium; the users are configured as such within Act, but
    unfortunately the 2 choices for the users are Browse (still able to print but
    not enter any notes) or Restricted (allows for exporting, printing, changing
    fields etc). What they want is everything locked out but the ability to enter
    notes, and not edit them once they click out of the notes field; that is a
    function within Act and is set, however the rest is up to a third party vendor
    called Exponenciel - for addons - Exponenciel.com, where we purchased
    Field protection and menu management for each user. Unfortunately, these 2
    addons, while integrating with Act, need to be installed on each user
    machine, are registered by user login name, and need to be registered under
    each user login name and under each domain name on each PC (an exported reg key
    took care of registration on each machine). If this is not done then the
    addon will not work: if it is not installed on each machine, or if it is
    installed but not for each user, then when the user logs in to another machine
    the addon errs out and everything is disabled and then visible and editable
    to the user. It is a tremendous amount of work to get it right and quite
    temperamental. So between the tweaks in Act (disabling tool and nav bars,
    notes editing, user settings) and the addons, field lock down and menu
    management, the users currently can only open the database and no others and
    do a contact lookup, and exit; everything else has been disabled or deleted
    or hidden.

    Fortunately, they caved on the right click, and I do not have to disable all
    the right click ability in the office, as I was going to have to install some
    mouse management software to configure the R click, hide it from the task bar,
    then run mmc, and hide the mouse control option in control panels. Phew!
     
    Kim K, Apr 22, 2009
    #10

  11. You can possibly use a GPO to control context menus (the right-click) for
    Windows Explorer. Take a look at a GPO, in the user section, Administrative
    Templates.

    As for that add-on, I'm not able to help in this area. This is something you
    would, I imagine, contact first your Act support contact, then the
    Exponenciel support folks to see what options you have to control it better.

    Back to attachments, you can remove the attachment button completely from
    Outlook by adding the Outlook 2003 and/or 2007 Administrative Template (from
    the Office resource kit and available for download) to control Outlook
    functions. But it is all or nothing. Of course you don't want to
    completely eliminate attachments. The best bet I can say is to set up a
    Journal mailbox on the Exchange server's mailbox store. Then give someone FC
    to this mailbox so they can add it to their Outlook profile. Journaling will
    copy each and every email inbound and outbound in the specific store you set
    it up on. This way whomever you give access to that mailbox can watch each
    and every email going in and out. Big Brother, some would say? Yes it is,
    but after all, the email system is for BUSINESS use, and assuming they've
    signed a TOS (terms of service) for IT resources specifically stating this
    is for business and not personal use, you can monitor emails, and take
    appropriate action based on the signed TOS. If you don't have the TOS in
    place, or if you do and do not have a subsection specifically stating this,
    I would suggest updating it immediately and walking around and having everyone
    sign it before implementing and monitoring emails.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 22, 2009
    #11
  12. Marcin

    Marcin Guest

    Ace,
    that's correct - providing that you apply this configuration to all users
    (including potential visitors from other locations)...

    best regards,
    Marcin
     
    Marcin, Apr 23, 2009
    #12
  13. A tedious task! But if that's what they need to do to accomplish their goal,
    then that's what they have to do!

    Cheers!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 23, 2009
    #13
