
Limit logon by computer

Status
Not open for further replies.

marko2002

Technical User
Dec 16, 2003
61
GB
Hi guys, is it at all possible to limit logon to domain by computer? I know it's possible to limit which workstations a user can log on to and also to limit their logon hours, but I need a way to specify that after a particular time only a specific group or OU can log onto local workstations in a Server 2003 domain.

I don't necessarily wish to limit their accounts, just prevent them from logging on to local workstations after a particular time.

Much appreciated.
Marko
 
Well, I know you can only have certain users or groups log onto a particular machine. That is easy.

On XP I know for sure this works:

1) Go to Local Users and Groups on the XP box
2) Select "Groups"
3) On the right double click "Users"
4) Remove "NT AUTHORITY\Authenticated Users" (This will make it so any authenticated user will not be able to logon)
5) Click "Add" and add only the user or group you want to logon

This accompanied by logon restrictions should provide the result you are looking for (/me thinks).

--me

p.s. You can not only do this for the users group but other groups as well.

A+, Network+, MCP
========================================>
My first computer was the Atari 400 (heh)
 
I don't see the difference between saying you know you can restrict logon hours and then saying you want to be able to restrict logon times to a specific group. Seems that is the answer you are looking for. What am I missing?

I hope you find this post helpful.

Regards,

Mark
 
Guys, thanks a mill for your responses and while your suggestion ntfsDOTsys is almost what I was after it isn't unfortunately quite it. Here's why I want such a facility.

At, say, 9.54pm I run a shutdown command from the PDC (scheduled task) which will shut down all the local workstations on my domain by giving 5 minutes notice. All those accounts which I then do not wish to log back on to the domain have logon time restrictions on their accounts (i.e. cannot logon to the domain between the hours of 10pm and 7am).

Unfortunately, it would appear that some local users are then managing to log back on to the domain locally using other people's accounts, such as friends, etc. I know it's possible to also restrict their accounts in the same way and more importantly they shouldn't be allowing other people to log on with their accounts, though if I can find a way to stop local users logging on to any machine after, say, 10pm then I'd rather do this than start chasing users about inappropriate use!

Using ntfsDOTsys's suggestion, I could certainly remove any of these groups using a script on shutdown at 10pm although I obviously wouldn't want the groups added again until say 7am the next morning! Any other suggestions? . . . and thanks again guys so far.
 
First I would force everyone to change their password and let them know that if you learn of any other compromised passwords that you will force them to change it again.

Second, I think you could accomplish your goal by using a few scripts.

1. On your server: a script that connects to the workstations and stops the Netlogon Service.

2. A workstation startup script that checks the time of day and depending on that will either start or stop the Netlogon Service.

3. On your server: a script that connects to the workstations and starts the Netlogon Service.

I think the above should cover all bases.

I hope you find this post helpful.

Regards,

Mark
 
Mark, thanks for the advice and this definitely seems to be what I'm after, although scripting isn't exactly my forte I'm afraid - though stopping the Netlogon service wouldn't pose a particular problem I'd be lost at creating a startup script for the workstations to check for time, etc . . any suggestions on how I could go about creating this?
 
You will find examples of how to check the current time of day and take specific actions in my login script FAQ. Take a look at the section for setting a voice greeting. It determines Morning, Afternoon or Evening. Just make yourself a vbscript and you can then push it out via GPO as a startup script by adding it in the COMPUTER CONFIGURATION section of the policy. faq329-5798

I hope you find this post helpful.

Regards,

Mark
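
A sketch of the workstation startup script described in step 2 of the earlier post, added here as an example; it is not code from this thread or from faq329-5798. The 10pm to 7am window comes from the thread; the use of WMI, the constant and function names, and the event-log messages are assumptions.

```vbscript
' Added example: computer startup script that stops Netlogon inside the
' restricted window and starts it outside the window.
' Assumptions: window of 22:00-07:00 (from the thread), script is assigned
' under Computer Configuration so it runs as Local System.
Option Explicit

Const BLOCK_START_HOUR = 22      ' 10pm, start of the restricted window
Const BLOCK_END_HOUR = 7         ' 7am, end of the restricted window
Const SERVICE_NAME = "Netlogon"
Const EVT_INFO = 4               ' WScript.Shell.LogEvent: information
Const EVT_WARN = 2               ' WScript.Shell.LogEvent: warning

Dim shell, wmi, services, svc, rc

' True when hour h (0-23) falls inside a window that wraps past midnight.
Function InBlockedWindow(h)
    InBlockedWindow = (h >= BLOCK_START_HOUR) Or (h < BLOCK_END_HOUR)
End Function

' Write the WMI return code to the Application log (0 means success).
Sub Report(action, code)
    If code = 0 Then
        shell.LogEvent EVT_INFO, SERVICE_NAME & " " & action & " by startup script"
    Else
        shell.LogEvent EVT_WARN, SERVICE_NAME & " " & action & " failed, WMI code " & code
    End If
End Sub

Set shell = CreateObject("WScript.Shell")
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set services = wmi.ExecQuery( _
    "SELECT * FROM Win32_Service WHERE Name='" & SERVICE_NAME & "'")

For Each svc In services
    If InBlockedWindow(Hour(Now)) Then
        ' Inside the window: make sure the service is not running.
        If svc.State <> "Stopped" Then
            rc = svc.StopService()
            Report "stop", rc
        End If
    Else
        ' Outside the window: make sure the service is running again.
        If svc.State <> "Running" Then
            rc = svc.StartService()
            Report "start", rc
        End If
    End If
Next
```

This only acts at boot, so a workstation left running across 10pm or 7am still depends on the server-side scripts in steps 1 and 3. Test on one workstation whether cached domain logons are still accepted while the service is stopped.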
 
You might also find this useful.

You can create a GPO that applies to your computers you wish to control. In this GPO, use the "restricted groups" to fix the local groups on the client PCs to what you want them to be. You could fix it so that only members of a specific group or groups can log onto those PCs. Put all the controlled users in one of these groups. This is also a nice feature if you are working with a group such as accountants. A policy like this would guarantee only accountants could log onto accountant PCs because you specified the local user group and added only the accountants to it in this policy.

A+/MCP/MCSE/MCDBA
 
Guys, thanks again for your help, I'll investigate and let you know how I get on . . [2thumbsup]
 