Go Back   AnandTech Forums > Software > Operating Systems

Forums
· Hardware and Technology
· CPUs and Overclocking
· Motherboards
· Video Cards and Graphics
· Memory and Storage
· Power Supplies
· Cases & Cooling
· SFF, Notebooks, Pre-Built/Barebones PCs
· Networking
· Peripherals
· General Hardware
· Highly Technical
· Computer Help
· Home Theater PCs
· Consumer Electronics
· Digital and Video Cameras
· Mobile Devices & Gadgets
· Audio/Video & Home Theater
· Software
· Software for Windows
· All Things Apple
· *nix Software
· Operating Systems
· Programming
· PC Gaming
· Console Gaming
· Distributed Computing
· Security
· Social
· Off Topic
· Politics and News
· Discussion Club
· Love and Relationships
· The Garage
· Health and Fitness
· Merchandise and Shopping
· For Sale/Trade
· Hot Deals with Free Stuff/Contests
· Black Friday 2013
· Forum Issues
· Technical Forum Issues
· Personal Forum Issues
· Suggestion Box
· Moderator Resources
· Moderator Discussions
   

Reply
 
Thread Tools
Old 03-30-2005, 06:54 AM   #1
kidtriton
Member
 
Join Date: Jul 2002
Posts: 39
Default How to keep other domain users off my computer

I am a domain administrator (2003) and i cannot figure out a way to allow only my domain account to be able to log on to my computer. I do not want any other user to be able to use their credentials to create a profile on my computer. Would this be something that would need to be done to my machine, or on the domain controller?
kidtriton is offline   Reply With Quote
Old 03-30-2005, 07:13 AM   #2
rdubbz
Diamond Member
 
rdubbz's Avatar
 
Join Date: Jan 2004
Posts: 5,018
Default How to keep other domain users off my computer

Have you tried removing "domain users" from the local user group?
rdubbz is offline   Reply With Quote
Old 03-30-2005, 07:29 AM   #3
kidtriton
Member
 
Join Date: Jul 2002
Posts: 39
Default How to keep other domain users off my computer

I don't see it here, this is where you were referring to, correct:

picture of groups
kidtriton is offline   Reply With Quote
Old 03-30-2005, 07:33 AM   #4
rdubbz
Diamond Member
 
rdubbz's Avatar
 
Join Date: Jan 2004
Posts: 5,018
Default How to keep other domain users off my computer

Thats it.
rdubbz is offline   Reply With Quote
Old 03-30-2005, 07:40 AM   #5
imported_JFG
Senior Member
 
Join Date: Feb 2005
Posts: 207
Default How to keep other domain users off my computer

Maybe a BIOS password or running syskey
imported_JFG is offline   Reply With Quote
Old 03-30-2005, 07:56 AM   #6
Jzero
Lifer
 
Join Date: Oct 1999
Posts: 18,843
Default How to keep other domain users off my computer

Set the local security policy so that only your account has the logon interactively privilege. You may also need to add domain users or everyone to the deny logon interactively privilege, but I'm not sure on that.
__________________
They call me Jzero.
---

  • \ /
    \/
    :clock:

Flava-Flavicon is dedicated to the memory of my friend, lover, and soulmate Schizoid
---
Stave it off, 1-2-3 and now you can count to 3!
---
Purgamentum Init, Exit Purgamentum
Jzero is offline   Reply With Quote
Old 03-30-2005, 08:16 AM   #7
Woodie
Platinum Member
 
Join Date: Mar 2001
Posts: 2,747
Default How to keep other domain users off my computer

Create a GPO, and link/apply it to YOUR machine ONLY!!!

Be very careful about it, otherwise NO ONE will be able to log on, and you'l have lots of 'splainin' to do.

GPO Contents: (yes, we use this one here and it works )
Computer Config->Windows Settings->Security Settings->Local Policies/User Rights Assignment:
Policy: Allow log on locally
Settings: DOMAIN\MyTrustedUsers, BUILTIN\Power Users, BUILTIN\Administrators.

No deny necessary, just remove BUILTIN\Users from the setting. We added the Power Users to allow for corporate software distribution.
__________________
--Woodie

My Rigs
Heat
Woodie is offline   Reply With Quote
Old 03-30-2005, 08:16 AM   #8
kidtriton
Member
 
Join Date: Jul 2002
Posts: 39
Default How to keep other domain users off my computer

i dont use a bios password because if im working from home and my computer is off i can call in and get someone to hit the power button and i can terminal in.


Jzero, look at the picture i took below, the name that is scribbled out is my username, but when i try to remove administrators, it tells me that "administrators must be granted the logon local right". So basically i have narrowed it down to it letting the "administrators", which is me and 7 other people in the IT department logon. (i am a member of that group also). I wonder if there is a workaround that would remove the administrators from having local logon rights?

picture of group policy
kidtriton is offline   Reply With Quote
Old 03-30-2005, 08:20 AM   #9
kidtriton
Member
 
Join Date: Jul 2002
Posts: 39
Default How to keep other domain users off my computer

Quote:
Originally posted by: Woodie
Create a GPO, and link/apply it to YOUR machine ONLY!!!

Be very careful about it, otherwise NO ONE will be able to log on, and you'l have lots of 'splainin' to do.

woodie, im trying to follow exactly where you are talking about creating this, and since i am the one that builds all the machines here, i would only have to explain to myself, haha. I have an image of my computer from this morning that i can ghost back to if neccessary. Thanks for the reply, i am going to try to dissect what you said and see if i can understand it.

EDIT: when you are talking about creating a GPO, are you saying to do it on the domain controller? and when you say no one will be able to log in, are you talking about on the whole domain?

ANOTHER EDIT: after looking at the post more carefully, it looks like what you are suggesting is the same thing i did and posted in the above post. I just cant get 'administrators' to remove from that policy.
kidtriton is offline   Reply With Quote
Old 03-30-2005, 08:58 AM   #10
Jzero
Lifer
 
Join Date: Oct 1999
Posts: 18,843
Default How to keep other domain users off my computer

Quote:
Originally posted by: kidtriton
when i try to remove administrators, it tells me that "administrators must be granted the logon local right".
In that case you may also need to add yourself to local admins on your machine and then remove Domain Admins from local admins. I'm pretty sure it will let you do that...
__________________
They call me Jzero.
---

  • \ /
    \/
    :clock:

Flava-Flavicon is dedicated to the memory of my friend, lover, and soulmate Schizoid
---
Stave it off, 1-2-3 and now you can count to 3!
---
Purgamentum Init, Exit Purgamentum
Jzero is offline   Reply With Quote
Old 03-30-2005, 09:03 AM   #11
nweaver
Diamond Member
 
Join Date: Jan 2001
Posts: 6,813
Default How to keep other domain users off my computer

Quote:
Originally posted by: Jzero
Quote:
Originally posted by: kidtriton
when i try to remove administrators, it tells me that "administrators must be granted the logon local right".
In that case you may also need to add yourself to local admins on your machine and then remove Domain Admins from local admins. I'm pretty sure it will let you do that...






basiclly check the local group "administrators" and make sure that "Domain Admin" and (sometimes added) "Domain Users" and any other reference to domain stuff is removed. THen add your domain account to the local administrators group.
nweaver is offline   Reply With Quote
Old 03-30-2005, 09:08 AM   #12
kidtriton
Member
 
Join Date: Jul 2002
Posts: 39
Default How to keep other domain users off my computer

i figured it all out. (i think) I didnt see the "deny logon locally" setting before. So even though the administrators group has logon privelage, i added each of the other members of administrators (except myself) to the deny gpo. Hopefully, the deny with their name will override the allow with thier group.

The whole reason im doing this is because i am very picky about my computer. If i am not here, my co-workers have a habit of logging onto someone elses machine to do stuff on a "better" computer. I just dont want the greasy fingerprints and cookie crumbs in my keyboard, and the smudges on my monitor like everyone elses computer has. If they get a message that they cant log on, they will just move to someone elses machine and leave mine alone.
kidtriton is offline   Reply With Quote
Old 03-30-2005, 09:08 AM   #13
Woodie
Platinum Member
 
Join Date: Mar 2001
Posts: 2,747
Default How to keep other domain users off my computer

GPOs live in the AD...so you can create them from the DC or a workstation w/ the right tools on it. (GPMC) and of course Domain privileges. And yes, if you LINK (aka APPLY) the GPO to all the machines in the domain, then no users would be able to log in to those machines. So, when you LINK the gpo, link it only to your OU, or ACL the GPO so that YOUR WORKSTATION is the only one that the policy APPLIES to (Auth Users get READ but no APPLY)

Your are correct, you cannot remove Logon Locally from the BUILTIN\Administrators group. As posted, your best bet is to remove the Domain Admins from your local Administrators group, but make sure you add yourself to the Local Administrators group BEFORE you do the remove.
__________________
--Woodie

My Rigs
Heat
Woodie is offline   Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 11:14 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.