How to keep other domain users off my computer

Discussion in 'Operating Systems' started by kidtriton, Mar 30, 2005.

  1. kidtriton

    I am a domain administrator (2003) and I cannot figure out a way to allow only my domain account to be able to log on to my computer. I do not want any other user to be able to use their credentials to create a profile on my computer. Would this be something that would need to be done to my machine, or on the domain controller?
     
  2. rdubbz

    Have you tried removing "domain users" from the local user group?
     
  3. kidtriton

    I don't see it here, this is where you were referring to, correct:

    picture of groups
     
  4. rdubbz

  5. imported_JFG

    Maybe a BIOS password or running syskey
     
  6. Jzero

    Set the local security policy so that only your account has the logon interactively privilege. You may also need to add domain users or everyone to the deny logon interactively privilege, but I'm not sure on that.
     
  7. Woodie

    Create a GPO, and link/apply it to YOUR machine ONLY!!!

    Be very careful about it, otherwise NO ONE will be able to log on, and you'll have lots of 'splainin' to do.

    GPO Contents: (yes, we use this one here and it works :D )
    Computer Config->Windows Settings->Security Settings->Local Policies/User Rights Assignment:
    Policy: Allow log on locally
    Settings: DOMAIN\MyTrustedUsers, BUILTIN\Power Users, BUILTIN\Administrators.

    No deny necessary, just remove BUILTIN\Users from the setting. We added the Power Users to allow for corporate software distribution.
     
  8. kidtriton

    I don't use a BIOS password because if I'm working from home and my computer is off, I can call in and get someone to hit the power button and I can terminal in.

    Jzero, look at the picture I took below. The name that is scribbled out is my username, but when I try to remove administrators, it tells me that "administrators must be granted the logon local right". So basically I have narrowed it down to it letting the "administrators", which is me and 7 other people in the IT department, log on. (I am a member of that group also.) I wonder if there is a workaround that would remove the administrators from having local logon rights?

    picture of group policy
     
  9. kidtriton

    Woodie, I'm trying to follow exactly where you are talking about creating this, and since I am the one that builds all the machines here, I would only have to explain to myself, haha. I have an image of my computer from this morning that I can ghost back to if necessary. Thanks for the reply, I am going to try to dissect what you said and see if I can understand it.

    EDIT: When you are talking about creating a GPO, are you saying to do it on the domain controller? And when you say no one will be able to log in, are you talking about on the whole domain?

    ANOTHER EDIT: After looking at the post more carefully, it looks like what you are suggesting is the same thing I did and posted in the above post. I just can't get 'administrators' to remove from that policy.
     
  10. Jzero

    In that case you may also need to add yourself to local admins on your machine and then remove Domain Admins from local admins. I'm pretty sure it will let you do that...
     
  11. nweaver



    :thumbsup:



    Basically, check the local group "administrators" and make sure that "Domain Admin" and (sometimes added) "Domain Users" and any other reference to domain stuff is removed. Then add your domain account to the local administrators group.
     
  12. kidtriton

    I figured it all out. (I think.) I didn't see the "deny logon locally" setting before. So even though the administrators group has logon privilege, I added each of the other members of administrators (except myself) to the deny GPO. Hopefully, the deny with their name will override the allow with their group.

    The whole reason I'm doing this is because I am very picky about my computer. If I am not here, my co-workers have a habit of logging onto someone else's machine to do stuff on a "better" computer. I just don't want the greasy fingerprints and cookie crumbs in my keyboard, and the smudges on my monitor like everyone else's computer has. If they get a message that they can't log on, they will just move to someone else's machine and leave mine alone.
     
  13. Woodie

    GPOs live in the AD...so you can create them from the DC or a workstation w/ the right tools on it (GPMC), and of course Domain privileges. And yes, if you LINK (aka APPLY) the GPO to all the machines in the domain, then no users would be able to log in to those machines. So, when you LINK the GPO, link it only to your OU, or ACL the GPO so that YOUR WORKSTATION is the only one that the policy APPLIES to (Auth Users get READ but no APPLY).

    You are correct, you cannot remove Logon Locally from the BUILTIN\Administrators group. As posted, your best bet is to remove the Domain Admins from your local Administrators group, but make sure you add yourself to the Local Administrators group BEFORE you do the remove.
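
The order of operations recommended in the replies above (add your own account to the local Administrators group, confirm it, and only then remove Domain Admins), as an added example that is not part of any post in the thread. It assumes an elevated Windows PowerShell 5.1 or later session on the workstation; `CORP\kidtriton` and `CORP\Domain Admins` are placeholder names.

```powershell
# Added example, not code from the thread. Run elevated on the workstation itself.
# Both names below are placeholders: substitute your own domain and account.
$me           = 'CORP\kidtriton'
$domainAdmins = 'CORP\Domain Admins'

# 1. Add yourself to the local Administrators group FIRST.
$members = Get-LocalGroupMember -Group 'Administrators'
if ($members.Name -notcontains $me) {
    Add-LocalGroupMember -Group 'Administrators' -Member $me
}

# 2. Re-read the group and stop unless the add really took effect,
#    so the machine is never left without an administrator you control.
$members = Get-LocalGroupMember -Group 'Administrators'
if ($members.Name -notcontains $me) {
    throw "$me is not in local Administrators; not removing $domainAdmins."
}

# 3. Only now remove Domain Admins from the local group.
if ($members.Name -contains $domainAdmins) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $domainAdmins
}

# 4. Export the effective user rights and show the two settings discussed:
#    SeInteractiveLogonRight     = "Allow log on locally"
#    SeDenyInteractiveLogonRight = "Deny log on locally"
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Select-String -Pattern '^Se(Deny)?InteractiveLogonRight'
```

In the export, accounts and groups are listed mostly as SIDs prefixed with `*` (for example `*S-1-5-32-544` for BUILTIN\Administrators). An account named under the deny right is refused an interactive logon even when one of its groups is listed under the allow right.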