How to keep other domain users off my computer

kidtriton

Member
Jul 27, 2002
I am a domain administrator (2003) and I cannot figure out a way to allow only my domain account to be able to log on to my computer. I do not want any other user to be able to use their credentials to create a profile on my computer. Would this be something that would need to be done to my machine, or on the domain controller?
 

Jzero

Lifer
Oct 10, 1999
Set the local security policy so that only your account has the logon interactively privilege. You may also need to add domain users or everyone to the deny logon interactively privilege, but I'm not sure on that.
 

Woodie

Platinum Member
Mar 27, 2001
Create a GPO, and link/apply it to YOUR machine ONLY!!!

Be very careful about it, otherwise NO ONE will be able to log on, and you'll have lots of 'splainin' to do.

GPO Contents: (yes, we use this one here and it works :D )
Computer Config->Windows Settings->Security Settings->Local Policies/User Rights Assignment:
Policy: Allow log on locally
Settings: DOMAIN\MyTrustedUsers, BUILTIN\Power Users, BUILTIN\Administrators.

No deny necessary, just remove BUILTIN\Users from the setting. We added the Power Users to allow for corporate software distribution.
 

kidtriton

Member
Jul 27, 2002
I don't use a BIOS password because if I'm working from home and my computer is off I can call in and get someone to hit the power button and I can terminal in.


Jzero, look at the picture I took below; the name that is scribbled out is my username, but when I try to remove administrators, it tells me that "administrators must be granted the logon local right". So basically I have narrowed it down to it letting the "administrators", which is me and 7 other people in the IT department, log on (I am a member of that group also). I wonder if there is a workaround that would remove the administrators from having local logon rights?

picture of group policy
 

kidtriton

Member
Jul 27, 2002
Originally posted by: Woodie
Create a GPO, and link/apply it to YOUR machine ONLY!!!

Be very careful about it, otherwise NO ONE will be able to log on, and you'll have lots of 'splainin' to do.


Woodie, I'm trying to follow exactly where you are talking about creating this, and since I am the one that builds all the machines here, I would only have to explain to myself, haha. I have an image of my computer from this morning that I can ghost back to if necessary. Thanks for the reply; I am going to try to dissect what you said and see if I can understand it.

EDIT: when you are talking about creating a GPO, are you saying to do it on the domain controller? And when you say no one will be able to log in, are you talking about the whole domain?

ANOTHER EDIT: after looking at the post more carefully, it looks like what you are suggesting is the same thing I did and posted in the above post. I just can't get 'administrators' removed from that policy.
 

Jzero

Lifer
Oct 10, 1999
Originally posted by: kidtriton
when I try to remove administrators, it tells me that "administrators must be granted the logon local right".

In that case you may also need to add yourself to local admins on your machine and then remove Domain Admins from local admins. I'm pretty sure it will let you do that...
 

nweaver

Diamond Member
Jan 21, 2001
Originally posted by: Jzero
Originally posted by: kidtriton
when I try to remove administrators, it tells me that "administrators must be granted the logon local right".

In that case you may also need to add yourself to local admins on your machine and then remove Domain Admins from local admins. I'm pretty sure it will let you do that...



:thumbsup:



Basically, check the local group "administrators" and make sure that "Domain Admins" and (sometimes added) "Domain Users" and any other reference to domain stuff is removed. Then add your domain account to the local administrators group.
 

kidtriton

Member
Jul 27, 2002
I figured it all out (I think). I didn't see the "deny logon locally" setting before. So even though the administrators group has the logon privilege, I added each of the other members of administrators (except myself) to the deny GPO. Hopefully the deny with their name will override the allow with their group.

The whole reason I'm doing this is because I am very picky about my computer. If I am not here, my co-workers have a habit of logging onto someone else's machine to do stuff on a "better" computer. I just don't want the greasy fingerprints and cookie crumbs in my keyboard, and the smudges on my monitor like everyone else's computer has. If they get a message that they can't log on, they will just move to someone else's machine and leave mine alone.
 

Woodie

Platinum Member
Mar 27, 2001
GPOs live in the AD, so you can create them from the DC or a workstation with the right tools on it (GPMC) and of course domain privileges. And yes, if you LINK (aka APPLY) the GPO to all the machines in the domain, then no users would be able to log in to those machines. So, when you LINK the GPO, link it only to your OU, or ACL the GPO so that YOUR WORKSTATION is the only one that the policy APPLIES to (Auth Users get READ but no APPLY).

You are correct, you cannot remove Logon Locally from the BUILTIN\Administrators group. As posted, your best bet is to remove Domain Admins from your local Administrators group, but make sure you add yourself to the local Administrators group BEFORE you do the remove.
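The two fixes the thread converges on (nweaver's and Woodie's posts above) are an audit-and-change job on the workstation itself, and the ordering Woodie insists on (add yourself to local Administrators before Domain Admins is removed) is exactly the kind of step a script should enforce rather than leave to memory. The PowerShell below is an added example and is not any poster's own procedure or tooling; it runs in an elevated PowerShell 5.1 or later session on the workstation (the 2003-era machines in the thread would need the older GUI or net localgroup instead), and `$DomainName`, `$MyAccount` and the "Domain Admins" group name are placeholders to replace. It first exports the effective local user rights with `secedit` and lists who holds "Allow log on locally" and "Deny log on locally" (a Deny user right takes precedence over the matching Allow, which is why kidtriton's per-user deny entries work against the BUILTIN\Administrators allow), then checks the local Administrators group and only removes Domain Admins when the kept account is already a member. Without `-Apply` it only reports.

```powershell
<#
Added example, not from this thread. Audits (and with -Apply, changes) the
"log on locally" picture on ONE workstation. Assumptions: elevated PowerShell
5.1+ on the workstation itself; $DomainName / $MyAccount are placeholders.
#>
param(
    [string]$DomainName = 'DOMAIN',            # placeholder: NetBIOS domain name
    [string]$MyAccount  = 'DOMAIN\kidtriton',  # placeholder: the one account to keep
    [switch]$Apply                              # default is report-only
)

$Administrators = 'Administrators'
$DomainAdmins   = "$DomainName\Domain Admins"

# --- 1. Who does the effective local policy allow / deny to log on locally?
# secedit writes lines such as "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545";
# each entry is a SID prefixed with '*', which we translate back to a readable name.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-RightHolders {
    param([string]$Right)
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }               # right granted to nobody
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }                        # keep entries that are not SIDs as-is
    }
}

'Allow log on locally (SeInteractiveLogonRight):'
Get-RightHolders 'SeInteractiveLogonRight'     | ForEach-Object { "  $_" }
'Deny log on locally (SeDenyInteractiveLogonRight), wins over any Allow:'
Get-RightHolders 'SeDenyInteractiveLogonRight' | ForEach-Object { "  $_" }
Remove-Item $inf -Force

# --- 2. Local Administrators group. BUILTIN\Administrators cannot lose the allow
# right (the error kidtriton hit), so membership of that group decides who can log on.
$members = Get-LocalGroupMember -Group $Administrators | Select-Object -ExpandProperty Name
"Local $Administrators members: $($members -join ', ')"

$haveMe           = $members -contains $MyAccount
$haveDomainAdmins = $members -contains $DomainAdmins

if (-not $haveMe) {
    "[!] $MyAccount is not a local administrator yet; it must be added BEFORE anything is removed."
    if ($Apply) {
        Add-LocalGroupMember -Group $Administrators -Member $MyAccount
        $haveMe = $true
    }
}

if ($haveDomainAdmins) {
    if ($haveMe) {
        "[!] $DomainAdmins is in local $Administrators, so all its members can still log on here."
        if ($Apply) { Remove-LocalGroupMember -Group $Administrators -Member $DomainAdmins }
    } else {
        # Refuse the dangerous ordering: removing Domain Admins first would lock the owner out.
        "[x] Not removing $DomainAdmins because $MyAccount is not in the group yet."
    }
}

if (-not $Apply) { 'Report only. Re-run with -Apply to make the changes listed above.' }
```

Run it once without `-Apply` to see the current allow/deny lists and group membership, confirm the kept account shows up, then re-run with `-Apply`. Because the script refuses to remove Domain Admins while the kept account is absent, the lock-out sequence Woodie warns about cannot happen even if the two steps are run in the wrong order by hand.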