Locking a user down to a single computer!


Post by QBob » Thu, 20 Jan 2005 09:28:55


Hi, thanks for reading. I am looking for some advice on locking a user down
to a single computer using GP or any other method, within a domain. The
user needs access to email, internet and network shares so I am a little
limited in how locked down I can make the user. I would like to do this
within a separate OU and not affect my entire domain by locking the person
out of every PC at the domain level and then allowing through at a lower
level, but am open to all ideas. My network is a Windows 2000 network with
multiple DCs. Thanks!
 
 
 


Post by MV » Thu, 20 Jan 2005 09:47:47



Here is a quick and dirty way. Insert the following line into the logon
script:

if /i "%UserName%"=="JSmith" if /i not "%ComputerName%"=="PC10" c:\tools\shutdown.exe /L

There are various versions of shutdown.exe: one with WinXP, some freely
downloadable. The "logoff" switch is different from one version to the next.

 
 
 


Post by Cary Shult » Thu, 20 Jan 2005 09:48:50

There are a lot of ways to do this. I might take a look at using the 'deny
logon locally' solution. It can be found here:

Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Use a security group and make that one specific user account object the only
member of that group. Then apply the Deny Logon Locally right to that
group. You would create an OU and move all of the computer account objects
(except the one where he/she is supposed to be able to use) into that OU.
Then create the GPO and link it to that OU.

This might be one way to do this.

If moving all of the computer account objects EXCEPT ONE to a separate OU
causes a problem for you then you might want to take a look at Group
Filtering.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.yqcomputer.com/
 
 
 


Post by Roger Abel » Thu, 20 Jan 2005 10:56:51

If your AD is with NetBIOS support, then just use the properties of
that one account to define its allowed computers.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA


 
 
 


Post by Greg » Fri, 21 Jan 2005 01:21:48

Yes, specify in the user's account that he can only use a particular
computer. In addition to that, you may want to use a mandatory
profile. Log on as the user, set it up the way you want it, make sure
the user is not added to the local administrators group or even power
users group. Once all the settings are locked the way you want them, use
the mandatory profile and he will not be able to make changes on the PC
or his profile.

Greg Halpin
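
The account-level restriction suggested in the two replies above, as an added example that is not part of any post in this thread: it sets the allowed-computers list on one account, refuses names that have no computer account, and lists every account carrying such a restriction. It assumes the RSAT ActiveDirectory PowerShell module on a management workstation; JSmith and PC10 are the sample names used earlier in the thread, and the function names are hypothetical.

```powershell
# Added example: restrict an account to named workstations and verify the result.
# Assumes the RSAT ActiveDirectory module; JSmith and PC10 are sample names.
Import-Module ActiveDirectory

function Set-AllowedWorkstation {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$Computer
    )
    # The restriction is stored in the userWorkstations attribute as a
    # comma-separated list of computer names; normalise and de-duplicate first.
    $names = $Computer |
        ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($n in $names) {
        # A mistyped name would leave the user unable to log on at the
        # intended PC, so require a matching computer account.
        if (-not (Get-ADComputer -Filter "Name -eq '$n'")) {
            throw "No computer account named '$n' in the domain"
        }
    }

    Set-ADUser -Identity $User -LogonWorkstations ($names -join ',')

    # Read the value back so the change is confirmed rather than assumed.
    (Get-ADUser -Identity $User -Properties LogonWorkstations).LogonWorkstations
}

function Get-RestrictedUser {
    # Every account with a workstation restriction, for periodic review.
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

Set-AllowedWorkstation -User 'JSmith' -Computer 'PC10'
Get-RestrictedUser | Format-Table -AutoSize
```

Unlike a logon-script check, this restriction is evaluated by the domain controller at authentication time, so it does not depend on anything running on the workstation.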
 
 
 


Post by QBob » Fri, 21 Jan 2005 01:31:33

Fantastic Ideas! Thanks all, worked perfectly!