RE: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-13 Thread Sharif Naser

Hi Mike,

Sorry again for not reading your answer properly. Anyway, if automatic login 
needs to be enabled on a Windows 2000 domain, I need to add default domain, 
default user name, default password & change the AutoAdminLogon key from 0 to 1.

Regards,





Re: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread mike kline
To answer your follow-up: yes, you can also enable auto login on a W2K box.

http://support.microsoft.com/kb/315231
How To Enable Automatic Logon in Windows 2000 Professional

The policies and methods that Robert and I listed in the first few
messages will work on a Windows 2000 or 2003 domain.

Thanks
Mike

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread Sharif Naser

Thanks a lot, Mike, you have been very helpful.

Sorry for not making myself clear. Can this be achieved in a Win2k domain
environment?
I have already searched the web but I could not find any useful information.
 
Any help in this regard is really highly appreciated.
 
Regards,

Re: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread mike kline
This should help you 

http://support.microsoft.com/kb/315231
How to turn on automatic logon in Windows XP

You are definitely taking a risk with this box on your domain in the
open like this.

Since this box will be in the open with no logon requirements you will
want to really tighten security on this box.

On top of the OS lockdowns, at a minimum I would recommend putting a
password on the BIOS and preventing users from booting to a CD or USB
(easy enough to boot into Knoppix or use other methods to take control of
the box).

Thanks
Mike






RE: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread Sharif Naser

Thanks Mike & Robert.

Now, I have a bonus question which is how do I allow automatic login so
that I don't tag the password on the kiosk console.

Regards



RE: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread Robert Williams (RRE)
I meant to have this in my last post...

You could put the User Right "Deny Logon Locally" on all machines OTHER
than your kiosk machine to accomplish the other part of your scenario
(logging onto ONLY one machine).  The method mentioned below by Mike
would suffice also for that purpose.

Sorry for the extra junk in your mailbox ;-)  Have a good day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center



RE: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread Robert Williams (RRE)

Can you please be more specific?  You are seeking to allow only one specific
user to log on INTERACTIVELY on your kiosk machine??

I think one way would be to give only that user account (and local Admin, of
course) the “Allow Logon Locally” user right.  This would restrict Interactive
logon to only the users specified in this group policy (or local policy):

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

On XP or 2003, you can log on through Remote Desktop if you have the following
User Right (same path as above):

\Allow Logon through Terminal Services

I believe that “Remote Desktop Users” has the above right by default.

You could take more drastic steps as well if you’re afraid that the above
techniques won’t do the trick (e.g. permissions on C drive, ‘Documents and
Settings’, HKU, etc…).

I hope that helped!

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
Sent: Sunday, June 12, 2005 3:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

Hello experts,

I’m setting a kiosk machine, my question is how do I allow a specific user to
login  to my domain from only one machine & disallow other users from logging
from the same machine.

Regards,

DISCLAIMER:
This electronic message transmission contains information from Qatar Steel Company (QASCO)
which  may be confidential or privileged. The information is intended to be for the use of 
the individual or entity named above. Be aware that any disclosure,copying, distribution 
or use of the contents of this information,including attachments, is prohibited without 
the written consent of Qatar Steel Company (QASCO).



Re: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-12 Thread mike kline
To allow the user to only log on to that machine, go into their
Account tab and use the "Log On To" feature and only allow access to
that particular machine.

You could deny everyone else the right to log on locally using a policy.

This is the setting in the GPO

Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Go into "Log on Locally"  remove "Users, Power Users, and Backup
Operators" then add this particular user.  I would not remove the
administrators but you can do that and just add your account in case
you ever need to access the machine interactively.

Thanks
Mike


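The settings discussed across this thread (the "Log on Locally" and "Deny Logon Locally" user rights and the AutoAdminLogon values) can be checked on the kiosk with a short PowerShell audit. This is an added example, not part of any post in the thread; the function names, the kiosk account `kiosk1`, its SID and all sample data are constructed assumptions, and the `Se*` right names, well-known SIDs and Winlogon registry path are the standard Windows ones rather than values given in the thread.

```powershell
# Added example: audit who may log on at a kiosk and how auto-logon is set.
# Every SID, account name and value in the samples is a constructed placeholder.

# Well-known SIDs of the built-in groups named in the thread.
$WellKnown = @{
    'S-1-5-32-544' = 'Administrators';   'S-1-5-32-545' = 'Users'
    'S-1-5-32-547' = 'Power Users';      'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

# Turn the logon-right lines of a "secedit /export" file into name -> holders.
function Get-LogonRight {
    param([Parameter(Mandatory = $true)][string]$InfText)
    $rights = @{}
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*(Se\w*InteractiveLogonRight)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

# Compare the rights and the Winlogon values with the intended kiosk setup.
function Test-KioskLogon {
    param($Rights, $Winlogon, [string]$KioskSid, [string]$KioskUser)
    $findings = @()
    foreach ($sid in $Rights['SeInteractiveLogonRight']) {
        # Only Administrators and the kiosk account are expected here.
        if (@('S-1-5-32-544', $KioskSid) -notcontains $sid) {
            $who = if ($WellKnown.ContainsKey($sid)) { $WellKnown[$sid] } else { $sid }
            $findings += "Log on locally is still granted to: $who"
        }
    }
    if ($Rights['SeDenyInteractiveLogonRight'] -contains $KioskSid) {
        $findings += 'Kiosk account is listed under Deny log on locally'
    }
    if ("$($Winlogon.AutoAdminLogon)" -eq '1') {
        if ($Winlogon.DefaultUserName -ne $KioskUser) {
            $findings += "Auto-logon account is $($Winlogon.DefaultUserName), not $KioskUser"
        }
        if ($Winlogon.DefaultPassword) {
            $findings += 'Auto-logon is on and DefaultPassword is stored as plain text'
        }
    }
    return $findings
}

# Constructed sample: the built-in Users group was never removed from the right.
$kioskSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@
$sampleWinlogon = @{
    AutoAdminLogon = '1'; DefaultDomainName = 'EXAMPLE'
    DefaultUserName = 'kiosk1'; DefaultPassword = 'constructed-sample'
}
Test-KioskLogon -Rights (Get-LogonRight $sampleInf) -Winlogon $sampleWinlogon `
    -KioskSid $kioskSid -KioskUser 'kiosk1'

# On the kiosk itself (elevated prompt), use live data instead of the samples:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
#   $inf = Get-Content "$env:TEMP\rights.inf" -Raw
#   $wl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
#   Test-KioskLogon -Rights (Get-LogonRight $inf) -Winlogon $wl -KioskSid <sid> -KioskUser <name>
```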