
Prevent "workstation only" login - selectively


  • Prevent "workstation only" login - selectively

    WINXP clients in a 2003 Domain

    Can I prevent "workstation only" logins based on a user's AD account status? Or do I have to disable this at a machine level?

    Any local user account would only exist due to normal domain login activity (I don't create any user specific ones).

    I would like to prevent even local workstation login for users with disabled AD accounts, but I guess given that the login is local, I'm going to have to restrict by machine (for instance, disabling cached credentials wouldn't stop local login, would it?).

    Can I remove local accounts on logout - or during the boot process (in the event of an unclean shutdown)?

    My objective is to prevent even local workstation login (and consequently use of local apps) in the event of a user's AD account being disabled. I'm looking for the best compromise.

  • #2
    Re: Prevent "workstation only" login - selectively

    So if we listed the local user accounts, and then disabled them all (except the local Administrator account), then if we changed the local administrator account's password, the objective would be achieved.

    Look at: Sample scripts for managing user accounts on local computers

    Then look at: Script to change administrator password

    The above should all be done through a Computer Startup script in Group Policy. I do not think you can use this to affect computers which are already logging on locally, as you have no GPO power over them, but as soon as any computer logs onto the domain, your scripts should then disable all local accounts leaving only the local Administrator account, which will then have a new password. You can deploy these scripts by creating a GPO linked to an OU in which your chosen computers (or users) reside so that takes care of the "selectively" part of the objective, though you could do this to all computers if you liked, making every (domain member) computer inaccessible to local logins.

    I do not understand this part:
    "Any local user account would only exist due to normal domain login activity"
    because I think that no local user accounts are created as a result of normal domain activity.
    Best wishes,
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
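    The "disable every local account except Administrator" part of the startup script described in the reply above, written out as an added example (this is not the script the reply links to, nor anything from the original thread). It assumes PowerShell is installed on the clients and that the script runs as SYSTEM from a Computer Startup GPO; the built-in Administrator is located by its well-known RID (500) rather than by name, so a renamed Administrator account is still kept.

```powershell
# Added example: disable all local user accounts except the built-in Administrator.
# Assumption: runs as SYSTEM from a Computer Startup script (GPO) on a domain member.
$computer = $env:COMPUTERNAME

# The built-in Administrator always has a SID ending in -500, whatever its display name.
$builtinAdmin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# Enumerate the local SAM through the WinNT ADSI provider and keep only user objects.
$container = [ADSI]"WinNT://$computer"
$localUsers = $container.psbase.Children |
    Where-Object { $_.psbase.SchemaClassName -eq 'user' }

foreach ($user in $localUsers) {
    $name = $user.psbase.Name

    if ($name -eq $builtinAdmin.Name) {
        Write-Output "Keeping built-in Administrator account '$name'"
        continue
    }

    # AccountDisabled is an IADsUser property, so read/write it via InvokeGet/InvokeSet.
    if ($user.InvokeGet('AccountDisabled')) {
        Write-Output "Local account '$name' is already disabled"
        continue
    }

    $user.InvokeSet('AccountDisabled', $true)
    $user.psbase.CommitChanges()
    Write-Output "Disabled local account '$name'"
}
```

    The script deliberately leaves the Administrator password alone: a password embedded in a startup script stored in SYSVOL is readable by every authenticated domain user, so that step belongs to a separate, managed mechanism rather than to this file.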