Announcement

Collapse
No announcement yet.

Whats the easist way?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Whats the easist way?

    to disable local logins for all clients on a domain

    Cheers

  • #2
    And then how would you logon onto them ?

    Create a GPO and set Deny Logon Locally rights and add Domain\Domain Users into it.

    topper
    * Shamelessly mentioning "Don't forget to add reputation!"

    Comment


    • #3
      i maybe wrong but i think he means disable local accounts on the pc.
      Server 2000 MCP
      Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

      ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

      Comment


      • #4
        yeah sorry
        i mean local accounts

        so domin is only option

        Comment


        • #5
          One thing you can do is NOT TO BUILD ANY LOCAL ACCOUNTS.

          And also, so not make any user the local admin of any machine.

          And, last, disable the cached logons, so that nobody can logon in case the DC is out (or the network cable is disconnected).

          So now, the user only has one option to logon, and if they do not know the password of the local admin, they cannot do anything else.
          Cheers,

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT

          Comment


          • #6
            if all machines have been installed and local administrator set to that machine by previous employer, surely i can set a security policy on the domain to dissallow local PC logons, same as you can on 2003 servers?

            Comment


            • #7
              Well, you can try and let us know what happened...

              Actually it all depends on who you're dealing with. Pre-college teenagers, or responsible hard-working co-workers.

              :P
              Cheers,

              Daniel Petri
              Microsoft Most Valuable Professional - Active Directory Directory Services
              MCSA/E, MCTS, MCITP, MCT

              Comment


              • #8
                Originally posted by danielp
                Actually it all depends on who you're dealing with. Pre-college teenagers, or responsible hard-working co-workers.

                :P
                Current college teenagers are the ones you have to look out for!
                Server 2000 MCP
                Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

                ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

                Comment


                • #9
                  In addition to what Daniel has said, remove Users group from the Allow Logon Locally setting in the GPO linked to the computers in question.
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"

                  Comment


                  • #10
                    Originally posted by topper
                    And then how would you logon onto them ?

                    Create a GPO and set Deny Logon Locally rights and add Domain\Domain Users into it.

                    topper
                    If you do this! You will not be able to log in with domain accounts locally.
                    I think you trying to say Deny logon locally for local users. Butt the local admin account must be allowed to do it.
                    MCSE w2k
                    MCSA w2k - MCSA w2k MESSAGING
                    MCDBA SQL2k

                    Comment

                    Working...
                    X