Increase Number of "Log on to" Workstations

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Increase Number of "Log on to" Workstations

    I'm trying to increase the rangeUpper value of the Log on to Workstation attribute in the AD schema as detailed in kb article 938458 support.microsoft.co*/kb/938458

    However, after I modify the value, I still get the message that the limit is 64 workstations when I try to add a 65th.

    Is there anything I need to do in order to apply the change? I read an article which said I need to edit the registry to allow changes to the schema. I did this but have not rebooted yet. Is a reboot necessary in general to apply changes made to the schema?


    Thanks for the help.

  • #2
    Re: Increase Number of "Log on to" Workstations

    Since the list of individual PCs to allow logons to is getting large enough to even ask the question, why not apply a single Group Policy for either allowing or preventing users from logging on, whichever is the smaller grouping?

    Have a look at this link:
    http://4sysops.com/archives/deny-and...-group-policy/

    It should be simpler (if not a lot less dangerous than modifying the schema) to manage this through Policy with security group membership.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Increase Number of "Log on to" Workstations

      Concur with Rickles

      And I have to ask, what sort of environment is it where you
      a) need to restrict users to certain computers and
      b) have more than 64 computers per user?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Increase Number of "Log on to" Workstations

        Originally posted by RicklesP:
        Since the list of individual PCs to allow logons to is getting large enough to even ask the question, why not apply a single Group Policy for either allowing or preventing users from logging on, whichever is the smaller grouping?

        Have a look at this link:


        It should be simpler (if not a lot less dangerous than modifying the schema) to manage this through Policy with security group membership.
        Are you suggesting I edit the local policy on a machine and allow\disallow the entire user group log on rights? Or just edit a single user's local permissions on a single machine via GP? If I do the latter, it seems like there will be just as much editing as doing it by the log on to property in AD.



        • #5
          Re: Increase Number of "Log on to" Workstations

          Originally posted by Ossian:
          Concur with Rickles

          And I have to ask, what sort of environment is it where you
          a) need to restrict users to certain computers and
          b) have more than 64 computers per user?
          I don't think we "need" to. It's just that our environment was a lot smaller when we started, so we just kept doing it that way until we reached the limit.



          • #6
            Re: Increase Number of "Log on to" Workstations

            Unless there is a security reason to limit them, IMHO allow all users to log onto any workstation, so do not put anything in the "log on to" list

            If not, maintenance will become prohibitive
            Tom Jones
            Ossian Ltd



            • #7
              Re: Increase Number of "Log on to" Workstations

              Originally posted by Ossian:
              Unless there is a security reason to limit them, IMHO allow all users to log onto any workstation, so do not put anything in the "log on to" list

              If not, maintenance will become prohibitive
              It's a security thing.

              I might use the group policy settings that Rickles suggested, but what about an answer to the original question? Is a reboot of the DC necessary in order to apply changes made to the schema?
              Last edited by blashmet; 3rd June 2014, 23:40.



              • #8
                Re: Increase Number of "Log on to" Workstations

                As far as rebooting goes, if you have one DC it is worth a try; if you have many, check replication from the schema master FSMO holder.

                btw, what OS are the DCs running, and what domain and forest FLs are you at?

                Regarding the change, you say earlier that you "do not need to" and you "kept doing it that way" but now you say "its a security thing" - so which is it, and is there really a security reason (No, Mr Bond, we expect your logon to fail....)

                I have never, ever, had to limit users to particular workstations, and in an environment with >64 workstations (since you need to raise the default limit) and presumably >64 users too, you are setting yourself up for a great deal of administration managing it on a computer by computer basis. The setting is really a hangover from Windows NT, before group policies were invented.

                The preferred solution (as Rickles indicated) would be to group the users into security groups, and the workstations into OUs, then use the Group Policy setting to "allow logon locally" for an OU to the relevant group of users. Even this would be high maintenance depending on the combinations of users and computers you need to support.
                Tom Jones
                Ossian Ltd
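A read-only PowerShell check, added here as an example and not posted by anyone in the thread, that ties the original question to Ossian's replication point: it reads rangeUpper of the User-Workstations schema attribute (the one KB 938458 has you raise) both from the schema master and from whichever DC your console is bound to, warns if the two disagree, and then lists how close each user's "Log On To" list is to the limit actually in force. It assumes the ActiveDirectory module from RSAT; the OU path at the bottom is a placeholder.

```powershell
# Added example (not from the thread): read-only audit of the "Log On To" limit.
# Reads rangeUpper of the User-Workstations attribute from two DCs, then reports
# per-user usage against that limit. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-UserWorkstationsRangeUpper {
    # rangeUpper is the maximum length, in characters, of the attribute value.
    param([string]$Server)
    $srv = @{}
    if ($Server) { $srv['Server'] = $Server }
    $schemaNC = (Get-ADRootDSE @srv).schemaNamingContext
    $attr = Get-ADObject @srv -Identity "CN=User-Workstations,$schemaNC" -Properties rangeUpper
    [pscustomobject]@{
        Server     = if ($Server) { $Server } else { '(default DC)' }
        RangeUpper = [int]$attr.rangeUpper
    }
}

function Get-LogonWorkstationsUsage {
    # One row per user that has a "Log On To" list: entry count and headroom
    # against the limit you pass in (use the rangeUpper you just read).
    param([int]$RangeUpper = 1024, [string]$SearchBase)
    $scope = @{}
    if ($SearchBase) { $scope['SearchBase'] = $SearchBase }
    Get-ADUser @scope -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations |
        ForEach-Object {
            $value = [string]$_.userWorkstations          # comma-separated NetBIOS names
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Workstations   = @($value -split ',' | Where-Object { $_ }).Count
                Characters     = $value.Length
                CharactersLeft = $RangeUpper - $value.Length
            }
        } | Sort-Object Characters -Descending
}

# Compare the schema master with the DC the console is bound to (Ossian's check).
$schemaMaster = (Get-ADForest).SchemaMaster
$limits = @(
    Get-UserWorkstationsRangeUpper -Server $schemaMaster
    Get-UserWorkstationsRangeUpper
)
$limits | Format-Table -AutoSize
if (($limits.RangeUpper | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'rangeUpper differs between DCs: the schema change has not replicated yet.'
}

# Placeholder OU; drop -SearchBase to scan the whole domain.
Get-LogonWorkstationsUsage -RangeUpper $limits[0].RangeUpper `
    -SearchBase 'OU=Users - Engineering,DC=example,DC=com' | Format-Table -AutoSize
```

Nothing here writes to the directory; if the two rangeUpper values already match and a user still hits the 64-entry message, the limit being enforced is not the one you changed.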



                • #9
                  Re: Increase Number of "Log on to" Workstations

                  I've had a read of the KB article referenced in the original post. And it states quite clearly that the limitation is by design. Where they make an off-hand comment that this can be extended (from 1024 max characters to 8192), they also don't recommend you do it. And the original size limitation is the same from Win2000 up through 2012, according to the follow-up link given in that KB article.

                  I've also had a read of another MS article, at:
                  http://technet.microsoft.com/en-us/m...05.schema.aspx

                  It gives a fairly concise explanation of how to modify the schema of a forest (single-tree or multiple-tree, it's the same thing), and while it is a bit long-winded, in the conclusion it also states without ambiguity that changing the schema is something to be done when nothing else will do. But to answer your question, it appears that no reboot is required. But as Ossian said, worth a try.

                  But as also pointed out, with the # of users vs the # of PCs that you want to regulate logins for now, and your environment is still growing to whatever degree, it still is a much simpler solution to use Group Policy. Add users to groups, sort the PCs into OUs, and apply 'Allow logon locally' user rights centrally through Group Policy to those OUs, with security filtering applying to only the appropriate group, not the default 'Authenticated Users'. Your daily admin task is then simple group membership in AD. There must be some system which divides up which PC(s) a user can log into, or which users are allowed to log into a given PC, no? Use that logic to define your policy approach, make those changes, then remove the 'Log on to..' listing in everyone's user account properties.
                  *RicklesP*
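An added example, not from the thread, of how the security filtering RicklesP describes can be audited and then set with the GroupPolicy module: Apply goes to the intended group, while Authenticated Users is demoted to Read rather than removed, because computer accounts must still be able to read the GPO to process it. The GPO name 'Allow Logon - Engineering' and the group name 'Engineering' are placeholders; Set-GPPermission does not write the user rights themselves, which stay in the GPO editor, so this covers the filtering only.

```powershell
# Added example (not from the thread): audit, then set, the security filtering of
# the GPO that carries "Allow log on locally". Needs the GroupPolicy module (RSAT).
# GPO and group names at the bottom are placeholders.
Import-Module GroupPolicy

function Get-GpoApplyTrustees {
    # Names of the trustees that hold "Apply Group Policy" on the GPO.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

function Test-GpoFiltering {
    # Returns finding strings; no output means the filtering matches the intent.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName    # sAMAccountName, no domain prefix
    )
    $apply = @(Get-GpoApplyTrustees -GpoName $GpoName)
    if ($apply -contains 'Authenticated Users') {
        "Authenticated Users still has Apply on '$GpoName': the logon rights would be rewritten on every computer in the linked OUs."
    }
    if ($apply -notcontains $GroupName) {
        "'$GroupName' has no Apply on '$GpoName': the policy will not be processed for that group."
    }
}

function Set-GpoFiltering {
    # Live change: Authenticated Users keeps Read only, the intended group gets Apply.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

$gpo   = 'Allow Logon - Engineering'   # placeholder GPO name
$group = 'Engineering'                 # placeholder group (the thread's Domain\Engineering)

$before = @(Test-GpoFiltering -GpoName $gpo -GroupName $group)
if ($before) {
    $before | ForEach-Object { Write-Warning $_ }
    Set-GpoFiltering -GpoName $gpo -GroupName $group
    $after = @(Test-GpoFiltering -GpoName $gpo -GroupName $group)
    if ($after) { $after | ForEach-Object { Write-Warning "Still open: $_" } }
}
```

Run the audit half on its own first; Test-GpoFiltering makes no changes, so it is safe to point at every GPO that sets logon rights before touching any of them.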



                  • #10
                    Re: Increase Number of "Log on to" Workstations

                    Originally posted by RicklesP:
                    I've had a read of the KB article referenced in the original post. And it states quite clearly that the limitation is by design. Where they make an off-hand comment that this can be extended (from 1024 max characters to 8192), they also don't recommend you do it. And the original size limitation is the same from Win2000 up through 2012, according to the follow-up link given in that KB article.

                    I've also had a read of another MS article, at:


                    It gives a fairly concise explanation of how to modify the schema of a forest (single-tree or multiple-tree, it's the same thing), and while it is a bit long-winded, in the conclusion it also states without ambiguity that changing the schema is something to be done when nothing else will do. But to answer your question, it appears that no reboot is required. But as Ossian said, worth a try.

                    But as also pointed out, with the # of users vs the # of PCs that you want to regulate logins for now, and your environment is still growing to whatever degree, it still is a much simpler solution to use Group Policy. Add users to groups, sort the PCs into OUs, and apply 'Allow logon locally' user rights centrally through Group Policy to those OUs, with security filtering applying to only the appropriate group, not the default 'Authenticated Users'. Your daily admin task is then simple group membership in AD. There must be some system which divides up which PC(s) a user can log into, or which users are allowed to log into a given PC, no? Use that logic to define your policy approach, make those changes, then remove the 'Log on to..' listing in everyone's user account properties.

                    We already have users added to groups and PCs separated into OUs. I think the problem is that each member of the group isn't allowed to log on to all of the same PCs.



                    • #11
                      Re: Increase Number of "Log on to" Workstations

                      Once again, what is the precise security reason that a particular user is only allowed to log onto certain PCs?

                      (and what happens if all those PCs are in use/broken/otherwise not available?)
                      Tom Jones
                      Ossian Ltd



                      • #12
                        Re: Increase Number of "Log on to" Workstations

                        Originally posted by Ossian:
                        Once again, what is the precise security reason that a particular user is only allowed to log onto certain PCs?

                        (and what happens if all those PCs are in use/broken/otherwise not available?)
                        Users in the "engineering" group shouldn't be logging on to, for example, systems in the Accounting department. Even if their permissions after logging on prevented them from doing anything malicious, I think we'd rather have them ask IT to log on so we know what they are doing and when.

                        I'm not sure what you mean by "if all those PCs are in use/broken/etc.". If a machine is broken and someone tries to log on to it, they won't be able to (but I'm sure I misunderstood what you're asking).



                        • #13
                          Re: Increase Number of "Log on to" Workstations

                          In the scenario you outline, group policy is the way to go - organise your PCs into OUs and your users into groups (new groups if you need to) then use the "allow logon locally" policy to restrict users.

                          Maintaining an individual user "allow list" will lead to chaos, not to mention "fear, uncertainty and doubt"

                          Have to say, though, it still seems OTT - as long as there is no sensitive accounts data on it (and there should NOT be as it should all live on servers), I don't see a problem with an engineer slumming with the bean-counters and using one of their PCs once in a while
                          (OK, accountants visiting engineers will obviously never happen)
                          Tom Jones
                          Ossian Ltd



                          • #14
                            Re: Increase Number of "Log on to" Workstations

                            Ossian/RicklesP,

                            I'm trying to test your suggestion of allowing logon rights through group policy, but the test user can't logon. Here is what I have so far:

                            1. A user called "EngTest" that belongs to the Engineering users group and is located in the "Users - Engineering" OU. I added one system (that doesn't really exist) to his "logon to" list to prevent the "Allow logon to all systems" from being checked.

                            2. A computer (call it COMP1) in the "Computer - Engineering" OU.

                            3. A GPO linked to the "Computers - Engineering" OU with the following properties:

                            a. Security filtering: the settings in this GPO can only apply to the following groups, users, and computers: Authenticated users, COMP1, Domain\Engineering

                            b. Computer Config>Policies>Windows Settings>Security Settings>Local Policies/User Rights Assignment> Allow Log On Locally = Domain\Engineering and Allow log on through Terminal Services = Domain\Engineering

                            c. Enabled\Enforced


                            4. I logged onto COMP1 with my admin account and ran gpupdate /force.

                            5. I tried logging on to COMP1 with EngTest, but it says "Your account is configured to prevent you from using this computer."

                            Any ideas what I'm missing?



                            • #15
                              Re: Increase Number of "Log on to" Workstations

                              If you're going to use GP to limit who can log into which machine, clear the single non-existent PC name from the user's Log On To list, and check 'Allow logon to all systems.' Since the user's property specifies only 1 PC, policy doesn't get tested as the login is killed before it gets to that point.

                              Once you've done that, verify whether this test user can log onto this PC. Assuming all is OK, see if another test user who isn't in the Engineering Group can or cannot log into the same PC (shouldn't be able to.) No need to reinforce policy on this test, just user vs. group membership.

                              Once you're happy with how to relate the different groups to PC lists in OUs and the policies for each, then the planning for rollout starts.

                              IMPORTANT: This group policy you're setting will override the same setting on the client PCs. I believe that if you check the policy on any PC you haven't used for testing, you'll see that 'Builtin\Administrators, Authenticated Users' as a minimum are already entered at the PC. The 'Builtin\Administrators' group is just that, an admin group which includes Domain Admins by default. Enforcing this policy from the domain using GP will replace those settings, which means you may not be able to log in as an admin once enforced, unless you include the 'builtin\administrators' group in the security filtering of the policy. That's a habit you want to get into, so as not to lock yourself out. For each GP you create, be sure to add the admin group as well as the desired user group.
                              Last edited by RicklesP; 23rd June 2014, 21:36. Reason: Update to recommendation
                              *RicklesP*
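The lockout RicklesP warns about is easy to check for on the test PC before the policy is rolled out: the domain-delivered list replaces the local one, so if BUILTIN\Administrators (S-1-5-32-544) is not in it, admins lose that logon type on every machine the GPO reaches. The script below is an added example, not from the thread; it parses the [Privilege Rights] section of a secedit export and reports each checked right that lacks Administrators. $SampleInf is a constructed stand-in for the export so the parsing can be tried offline; the Export-LocalPolicy path needs an elevated prompt on the PC under test.

```powershell
# Added example (not from the thread): verify that BUILTIN\Administrators still
# holds the interactive and Remote Desktop logon rights after the GPO applies.
# $SampleInf is constructed; Export-LocalPolicy reads the live settings.

$AdministratorsSid = 'S-1-5-32-544'
$RightsToCheck = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}

function Get-PrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit .inf export into a
    # hashtable: right name -> array of SIDs/account names (a leading '*' marks a SID).
    param([Parameter(Mandatory)][string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or -not $t) { continue }
        $name, $value = $t -split '\s*=\s*', 2
        $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    return $rights
}

function Resolve-Principal {
    # Best-effort SID -> name; domain SIDs only resolve when a DC is reachable.
    param([string]$Value)
    try { ([System.Security.Principal.SecurityIdentifier]$Value).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Value }
}

function Test-AdminLogonRights {
    # One finding per checked right whose holder list lacks BUILTIN\Administrators.
    param([Parameter(Mandatory)][hashtable]$Rights)
    foreach ($right in $RightsToCheck.Keys) {
        $holders = @($Rights[$right])
        if ($holders -notcontains $AdministratorsSid) {
            [pscustomobject]@{
                Right   = $RightsToCheck[$right]
                Holders = ($holders | ForEach-Object { Resolve-Principal $_ }) -join ', '
                Finding = 'BUILTIN\Administrators missing: admins cannot use this logon type here'
            }
        }
    }
}

function Export-LocalPolicy {
    # Live path (elevated): secedit writes a UTF-16 .inf; returns its lines.
    $inf = Join-Path $env:TEMP 'localpolicy.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content -Path $inf -Encoding Unicode
}

# Constructed sample: Administrators present for local logon, missing for RDP,
# alongside a made-up domain group RID (1105) standing in for Domain\Engineering.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-AdminLogonRights -Rights (Get-PrivilegeRights -InfLines $SampleInf) | Format-Table -AutoSize
# On the test PC, swap in the live export:
# Test-AdminLogonRights -Rights (Get-PrivilegeRights -InfLines (Export-LocalPolicy))
```

With the constructed sample the output is a single row for 'Allow log on through Remote Desktop Services', which is the shape of the problem in post #14: both rights were set to Domain\Engineering only. An empty result from the live export is what you want to see before the GPO is linked anywhere beyond the test OU.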
