Announcement

Collapse
No announcement yet.

Disable Local Logon and Creation of New Users

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Disable Local Logon and Creation of New Users

    Ok.. Setup is:
    • domain controller (2008 R2)

    • 10 workstations (xp)

    • 10 employees

    • Hot swapping/folder redirection etc.

    • But each user has to have admin rights to their 'usual PC' (which is fine, i've done this).. added to local admin group via control userpasswords2

    Problem: Currently a user (DOMAIN\User) can create another user on the local machine (COMPUTER\USER) and allow another person to logon locally with this new unmanaged account.

    I want to disallow logon locally for everybody except administrators (2008 r2 will not allow me to set 'Deny logon locally' to Everyone).. and I also want to disallow anybody except the domain administrator from creating new user accounts.

  • #2
    Re: Disable Local Logon and Creation of New Users

    Why do they need Local Admin rights?
    I they are admin, then they are admin. Nothing else to say about it actually.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: Disable Local Logon and Creation of New Users

      give them power user on the desktop instead. It should allow them to do mostly what they need to do, without allowing them to create local accounts
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

      Comment


      • #4
        Re: Disable Local Logon and Creation of New Users

        Originally posted by Dumber View Post
        Why do they need Local Admin rights?
        I they are admin, then they are admin. Nothing else to say about it actually.
        Our sales/customer management software requires users have admin permissions.

        -

        What is the difference between a Power User and an Administrator?

        Comment


        • #5
          Re: Disable Local Logon and Creation of New Users

          Hi,

          Well I agree what was stated in the other posts. If you have users as local admins then yeah they should be trusted; other wise why would they be local Admins

          You can try to run the application under a user account that has been made a member of the power users group see if this provides the necessary privledges required to run the app.

          I work in a environment with close to 10 000 users give or take and their are alot of 3rd party software. All of our users are domain users. This is not because the apps support it this is because we have worked with vendor and gathered the information where users require elevated permissions in the reg and file system and configured the permissions specfic for the app. I would recommend that you take this approach.



          Kind Regards,

          Comment

          Working...
          X