How to restrict use of a computer to one domain user only

Article ID: 555317

SYMPTOMS

When you create trust connections from one domain to another, or from one forest to another, users have the option to log on to domains other than their home domain (the domain that hosts their accounts).

CAUSE

Trust connections from one domain to another, or from one forest to another, enable users to log on to domains other than their home domain (the domain that hosts their accounts). The "Authenticated Users" group on each computer allows users from a trusted domain to be authenticated and to log on to the computer.

RESOLUTION

Option A: Domain Wide Policy

By using the Group Policy capabilities of a Windows 2000/2003 domain, you can prevent users from logging on to domains other than their home domain (the domain that hosts their accounts).

1. In the target domain, create a new domain-wide GPO and enable the "Deny logon locally" user right for the source domain user accounts.

Note: Some services (such as backup software services) may be affected by this policy and would not function. To avoid future problems, apply this policy and use the GPO security filter feature.

Deny logon locally
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/537.mspx

Filter using security groups
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/65424a58-aff3-4e1e-a3a1-59878cbcf005.mspx

2. Run "Gpupdate /force" on the domain controller.

Option B: Remove "NT AUTHORITY\Authenticated Users" from the member list of the "Users" group

To eliminate the option to log on to one or a few computers, follow the instructions below:

1. Right-click the "My Computer" icon on the desktop.
2. Choose "Manage".
3. Expand "Local Users and Groups".
4. Click "Groups".
5. On the right side of the screen, double-click the "Users" group.
6. Remove "NT AUTHORITY\Authenticated Users" from the list.
7. Add the required users and/or groups to the "Users" local group.

Option C: Configure the "Deny logon locally" user right on the local computers

To eliminate the option to log on to one or a few computers, follow the instructions below:

1. Go to "Start" -> "Run".
2. Type "Gpedit.msc".
3. Enable the "Deny logon locally" user right for the source domain user accounts.

Note: Some services (such as backup software services) may be affected by this policy and would not function.

Deny logon locally
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/537.mspx

4. Run "Gpupdate /force" on the local computer.

Option D: Use Selective Authentication when using a Forest Trust

Creating Forest Trusts
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/544d5801-205e-45b0-a1d7-cb9c39a7d709.mspx

MORE INFORMATION

Log on locally
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/547.mspx

Group Type and Scope Usage in Windows
http://support.microsoft.com/?kbid=231273

Properties

Article ID: 555317 - Last Review: May 21, 2005 - Revision: 1.0
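To confirm that Option B and Option C took effect on a given computer, the following audit script reads back both settings. It is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and SOURCEDOM\jdoe is a placeholder account name.

```powershell
# Added audit example (not from the original article). Run from an elevated
# Windows PowerShell 5.1+ prompt; secedit needs administrator rights.
$SourceAccount = 'SOURCEDOM\jdoe'   # placeholder: the source-domain account to block

function Get-DenyLogonLocally {
    # Returns the entries assigned to SeDenyInteractiveLogonRight, the
    # privilege constant behind the "Deny logon locally" user right.
    # A line in the export looks like this (constructed sample):
    #   SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1104,Guest
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # the right is not assigned to anyone
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |   # SIDs are exported with a leading '*'
        Where-Object { $_ }
}

# Option C check: export the user rights and read the deny list.
$tmp = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$denied = @(Get-DenyLogonLocally (Get-Content $tmp))
Remove-Item $tmp -ErrorAction SilentlyContinue

# Resolve the account to a SID, because secedit normally lists domain accounts by SID.
$sid = ([System.Security.Principal.NTAccount]$SourceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Option B check: S-1-5-11 is the well-known SID of Authenticated Users.
$authUsers = Get-LocalGroupMember -Group 'Users' |
    Where-Object { $_.SID.Value -eq 'S-1-5-11' }

[pscustomobject]@{
    Computer                       = $env:COMPUTERNAME
    AuthenticatedUsersInUsersGroup = [bool]$authUsers
    SourceAccountDeniedLocalLogon  = ($denied -contains $sid) -or ($denied -contains $SourceAccount)
    DenyLogonLocallyEntries        = $denied -join ', '
}
```

A hardened computer reports AuthenticatedUsersInUsersGroup as False (Option B) or SourceAccountDeniedLocalLogon as True (Option C).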
COMMUNITY SOLUTIONS CONTENT DISCLAIMER MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.











