Stopping A User Logging On - Computer Specific

Reply Subscribe

Thread Tools

Search this Thread

08 June 2003, 08:28 AM

Foot_Tapper

Scooby Regular

Thread Starter

Join Date: Aug 2002

Posts: 1,977

Likes: 0

Received 0 Likes on 0 Posts

Create a local group "cd user", create a global group "Global cd user".
Open local group, add global to local.
Apply permissions to executable, for admins and local group, and remove all others.
Anyone you need to access software, add them to global group.

You could apply "cacls" to whole of directory if you wanted, but the above should do the trick.

[Edited by Foot_Tapper - 8/6/2003 8:40:34 AM]

Reply Like

08 June 2003, 08:46 AM

Foot_Tapper

Scooby Regular

Thread Starter

Join Date: Aug 2002

Posts: 1,977

Likes: 0

Received 0 Likes on 0 Posts

Here's an example of what you can put in a batch file.

rem Make local group
net localgroup LG-CDWRITER/ADD /COMMENT:"CD WRITER Group"

rem lock down directory
CACLS "C:\PROG FILES\CDWRITER" /E /T /C /P LG-CDWRITER:C /R Users

REM ADD GLOBAL TO LOCAL GROUP
net localgroup LG-CDWRITER GG-CDWRITER /ADD

I can provide a copy of cacls if required

only 18kb

[Edited by Foot_Tapper - 8/6/2003 8:47:51 AM]

Reply Like

05 August 2003, 07:02 PM

Puff The Magic Wagon!

Moderator

iTrader: (2)

Join Date: May 2000

Location: From far, far away...

Posts: 16,978

Likes: 1

Received 15 Likes on 9 Posts

W2K & AD

Want to stop a user logging onto a particular computer but NP with the rest of the domain. (Say its the one with the CD Burner & I don't want them d/loading progs in work time & burning them for home)

Whats the best way to achieve it?

Reply Like

05 August 2003, 07:23 PM

*Sonic*

Scooby Regular

Join Date: May 2004

Location: R.I.P Piphead, at least you are home now :(

Posts: 10,026

Likes: 9

Received 15 Likes on 10 Posts

Cant you deny a Workstation in their Profile?

or alternativley just remove their access from the said cd writing machine

Or deny CD Rom access in a Group Policy (security settings)

or create a new container in AD, move that Computer (assuming it is win2k, and a member of the domain) into that new container

Create a Group Policy Object, remove CD Rom access in the group policy, and remove the apply group policy for all users except that one

Reply Like

05 August 2003, 08:25 PM

Puff The Magic Wagon!

Moderator

iTrader: (2)

Join Date: May 2000

Location: From far, far away...

Posts: 16,978

Likes: 1

Received 15 Likes on 9 Posts

OK - CD-ROM was a blind, its that + the "additional" certain progs on a PC that I wish to stop the user having access to - so lowest common denominator is "the PC".

Reply Like

05 August 2003, 08:54 PM

*Sonic*

Scooby Regular

Join Date: May 2004

Location: R.I.P Piphead, at least you are home now :(

Posts: 10,026

Likes: 9

Received 15 Likes on 10 Posts

hehe ok

If the computer is a member of the domain, then use NTFS permissions on local workstation on the folders

Are these progs accessed via the network, or does the user physically sit at the PC

Reply Like

05 August 2003, 08:56 PM

DSOTM

Scooby Regular

Join Date: Jul 2003

Posts: 75

Likes: 0

Received 0 Likes on 0 Posts

If you're happy with "unauthorised" users not being able to log on to that workstation, you can remove the "Log on locally" user right from "Users" and include a new Domain Global group containing authorised users only.

You can do this through a new Group Policy as per Sonic, or you can set it using Local Security Policy on the machine if you want to keep the computer account with the others.
Depends how big your domain is and whether or not you're likely to want to replicate this to other machines.

For the application permissions, just include in your Policy some file level security (again using a Domain Global group) which restricts certain executables to members of the new group.

Reply Like

Stopping A User Logging On - Computer Specific

Stopping A User Logging On - Computer Specific

Trending Topics