1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Only show and allow logon into Domain...

Discussion in 'Software' started by HTF, Jan 11, 2010.

  1. HTF

    HTF Byte Poster

    181
    0
    14
    Hi,

    1. How to only show and allow logon into Domain, basically I have local accounts on the laptop which I joined to domain and now I would like to prevent users from logon "to this computer"
    - I've set in GPO "deny logon locally" but this prevent me login into domain instead :)

    I could delete local accounts but this is simple way :)

    2. Another problem is with existing local profiles on this laptop, Can I copy existing, local profiles on the laptop from the server or I have to do it directly on the laptop?

    3. Is it possible to remotely install MS office packet via GPO => software installation
     
    Certifications: A+
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    1) if the user only has domain credentials then there shouldnt be an issue here. You can control local accounts with the restricted user groups in a GPO. This should prevent users logging in locally as there will be no local accounts. Would that do?

    2) You can use the profile migration wizard for this if using Windows XP.

    3) Yes, you can install Office with a GPO.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. HTF

    HTF Byte Poster

    181
    0
    14
    Hello,
    - The problem is that the user has also admin local account...

    - could you help me with this, I created such a group but I donot know how to actually prevent users from logon locally via this settings

    I've managed to install Mozilla firefox but I have a problem with office as no one of msi files working...
    Is there any way to set configuration for this, for example change the path for firefox installation or preconfigure it like default/home website ect.
     
    Certifications: A+
  4. JonnyMX

    JonnyMX Petabyte Poster

    5,239
    211
    236
    Change the password?
     
    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  5. HTF

    HTF Byte Poster

    181
    0
    14
    Yes I know, I could even delete this account but as I wrote before i would like to only show and allow logon into Domain, if it's possible ;)
     
    Certifications: A+
  6. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Take him out of the local admins group, change the password as previously suggested or delete the account.

    As far as I remember, you can always log on locally if you use the admin account or are a member of the admins group, even if the local gpo is set to deny log on locally. Therefore the only way would be to remove the admin rights from the user.


    I don't think there is any way around this. You should always be able to log on locally, hence the choices of the domain or the local pc.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  7. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    I haven't got access to an XP machine where I am at the moment, although I think there is a "deny local log on" GPO you can push out.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  8. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    I'm fairly sure Nugget is right here. Think about it, it you were able to lock down a machine to completely prevent local login, then the machine is a brick if it ever develops a networking issue. You cant log on to diagnose.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  9. Josiahb

    Josiahb Gigabyte Poster

    1,336
    40
    97
    This is my thinking on it as well, local logon is almost always required by admins at some point. For instance I had a machine recently that suffered a virus infection which flooded our out going net connection (fun to clean up :dry) I took the machine off network, logged in locally and ran the in depth virus scan necessary to remove the bastard thing.

    Delete the account or change the password.
     
    Certifications: A+, Network+, MCDST, ACA – Mac Integration 10.10
  10. HTF

    HTF Byte Poster

    181
    0
    14
    Ok thank you for all help, one more question:

    How to allow users install software/programs?
     
    Certifications: A+
  11. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224

    Give them admin rights. :twisted:

    Just kidding. That's what helpdesk, network and system admins are for. If you start letting the users install porgrams then after the first couple of "legitimate" installs you'll end up with all sorts of spyware, crapware and viruses in the system.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  12. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Is this part of the GPO any use?

    Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment...

    In there you will find "Log on locally"

    To be honest what you are trying is kinda risky, you would want at least one account you can use to log on locally.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010

Share This Page

Loading...