Denying Win 2003 Active Directory Users Local Logon
This is a discussion about Denying Win 2003 Active Directory Users Local Logon in the Everything New Technology category; I wrote a script to automatically install network printers on client machines. The intended clients will not be logging into the domain, so I need to specify a domain account and password to allow them to map to the printer share.
I wrote a script to automatically install network printers on client machines. The intended clients will not be logging into the domain, so I need to specify a domain account and password to allow them to map to the printer share. I created a user "printonly", which I only need to authenticate users so they can reach the share.
However, I do not want the "printonly" account to be able to interactively logon to desktops (effictively bypassing security if someone digs the username/pwd out of the install .EXE) There doesn't seem to be a simple way to do this in Windows Server 2003.
2000 had an option called "deny local logon"; this is what I want to accomplish. However, all the options I tried to restrict printonly's local logon ability have also affected its ability to access the printer share.
How do I disable this account's ability to logon locally without also knocking out the printer share login?
However, I do not want the "printonly" account to be able to interactively logon to desktops (effictively bypassing security if someone digs the username/pwd out of the install .EXE) There doesn't seem to be a simple way to do this in Windows Server 2003.
2000 had an option called "deny local logon"; this is what I want to accomplish. However, all the options I tried to restrict printonly's local logon ability have also affected its ability to access the printer share.
How do I disable this account's ability to logon locally without also knocking out the printer share login?
Participate in our website and join the conversation
This subject has been archived. New comments and votes cannot be submitted.
Sep 22
Sep 24
0
3 minutes
Responses to this topic
OP
I tried to deny all the logons except Batch for printonly, but it seems to make no difference. Sometimes active directory is sluggish about making those account updates, so I'll leave the changes and see if it kicks in later.
I just checked a 2k3 DC and Deny logon locally is still an option in group policy.
It's under Computer config -> Windows settings -> Security Settings -> User Rights Assignment.
Also, have you granted the account the Access this computer from the network right?
It's under Computer config -> Windows settings -> Security Settings -> User Rights Assignment.
Also, have you granted the account the Access this computer from the network right?
OP
Where is "Computer Config"? I'm not seeing it.
I have tried setting permissions in both "Domain Controller Security Policy" and "Domain Security Policy"; neither have any effect on printonly's ability to interactively login at a desktop machine.
This one's got me puzzled...
I have tried setting permissions in both "Domain Controller Security Policy" and "Domain Security Policy"; neither have any effect on printonly's ability to interactively login at a desktop machine.
This one's got me puzzled...
Open Active Directory Users and computers. Right click on your domain and choose properties. Choose group edit tab and edit properties on your default domain policy. You will see computer configuration. This is what I was talking about earlier.
OP
I've set "Deny Logon Locally" in the Group Policy Object Editor. Didn't make any difference; the printonly account was still able to interactively login at a desktop.
I also created an OU called "Restricted Users" and put the printonly account in there. I edited the policy for the new OU as well, but it's still not preventing printonly from logging onto desktops.
I also created an OU called "Restricted Users" and put the printonly account in there. I edited the policy for the new OU as well, but it's still not preventing printonly from logging onto desktops.
Try placing moving a computer account into your Restricted users group and reboot it.
This policy has to be applied to a computer for it to have effect.
This policy has to be applied to a computer for it to have effect.
OP
*Duplicate Post*
Ok, I'll try that.
Ok, I'll try that.
