Denying Win 2003 Active Directory Users Local Logon
I wrote a script to automatically install network printers on client machines. The intended clients will not be logging into the domain, so I need to specify a domain account and password to allow them to map to the printer share. I created a user "printonly", which I only need to authenticate users so they can reach the share.
However, I do not want the "printonly" account to be able to interactively log on to desktops (effectively bypassing security if someone digs the username/pwd out of the install .EXE). There doesn't seem to be a simple way to do this in Windows Server 2003.
2000 had an option called "deny local logon"; this is what I want to accomplish. However, all the options I tried to restrict printonly's local logon ability have also affected its ability to access the printer share.
How do I disable this account's ability to log on locally without also knocking out the printer share login?
Responses to this topic
I've set "Deny Logon Locally" in the Group Policy Object Editor. It didn't make any difference; the printonly account was still able to interactively log in at a desktop.
I also created an OU called "Restricted Users" and put the printonly account in there. I edited the policy for the new OU as well, but it's still not preventing printonly from logging onto desktops.
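A check for whether the "Deny Logon Locally" setting mentioned in the response actually reached a given desktop, as an added example that is not part of the original thread: it parses the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and reports whether the account is listed under the deny-local and deny-network user rights. The sample exports, the SID and the function names are constructed for illustration, and the check only sees accounts listed directly (it does not resolve group membership).

```python
import re

DENY_LOCAL = "SeDenyInteractiveLogonRight"   # "Deny log on locally"
DENY_NETWORK = "SeDenyNetworkLogonRight"     # "Deny access to this computer from the network"

# Constructed sample exports (real files are usually UTF-16; decode before parsing).
# The SID below is a made-up stand-in for the printonly account.
PRINTONLY_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DESKTOP_POLICY_NOT_APPLIED = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""
DESKTOP_POLICY_APPLIED = DESKTOP_POLICY_NOT_APPLIED.replace(
    "SeDenyInteractiveLogonRight = Guest",
    "SeDenyInteractiveLogonRight = Guest,*" + PRINTONLY_SID,
)


def parse_privilege_rights(inf_text):
    """Map each user right to the set of principals (names or SIDs) it lists."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            right, _, value = line.partition("=")
            rights[right.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights


def audit(inf_text, identifiers):
    """Report whether any of the account's identifiers is listed under each deny right."""
    ids = {i.lower() for i in identifiers}
    rights = parse_privilege_rights(inf_text)
    return {
        "deny_local": bool(ids & rights.get(DENY_LOCAL, set())),
        "deny_network": bool(ids & rights.get(DENY_NETWORK, set())),
    }


if __name__ == "__main__":
    for label, text in [("before", DESKTOP_POLICY_NOT_APPLIED), ("after", DESKTOP_POLICY_APPLIED)]:
        print(label, audit(text, ["printonly", PRINTONLY_SID]))
```

On a desktop, `deny_local` should come back true for the account; on the machine hosting the printer share, `deny_network` should stay false so the share mapping keeps working.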