Restricting users in Windows 2000

Vintalage

I'm not sure how to do this. This is for my work PC. It is on a domain and I want to block certain users from logging on to my machine. I know where to go. It is in Administrative tools--->Local Sercurity Policy--->Local Policy--->User Right Assignment. Then a whole list of Policies shows up. I click on the ones that relate to what I want to do and make the nessary changes but it does not do what I put in. I'm getting confused. What do I do?

primesuspect

If it's on a domain, local policies do not apply. You need to apply permissions on individual files. You can only invoke policies from active directory.

Vintalage

yes, it is on a domain. I am able to go out and select the users that I don't want on my system but it doesn't seem to work right. I'll try and show you what i'm talking about

primesuspect

Right, so that's what I'm saying: Since it's on a domain, local policies will only apply to local users. As soon as someone logs on to your machine with a domain account, local policies don't mean a thing.

Vintalage

No, I know it's possible. I watched someone restrict users on a domain and it worked. So I know it's possible.

Stranger

I believe you need to have domain admin rights in order to do what you describe.

a) Either log on as a domain admin or get your own account admin rights.
b) Go to your User Rights Assignment.
c) Locate "Deny Logon Locally", double click it.
d) Click "Add...".
e) Change "Look in:" to your company domain (i.e. company.net).
d) Now double click on the users you don't want logging in on your computer.
f) Click OK when finished.
g) Check the Local Policy Setting box, click OK.

If no domain policy has been established then this will work. However, if a domain policy is established after you perform these actions then they will no longer work afterwards (you can see the message under step d states this).

It sounds like your company hasn't defined a domain policy for this situation since local users are able to deny logon to others (but they still might need domain admin rights to perform the action). Once a domain level policy is established you might not even be able to set this up anymore.

Vintalage

Originally posted by Stranger
I believe you need to have domain admin rights in order to do what you describe.

a) Either log on as a domain admin or get your own account admin rights.
b) Go to your User Rights Assignment.
c) Locate "Deny Logon Locally", double click it.
d) Click "Add...".
e) Change "Look in:" to your company domain (i.e. company.net).
d) Now double click on the users you don't want logging in on your computer.
f) Click OK when finished.
g) Check the Local Policy Setting box, click OK.

If no domain policy has been established then this will work. However, if a domain policy is established after you perform these actions then they will no longer work afterwards (you can see the message under step d states this).

It sounds like your company hasn't defined a domain policy for this situation since local users are able to deny logon to others (but they still might need domain admin rights to perform the action). Once a domain level policy is established you might not even be able to set this up anymore.

Thanx. That's exactly what I wanted. Now it works and now I know how to do it. Yes, i'm on a company domain and I have admin rights to the computer I use. It works. I did a test with a few accouts I denied access to on the computer I use and it did just that, denied those accounts.

primesuspect

<---- pwned