workstation LOCKED to a single domain account?

mrbinary Member Posts: 19
Just curious about this question. I work in the desktop/server support team and we recently moved buildings; part of our job was to move computers, reconnect them and make sure we can log on, so come Monday morning users have network connectivity etc.

I noticed one particular workstation. I have domain admin and local admin to all these computers because I am on the team that deploys new hardware, and this one machine I wasn't able to log on to. Upon further inspection I came to know it was the machine of our info sec adviser, who holds many certs.

He has somehow made it so only his domain account can log on to this machine. How did this group policy get on his machine? Is it a local policy he has enforced? Never seen this before on any machine in the company.

Comments

  • ptilsen Member Posts: 2,835
    There are quite a few ways he could accomplish this, depending on your environment.

    He could have implemented a local GPO with the Deny Logon Locally policy. Alternatively, if there is no GPO explicitly defining the Allow Logon Locally, he could have implemented one locally. Further, he could have created a GPO that would apply only to his workstation with user rights assignments (such as the above) and override whatever other GPO(s) assign them. This could be done through group membership, a WMI filter, or security filtering.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • BGraves Member Posts: 339
    True, a review of the GPOs attached to the OU his computer object is in, or domain-wide, would be in order.
    If you don't have time for that: a new OU with block inheritance set, move his computer object into it, create your own GPO with allow local login set properly, and restart his PC (if you can't remotely force a gpupdate).
    On the local machine (secpol.msc) Local policies\User Rights Assignment.
    From a GPO > Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
    Normal entries (based on your organization) Guests, Administrators, Users, Backup Operators
    Good luck!
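    The two checks ptilsen and BGraves describe (who holds "Allow/Deny log on locally" on the box, and whether that was set in the local GPO or pushed from AD), as an added PowerShell example that is not from this thread. It assumes an elevated PowerShell session on the workstation itself; secedit.exe and gpresult.exe are built into Windows, and the GptTmpl.inf path is where the local GPO stores its security template.

```powershell
# Added example, not from this thread. Run elevated on the workstation in question.

function Get-LocalLogonRights {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit exports the EFFECTIVE security policy (local + applied GPOs);
    # USER_RIGHTS limits the export to the [Privilege Rights] section.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {
                    # entries are SIDs prefixed with '*'; translate to DOMAIN\name where possible
                    try {
                        $sid = New-Object Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([Security.Principal.NTAccount]).Value
                    } catch { $entry }
                } else { $entry }
            })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-LocalGpoDefinesLogonRight {
    # The local GPO keeps its security settings in this template. A SeInteractiveLogonRight /
    # SeDenyInteractiveLogonRight line here means the restriction was set on the box itself
    # (secpol.msc / gpedit.msc), which is what a local admin without domain rights can do.
    $tmpl = "$env:windir\System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path $tmpl)) { return $false }
    return [bool](Select-String -Path $tmpl -Pattern '^Se(Deny)?InteractiveLogonRight' -Quiet)
}

# Who is currently allowed / denied to log on locally (empty Deny list = nobody explicitly denied)
Get-LocalLogonRights | Format-List

"Logon right defined in the LOCAL GPO: $(Test-LocalGpoDefinesLogonRight)"

# Applied domain GPOs for the computer; if one of them sets the same right, it wins over the local GPO
& gpresult.exe /scope computer /r
```

    If the local template defines the right and no applied domain GPO lists User Rights Assignment settings, the lock came from the local policy; a domain GPO that sets "Allow log on locally" (as BGraves suggests) will override it at the next gpupdate or restart.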
  • mrbinary Member Posts: 19
    Thanks guys,

    So all this user was given was local admin rights to his box; he doesn't have domain admin, but would that be enough to allow him to set up his local policy? I thought the GPO that gets pushed from AD upon logon would override his policies.
  • ptilsen Member Posts: 2,835
    mrbinary wrote: »
    I thought the GPO that gets pushed from AD upon logon would override his policies.
    It would, if there were a GPO. AD GPOs override local GPOs, but there is no default GPO for the user rights assignment in question on workstations. By default, rights assignment is done for various default groups, including the local Administrators group. This could be overridden locally unless a GPO is specifically created to assign rights.
  • mrbinary Member Posts: 19
    Makes sense now, thanks guys.

    Also I have a laptop and desktop. I can access my laptop by going \\computername\c$ but when I go from laptop to desktop it doesn't allow me; I also can't even ping my desktop, I get request timed out. Both on the same subnet and both on the domain. Weird??
  • ptilsen Member Posts: 2,835
    DNS or firewall, most likely.
  • BGraves Member Posts: 339
    ^ptilsen beat me, and DNS is also a good option to check too. ipconfig /flushdns might be handy here if the firewall is off. *Generally when you can't ping something on the same subnet, there is a firewall involved. Check Windows Firewall settings on the desktop/laptop, I imagine that would be where your problem lies if the network settings are correct.
  • mrbinary Member Posts: 19
    Firewall is off on both machines as per the GPO that gets pushed out upon logon. Flushed DNS on both machines, and both are on the same subnet and pointing to the same DNS servers.

    I can now ping my laptop using IP, not hostname, so something is up with DNS; however I can access my files via \\hostname\c$
  • BGraves Member Posts: 339
    nslookup might help at this point, to determine if your DNS server is working properly with the right lookup zones and information. And GPOs don't always work, so if you haven't, it wouldn't hurt to check. Event logs would also be good to review, checking for warnings/errors that might relate. (trust but verify) :)
  • ptilsen Member Posts: 2,835
    Try doing nslookup [hostname] as well as nslookup [FQDN]. Additionally, check that dynamic DNS updates are enabled. If WINS servers are not used and DNS and DHCP are not configured properly, an old IP address could be cached by NetBIOS, since this is following a building move.
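    ptilsen's nslookup [hostname] / nslookup [FQDN] check, plus the dynamic-DNS-registration point, as an added PowerShell example that is not from this thread. It assumes a domain-joined client running Windows 8 / Server 2012 or later (Resolve-DnsName and Get-DnsClient cmdlets), and the host name mydesktop is a constructed placeholder.

```powershell
# Added example, not from this thread. Run on the machine that cannot reach the other one by name.

function Test-HostResolution {
    param([Parameter(Mandatory)][string]$HostName)
    # Build the FQDN from the machine's own domain suffix (set when the client is domain-joined)
    $fqdn = if ($HostName -like '*.*') { $HostName } else { "$HostName.$env:USERDNSDOMAIN" }
    $result = [ordered]@{}

    foreach ($name in @($HostName, $fqdn)) {
        try {
            # -DnsOnly skips the local resolver cache and hosts file, so this is what the server answers
            $a = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
            $result[$name] = ($a.IPAddress -join ',')
        } catch {
            $result[$name] = "FAILED: $($_.Exception.Message)"
        }
    }

    # A stale A record (old address from before the building move) shows up as a name that
    # resolves but whose address does not answer, while the real address pings fine.
    foreach ($ip in ($result.Values | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | Select-Object -Unique)) {
        $result["ping $ip"] = Test-Connection -ComputerName $ip -Count 1 -Quiet
    }

    # Does this client register its own A record? If not, the other box may keep asking for an old address.
    $registering = Get-DnsClient | Where-Object { $_.RegisterThisConnectionsAddress }
    $result['registers own address on'] = ($registering.InterfaceAlias -join ',')

    return [pscustomobject]$result
}

# Constructed host name; replace with the real workstation name. Run it from the laptop for the
# desktop and from the desktop for the laptop; a record that resolves only as FQDN points at the
# suffix search list, one that resolves to a dead address points at dynamic updates.
Test-HostResolution -HostName 'mydesktop' | Format-List
```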