workstation LOCKED to a single domain account?
Just curious about this question. I work in the desktop/server support team and we recently moved buildings; part of our job was to move computers, reconnect them and make sure we can log on so come Monday morning users have network connectivity etc.
I noticed one particular workstation. I have domain admin and local admin to all these computers because I am on the team that deploys new hardware, and this one machine I wasn't able to log on to. Upon further inspection I came to know it was the machine of our info sec adviser who holds many certs.
He has somehow made it so only his domain account can log on to this machine. How did this group policy get on his machine? Is it a local policy he has enforced? Never seen this before on any machine in the company.
Comments
-
ptilsen Member Posts: 2,835
There are quite a few ways he could accomplish this, depending on your environment.
He could have implemented a local GPO with the Deny Logon Locally policy. Alternatively, if there is no GPO explicitly defining the Allow Logon Locally, he could have implemented one locally. Further, he could have created a GPO that would apply only to his workstation with user rights assignments (such as the above) and override whatever other GPO(s) assign them. This could be done through group membership, a WMI filter, or security filtering.
-
BGraves Member Posts: 339
True, a review of the GPOs attached to the OU his computer object is in, or domain-wide, would be in order.
If you don't have time for that, create a new OU with block inheritance set, move his computer object into it, create your own GPO with allow local login set properly, and restart his PC (if you can't remotely force a gpupdate).
On the local machine (secpol.msc): Local Policies\User Rights Assignment.
From a GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Normal entries (based on your organization): Guests, Administrators, Users, Backup Operators.
Good luck!
-
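As an added example (not from the thread or either poster), here is a PowerShell check you can run on the affected workstation to see the effective "Allow log on locally" and "Deny log on locally" rights ptilsen and BGraves describe, flag the case where local Administrators are locked out, and list which GPOs (including the local one) were applied; the temp file name is an assumption.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# workstation. secedit exports the *effective* policy (local policy merged with any
# domain GPOs), so this shows who really can and cannot log on interactively.
$inf = Join-Path $env:TEMP 'user-rights.inf'   # temp file name is an assumption
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

function Resolve-Sid([string]$entry) {
    # secedit writes well-known principals as *S-1-5-..., others as plain names
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # orphaned SID (deleted account): leave it raw
}

$rights = @{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}
$effective = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $name = $Matches[1]; $list = $Matches[2]
        $effective[$name] = $list.Split(',') | ForEach-Object { Resolve-Sid $_.Trim() }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($key in $rights.Keys) {
    "{0}: {1}" -f $rights[$key], (@($effective[$key]) -join ', ')
}

# The lock-out described in the thread shows up here as BUILTIN\Administrators
# missing from the Allow list (or present in the Deny list, which always wins).
$allow = @($effective['SeInteractiveLogonRight'])
$deny  = @($effective['SeDenyInteractiveLogonRight'])
if ($allow -notcontains 'BUILTIN\Administrators' -or $deny -contains 'BUILTIN\Administrators') {
    Write-Warning 'Local Administrators cannot log on interactively to this machine.'
}

# Which GPOs supplied the computer settings; "Local Group Policy" in this list means
# a policy set on the box itself (secpol.msc / gpedit.msc) rather than pushed from AD.
gpresult /scope computer /r
```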
mrbinary Member Posts: 19
Thanks guys,
So all this user was given was local admin rights to his box; he doesn't have domain admin, but would that be enough to allow him to set up his local policy? I thought the GPO that gets pushed from AD upon logon would override his policies.
-
ptilsen Member Posts: 2,835
mrbinary wrote: "I thought the GPO that gets pushed from AD upon logon would override his policies."
-
mrbinary Member Posts: 19
Makes sense now, thanks guys.
Also, I have a laptop and a desktop. I can access my laptop by going to \\computername\c$, but when I go from laptop to desktop it doesn't allow me; I also can't even ping my desktop, I get request timed out. Both on the same subnet and both on the domain. Weird??
-
ptilsen Member Posts: 2,835
-
BGraves Member Posts: 339
^ptilsen beat me, and DNS is also a good option to check too. ipconfig /flushdns might be handy here if the firewall is off. *Generally when you can't ping something on the same subnet, there is a firewall involved. Check Windows Firewall settings on the desktop/laptop; I imagine that would be where your problem lies if the network settings are correct.
-
mrbinary Member Posts: 19
Firewall is off on both machines as per the GPO that gets pushed out upon logon. Flushed DNS on both machines, and both are on the same subnet and pointing to the same DNS servers.
I can now ping my laptop using IP, not hostname, so something is up with DNS; however, I can access my files via \\hostname\c$.
-
BGraves Member Posts: 339
nslookup might help at this point, to determine if your DNS server is working properly with the right lookup zones and information. And GPOs don't always work, so if you haven't, it wouldn't hurt to check. Event logs would also be good to review, checking for warnings/errors that might relate. (Trust but verify.)
-
ptilsen Member Posts: 2,835
Try doing nslookup [hostname] as well as nslookup [FQDN]. Additionally, check that dynamic DNS updates are enabled. If WINS servers are not used and DNS and DHCP are not configured properly, an old IP address could be cached by NetBIOS, since this is following a building move.