workstation LOCKED to a single domain account?
Just curious about this question. I work in the desktop/server support team, and we recently moved buildings. Part of our job was to move computers, reconnect them, and make sure we can log on, so come Monday morning users have network connectivity etc.
I noticed one particular workstation. I have domain admin and local admin to all these computers because I am on the team that deploys new hardware, and on this one machine I was not able to log on. Upon further inspection I came to know it was the machine of our info sec adviser, who holds many certs.
He has somehow made it so that only his domain account can log on to this machine. How did this group policy get on his machine? Is it a local policy he has enforced? Never seen this before on any machine in the company.
Comments
He could have implemented a local GPO with the Deny Logon Locally policy. Alternatively, if there is no GPO explicitly defining the Allow Logon Locally, he could have implemented one locally. Further, he could have created a GPO that would apply only to his workstation with user rights assignments (such as the above) and override whatever other GPO(s) assign them. This could be done through group membership, a WMI filter, or security filtering.
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340
If you don't have time for that, a new OU with block inheritance set, move his computer object into it, create your own GPO with allow local login set properly, and restart his PC (if you can't remotely force a gpupdate).
On the local machine (secpol.msc) Local policies\User Rights Assignment.
From a GPO > Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Normal entries (based on your organization): Guests, Administrators, Users, Backup Operators
Good luck!
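An added example, not written by any poster in this thread: a PowerShell sketch that reads the User Rights Assignment settings named above from a `secedit` export and lists who holds the allow and deny local logon rights. The function name `Get-LocalLogonRights` and the sample export are constructed for illustration.

```powershell
# On a real machine, create the input from an elevated prompt with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# then pass (Get-Content "$env:TEMP\rights.inf") instead of $sample.

# Constructed sample export. The domain SID is made up; S-1-5-32-544
# (Administrators) and S-1-5-32-546 (Guests) are well-known SIDs.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1104
SeDenyInteractiveLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

function Get-LocalLogonRights {
    param([string[]]$InfLines)
    # Allow log on locally / Deny log on locally
    $wanted = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
    foreach ($line in $InfLines) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        if ($right -notin $wanted) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $null; $name = $entry
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; resolve to a name if possible.
                $sid = $entry.Substring(1)
                try {
                    $obj  = [System.Security.Principal.SecurityIdentifier]::new($sid)
                    $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '(unresolved)' }
            }
            [pscustomobject]@{ Right = $right; Sid = $sid; Name = $name }
        }
    }
}

$rights = Get-LocalLogonRights -InfLines $sample
$rights | Format-Table -AutoSize

# The situation in the thread: Administrators missing from "Allow log on locally".
$allow = $rights | Where-Object Right -eq 'SeInteractiveLogonRight'
if ($allow.Sid -notcontains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators (S-1-5-32-544) is not granted Allow log on locally.'
}
```

The check compares SIDs rather than names so it also works on localized Windows installs, where the Administrators group has a different display name.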
So all this user was given was local admin rights to his box. He doesn't have domain admin, but would that be enough to allow him to set up his local policy? I thought the GPO that gets pushed from AD upon logon would override his policies.
Also, I have a laptop and desktop. I can access my laptop by going to \\computername\c$, but when I go from laptop to desktop it doesn't allow me. I also can't even ping my desktop; I get request timed out. Both are on the same subnet and both are on the domain. Weird??
I can now ping my laptop using IP, not hostname, so something is up with DNS; however, I can access my files via \\hostname\c$.