
27/03/2015

Restricting Interactive User Logons | Security content from Windows IT Pro


Restricting Interactive User Logons
Jan De Clercq | Windows IT Pro

Mar 27, 2006

Q: How can I restrict Windows users' capability to log on interactively to Windows from the Windows console in an Active Directory (AD) environment?


A: A Windows user can start an interactive logon process by pressing the Ctrl+Alt+Del key sequence, by requesting a secondary logon session using, for example, the runas command-line utility, or by starting a connection to another machine using Terminal Services or Remote Desktop. In a Windows AD environment, you can centrally control interactive logon by using logon rights or using a set of AD user account object properties.


The Log on locally logon right controls who can log on interactively to a Windows machine using Ctrl+Alt+Del or by starting a secondary logon session. In Windows 2000, this logon right was also required to log on using Terminal Services or Remote Desktop. In Windows Server 2003 and Win2K Service Pack 2 (SP2) and later, Terminal Services and Remote Desktop-based interactive logons are controlled using the Allow logon through Terminal Services logon right. In Win2K, Microsoft also introduced the Deny logon locally and Deny Logon through Terminal Services user rights.


Deny logon locally denies a user the ability to log on at the computer's console using Ctrl+Alt+Del or the Welcome screen or by starting a secondary logon session. It has precedence over the Log on locally right.
Deny Logon through Terminal Services denies a user the ability to log on using Terminal Services or Remote Desktop. It has precedence over the Logon through Terminal Services right.


The Deny logon rights can be very handy in large Windows setups. For example, assume you want to give everyone with the exception of a couple of specific accounts the right to Log on locally. In that case, it's much easier to grant the Authenticated Users group the Log on locally right and the specific accounts the Deny logon locally right, instead of figuring out all the accounts that should have access, putting them in a special group, and giving this group the Log on locally right.

In AD environments, you can assign and manage Windows logon rights from the Microsoft Management Console (MMC) Group Policy Object (GPO) snap-in. To access the GPO MMC snap-in, start the MMC, then load the GPO snap-in.
For managing the logon rights on domain-joined machines, select the Default Domain GPO.
For managing the logon rights on domain controllers (DCs), select the Default Domain Controllers GPO. In the GPO MMC snap-in, you can assign logon rights from the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment container.
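The deny-over-allow precedence described above can be checked against a machine's exported user rights. The following PowerShell is an added example, not part of the original article: it parses a constructed sample of a `secedit /export` file, where the four logon rights appear under their internal names (`SeInteractiveLogonRight`, `SeDenyInteractiveLogonRight`, `SeRemoteInteractiveLogonRight`, `SeDenyRemoteInteractiveLogonRight`). The `CONTOSO` accounts and the token lists are hypothetical.

```powershell
# Constructed sample of the section written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# SIDs carry a leading '*'. CONTOSO\svc-backup is a hypothetical account.
$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-11,*S-1-5-32-544
SeDenyInteractiveLogonRight = CONTOSO\svc-backup,*S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = CONTOSO\svc-backup
'@

# Allow/deny pair for each interactive logon path named in the article.
$RightPairs = @{
    Local  = @{ Allow = 'SeInteractiveLogonRight';       Deny = 'SeDenyInteractiveLogonRight' }
    Remote = @{ Allow = 'SeRemoteInteractiveLogonRight'; Deny = 'SeDenyRemoteInteractiveLogonRight' }
}

function ConvertFrom-PrivilegeRights {
    param([string]$InfText)
    $table = @{}
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            # Split the principal list and drop the '*' that marks a SID.
            $table[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $table
}

function Test-LogonRight {
    param([hashtable]$Rights, [ValidateSet('Local', 'Remote')][string]$Type,
          [string[]]$Token)   # the account plus every group it belongs to
    $pair = $RightPairs[$Type]
    # One match in the Deny list wins, whatever the Allow list says.
    if ($Token | Where-Object { @($Rights[$pair.Deny]) -contains $_ }) { return 'Denied: deny right' }
    if ($Token | Where-Object { @($Rights[$pair.Allow]) -contains $_ }) { return 'Allowed' }
    'Denied: right not granted'
}

$rights = ConvertFrom-PrivilegeRights $sampleInf
$alice  = 'CONTOSO\alice', 'S-1-5-11'                        # Authenticated Users only
$backup = 'CONTOSO\svc-backup', 'S-1-5-11', 'S-1-5-32-544'   # also an Administrators member
foreach ($type in 'Local', 'Remote') {
    [pscustomobject]@{
        Type   = $type
        Alice  = Test-LogonRight -Rights $rights -Type $type -Token $alice
        Backup = Test-LogonRight -Rights $rights -Type $type -Token $backup
    }
}
```

The hypothetical service account is denied on both paths even though it is a member of Administrators, which is the precedence rule the article describes.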

Another very efficient mechanism to restrict a user's interactive logon rights is to restrict the machines to which a user can log on interactively. AD administrators can restrict to which domain machines a domain user can log on interactively by using the AD Log On To user account property. You can access this property from the Account tab of the user's account properties (as Figure 1 shows) in the MMC AD Users and Computers snap-in. To restrict the machines a user can log on to interactively, select The following computers radio button. You can then add machines by typing their NetBIOS name in the Computer Name field and clicking Add. AD stores this data as a comma-separated list in the user-workstations user account AD attribute. The Log On To domain user account property doesn't affect a user's capability to log on locally to a machine using a local account.


The Account tab in the AD Users and Computers user account properties contains another feature that you can use to restrict a user's logon behavior: the Logon Hours button allows an AD administrator to restrict the hours a user can log on to the domain. These time restrictions apply to all logon types (not only interactive logon, but also network logon) and don't impact a user's capability to log on locally to a machine using a local account.

The Log On To and Logon Hours domain user account restrictions also apply when a user starts a secondary logon session or when a user logs on using a Terminal Services or Remote Desktop connection.
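The two account restrictions above map to the `userWorkstations` attribute (a comma-separated name list) and the `logonHours` attribute (a 21-byte bitmap, one bit per hour of the week, stored in UTC). The following PowerShell is an added example, not part of the original article, that evaluates both for a given computer and time; the account, the machine names and the helper function names are constructed for illustration.

```powershell
function New-LogonHours {
    # Build a logonHours value: 21 bytes = 168 bits, one per hour of the week,
    # stored in UTC; bit 0 of byte 0 is Sunday 00:00-00:59.
    param([int[]]$Days, [int]$FromHour, [int]$ToHour)
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $FromHour; $h -lt $ToHour; $h++) {
            $bit = $d * 24 + $h
            $bytes[$bit -shr 3] = $bytes[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    , $bytes
}

function Test-AccountLogon {
    param($User, [string]$Computer, [datetime]$WhenUtc)
    # Log On To: an empty attribute means "All computers".
    if ($User.userWorkstations) {
        $names = $User.userWorkstations -split ',' | ForEach-Object { $_.Trim() }
        if ($names -notcontains $Computer) { return 'Denied: not in Log On To list' }
    }
    # Logon Hours: an absent attribute means no time restriction.
    if ($User.logonHours) {
        $bit = [int]$WhenUtc.DayOfWeek * 24 + $WhenUtc.Hour
        if (-not ($User.logonHours[$bit -shr 3] -band (1 -shl ($bit -band 7)))) {
            return 'Denied: outside Logon Hours'
        }
    }
    'Allowed by account restrictions'
}

# Constructed account: two workstations, Monday-Friday 07:00-19:00 UTC.
# Against a live domain these values would come from, for example,
#   Get-ADUser alice -Properties userWorkstations, logonHours
$alice = [pscustomobject]@{
    userWorkstations = 'WKS-0142,WKS-0143'
    logonHours       = New-LogonHours -Days 1, 2, 3, 4, 5 -FromHour 7 -ToHour 19
}
$friday   = New-Object datetime 2015, 3, 27, 10, 0, 0
$saturday = New-Object datetime 2015, 3, 28, 10, 0, 0
Test-AccountLogon -User $alice -Computer 'WKS-0142' -WhenUtc $friday
Test-AccountLogon -User $alice -Computer 'SRV-DB01' -WhenUtc $friday
Test-AccountLogon -User $alice -Computer 'WKS-0142' -WhenUtc $saturday
```

Because the bitmap is stored in UTC, convert local times before testing them against it.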


Discuss this Article


Justin (not verified) on Mar 28, 2006

I think MS should think out of the box and incorporate the feature of Virtual PC into Vista, in a way that allows people to use the virtual environment to protect the host from anything the Internet has to offer. I personally use the Internet free from all hacker frustration installing Windows XP Pro off a .vhd file enabling the undo disk feature to erase hacker, virus, malware, spyware, etc from existence. I do this by burning the .vhd file to CD and then using the undo disk feature to recover instantly from any issues regarding any attacks against my Internet experience. I only install Internet speaking apps in the virtual world, leaving the host with nothing but local apps and games that never need to see the light of the Internet, this along with the standard security protection, antivirus, firewalls, antispyware, loopback configured host files that would prevent most of these types of attacks from harming my system. I still see things that attack the system, but these viruses, and trojans think they are attacking a real system and in fact it is more like a honeypot. Furthermore I prevent the local host from being able to see the internet using the firewall and disabling services that are required to make it work on the local host all while being able to surf even known dangerous sites without worry or concern because I have taken my focus away from the unsuccessful task of preventing these kinds of attacks, and put it on instant recovery instead. I still protect the system in all of the traditional ways but now I can do whatever I want on the Internet and stick it to the attackers another way. MS needs to build a Virtual PC app into Vista to allow this kind of technique to be used widespread. To me it is the closest thing to being unhackable since the CD-ROM is read-only the best they can do to me is wreck my temp .vhd which I can turn off and patch then surf again. Thanks, Justin Kalis kalisjr@yahoo.com
