Restricting Interactive User Logons | Security content from Windows IT Pro
Restricting Interactive User Logons
Jan De Clercq | Windows IT Pro
Mar 27, 2006
Q: How can I restrict Windows users' capability to log on interactively to Windows from the Windows console in an Active Directory (AD) environment?
A: A Windows user can start an interactive logon process by pressing the Ctrl+Alt+Del key sequence, by requesting a secondary logon session using, for example, the runas command-line utility, or by starting a connection to another machine using Terminal Services or Remote Desktop. In a Windows AD environment, you can centrally control interactive logon by using logon rights or using a set of AD user account object properties.
The Log on locally logon right controls who can log on interactively to a Windows machine using Ctrl+Alt+Del or by starting a secondary logon session. In Windows 2000, this logon right was also required to log on using Terminal Services or Remote Desktop. In Windows Server 2003 and Win2K Service Pack 2 (SP2) and later, Terminal Services and Remote Desktop-based interactive logons are controlled using the Allow logon through Terminal Services logon right. In Win2K, Microsoft also introduced the Deny logon locally and Deny Logon through Terminal Services user rights.
Deny logon locally denies a user the ability to log on at the computer's console using Ctrl+Alt+Del or the Welcome screen or by starting a secondary logon session. It has precedence over the Log on locally right.
Deny Logon through Terminal Services denies a user the ability to log on using Terminal Services or Remote Desktop. It has precedence over the Logon through Terminal Services right.
The Deny logon rights can be very handy in large Windows setups. For example, assume you want to give everyone with the exception of a couple of specific accounts the right to Log on locally. In that case, it's much easier to grant the Authenticated Users group the Log on locally right and the specific accounts the Deny logon locally right, instead of figuring out all the accounts that should have access, putting them in a special group, and giving this group Log on locally right.
In AD environments, you can assign and manage Windows logon rights from the Microsoft Management Console (MMC) Group Policy Object (GPO) snap-in. To access the GPO MMC snap-in, start the MMC, then load the GPO snap-in.
For managing the logon rights on domain-joined machines, select the Default Domain GPO.
For managing the logon rights on domain controllers (DCs), select the Default Domain Controllers GPO. In the GPO MMC snap-in, you can assign logon rights from the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments container.
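
To check which accounts the applied policy actually lets log on, and to see the deny-over-allow precedence at work, the following added example (not part of the original article) parses a user-rights export and evaluates console and Remote Desktop logon for a few accounts. The INF excerpt, the domain SID, and the account names are constructed; the Se* constants are the internal names of the four logon rights discussed above.

```powershell
# Constructed sample in the INF format written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# Entries prefixed with * are SIDs; this sketch compares SIDs only.
$inf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-11
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight =
'@

function Get-LogonRights([string]$InfText) {
    $rights = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(Se\w*LogonRight)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-LogonRight($Rights, [string]$Allow, [string]$Deny, [string[]]$TokenSids) {
    $denyHit  = @($TokenSids | Where-Object { $Rights[$Deny]  -contains $_ })
    $allowHit = @($TokenSids | Where-Object { $Rights[$Allow] -contains $_ })
    # The deny right has precedence over the matching allow right.
    if ($denyHit.Count)  { return "denied by $Deny" }
    if ($allowHit.Count) { return "allowed by $Allow" }
    'denied (no allow entry matches)'
}

$rights = Get-LogonRights $inf
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed domain SID
# Constructed tokens: the user's own SID plus the group SIDs in the logon token.
$tokens = [ordered]@{
    'alice'      = "$dom-1104", 'S-1-5-11'
    'svc-backup' = "$dom-1105", 'S-1-5-11'
    'helpdesk1'  = "$dom-1106", 'S-1-5-11', 'S-1-5-32-555'
}
foreach ($who in $tokens.Keys) {
    [pscustomobject]@{
        Account = $who
        Console = Test-LogonRight $rights SeInteractiveLogonRight SeDenyInteractiveLogonRight $tokens[$who]
        RDP     = Test-LogonRight $rights SeRemoteInteractiveLogonRight SeDenyRemoteInteractiveLogonRight $tokens[$who]
    }
}
```

Here svc-backup is a member of Authenticated Users (S-1-5-11) yet is refused at the console because its SID appears in the deny right, which is the grant-broadly, deny-specifically pattern described above.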
Another very efficient mechanism to restrict a user's interactive logon rights is to restrict the machines to which a user can log on interactively. AD administrators can restrict to which domain machines a domain user can log on interactively by using the AD Log On To user account property. You can access this property from the Account tab of the user's account properties (as Figure 1 shows) in the MMC AD Users and Computers snap-in. To restrict the machines a user can log on to interactively, select The following computers radio button. You can then add machines by typing their NetBIOS name in the Computer Name field and clicking Add. AD stores this data as a comma-separated list in the userworkstations user account AD attribute. The Log On To domain user account property doesn't affect a user's capability to log on locally to a machine using a local account.
The Account tab in the AD Users and Computers user account properties contains another feature that you can use to restrict a user's logon behavior: the Logon Hours button allows an AD administrator to restrict the hours a user can log on to the domain. These time restrictions apply to all logon types (not only interactive logon, but also network logon) and don't impact a user's capability to log on locally to a machine using a local account.
The Log On To and Logon Hours domain user account restrictions also apply when a user starts a secondary logon session or when a user logs on using a Terminal Services or Remote Desktop connection.
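
The two account restrictions can be audited from the directory rather than one property sheet at a time. The following added example (not part of the original article) evaluates the comma-separated Log On To list and decodes the Logon Hours value for two constructed accounts; the logonHours attribute name and its 21-byte UTC bitmap layout are stated here from general AD knowledge, not from the article, and all account and computer names are constructed.

```powershell
# Constructed sample data. With the ActiveDirectory module, real values come from:
#   Get-ADUser -Filter * -Properties userWorkstations, logonHours
# and the Log On To list can be set with:
#   Set-ADUser jdoe -LogonWorkstations 'WKS-101,WKS-102'
# logonHours is 21 bytes: one bit per hour of the week in UTC, starting Sunday 00:00.
$officeHours = [byte[]](@(0,0,0) + (@(0,0xFF,0x03) * 5) + @(0,0,0))  # Mon-Fri 08:00-18:00 UTC
$accounts = @(
    [pscustomobject]@{ Sam = 'jdoe';    userWorkstations = 'WKS-101,WKS-102'; logonHours = $officeHours }
    [pscustomobject]@{ Sam = 'svc-sql'; userWorkstations = $null;             logonHours = $null }
)

function Test-LogonWorkstation([string]$UserWorkstations, [string]$Computer) {
    # An unset attribute means the account may log on to all computers.
    if ([string]::IsNullOrWhiteSpace($UserWorkstations)) { return $true }
    @($UserWorkstations -split ',' | ForEach-Object { $_.Trim() }) -contains $Computer
}

function Test-LogonHour([byte[]]$LogonHours, [datetime]$WhenUtc) {
    # An unset attribute means no time restriction.
    if (-not $LogonHours) { return $true }
    $bit = [int]$WhenUtc.DayOfWeek * 24 + $WhenUtc.Hour   # Sunday is day 0
    [bool]($LogonHours[$bit -shr 3] -band (1 -shl ($bit -band 7)))
}

$when = [datetime]::new(2006, 3, 27, 22, 0, 0)   # a Monday, 22:00, treated as UTC
foreach ($a in $accounts) {
    [pscustomobject]@{
        Account          = $a.Sam
        LogOnTo          = if ($a.userWorkstations) { $a.userWorkstations } else { '(all computers)' }
        'On WKS-101'     = Test-LogonWorkstation $a.userWorkstations 'WKS-101'
        'On SRV-DB01'    = Test-LogonWorkstation $a.userWorkstations 'SRV-DB01'
        'Mon 22:00 UTC'  = Test-LogonHour $a.logonHours $when
        Unrestricted     = (-not $a.userWorkstations) -and (-not $a.logonHours)
    }
}
```

Accounts reported as Unrestricted, such as the constructed svc-sql, are the ones to review first, since neither restriction limits where or when they can log on.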
on Mar 28, 2006
Justin (not verified)
I think MS should think out of the box and incorporate the feature of Virtual PC into Vista, in a way that allows people to use the virtual environment to protect the host from anything the Internet has to offer. I personally use the Internet free from all hacker frustration installing Windows XP Pro off a .vhd file enabling the undo disk feature to erase hacker, virus, malware, spyware, etc from existence. I do this by burning the .vhd file to CD and then using the undo disk feature to recover instantly from any issues regarding any attacks against my Internet experience. I only install Internet speaking apps in the virtual world, leaving the host with nothing but local apps and games that never need to see the light of the Internet, this along with the standard security protection, antivirus, firewalls, antispyware, loopback configured host files that would prevent most of these types of attacks from harming my system. I still see things that attack the system, but these viruses, and trojans think they are attacking a real system and in fact it is more like a honeypot. Furthermore I prevent the local host from being able to see the internet using the firewall and disabling services that are required to make it work on the local host all while being able to surf even known dangerous sites without worry or concern because I have taken my focus away from the unsuccessful task of preventing these kinds of attacks, and put it on instant recovery instead. I still protect the system in all of the traditional ways but now I can do whatever I want on the Internet and stick it to the attackers another way. MS needs to build a Virtual PC app into Vista to allow this kind of technique to be used widespread. To me it is the closest thing to being unhackable since the CD-ROM is read only the best they can do to me is wreak my temp .vhd which I can turn off and patch then surf again. Thanks, JustinKaliskalisjr@yahoo.com
Copyright 2015 Penton
http://windowsitpro.com/security/restrictinginteractiveuserlogons