Jump to content
Compatible Support Forums
Sign in to follow this  
GTwannabe

Denying Win 2003 Active Directory Users Local Logon

Recommended Posts

I wrote a script to automatically install network printers on client machines. The intended clients will not be logging into the domain, so I need to specify a domain account and password to allow them to map to the printer share. I created a user "printonly", which I only need to authenticate users so they can reach the share.

 

However, I do not want the "printonly" account to be able to interactively logon to desktops (effictively bypassing security if someone digs the username/pwd out of the install .EXE) There doesn't seem to be a simple way to do this in Windows Server 2003.

 

2000 had an option called "deny local logon"; this is what I want to accomplish. However, all the options I tried to restrict printonly's local logon ability have also affected its ability to access the printer share.

 

How do I disable this account's ability to logon locally without also knocking out the printer share login?

Share this post


Link to post

I tried to deny all the logons except Batch for printonly, but it seems to make no difference. Sometimes active directory is sluggish about making those account updates, so I'll leave the changes and see if it kicks in later.

Share this post


Link to post

I just checked a 2k3 DC and Deny logon locally is still an option in group policy.

 

It's under Computer config -> Windows settings -> Security Settings -> User Rights Assignment.

 

Also, have you granted the account the Access this computer from the network right?

Share this post


Link to post

Where is "Computer Config"? I'm not seeing it.

 

I have tried setting permissions in both "Domain Controller Security Policy" and "Domain Security Policy"; neither have any effect on printonly's ability to interactively login at a desktop machine.

 

This one's got me puzzled...

Share this post


Link to post

Open Active Directory Users and computers. Right click on your domain and choose properties. Choose group edit tab and edit properties on your default domain policy. You will see computer configuration. This is what I was talking about earlier.

Share this post


Link to post

I've set "Deny Logon Locally" in the Group Policy Object Editor. Didn't make any difference; the printonly account was still able to interactively login at a desktop.

 

I also created an OU called "Restricted Users" and put the printonly account in there. I edited the policy for the new OU as well, but it's still not preventing printonly from logging onto desktops.

Share this post


Link to post

Try placing moving a computer account into your Restricted users group and reboot it.

 

This policy has to be applied to a computer for it to have effect.

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×