How to prevent domain administrator login on workstations?

  #1 ronanian

    I'd like to prevent the domain administrator account from logging in to PCs. I'd like it to only be able to login to servers. Is that easy to do?

    (Let's not discuss why...)

  #2 Mcshammer_dj

    Use the security settings to set which accounts are allowed to log on locally.

  #3 jamesb
    Create a GPO denying the domain admin account interactive logon rights and apply it to any OUs which contain client machines. Make sure your servers and DCs are in another OU.

    Thanks to jamesb from: ronanian (4th August 2009)
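The GPO approach jamesb describes, as an added PowerShell example that is not from this thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the OU path, GPO name and account name are placeholders. It first checks that the workstation OU contains no server-class computers (the "servers and DCs in another OU" point), then creates and links the GPO, and finally gives a check to run on a client to confirm the deny right really landed on the account. The user right itself cannot be written by the GroupPolicy cmdlets, so that one step is left to the GPMC editor.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory and GroupPolicy
# modules; run as an account allowed to create and link GPOs. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$WorkstationOU = 'OU=Workstations,DC=example,DC=local'          # placeholder OU
$GpoName       = 'Workstations - Deny Admin Interactive Logon'   # constructed name

# 1. Safety check: refuse to link a deny-logon policy at an OU that still holds server-class
#    machines or DCs, since the right would lock admins out of those too.
function Test-OUHasNoServers {
    param([string]$SearchBase)
    $servers = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem
    if ($servers) {
        $servers | Select-Object Name, OperatingSystem, DistinguishedName | Format-Table -AutoSize
        return $false
    }
    return $true
}

# 2. Create the GPO (idempotently) and link it to the workstation OU only.
function New-DenyAdminLogonGpo {
    param([string]$Name, [string]$TargetOU)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Denies interactive logon by domain admin accounts on client machines'
    }
    $alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# 3. Verification on a client after gpupdate: export the effective user rights with secedit and
#    confirm the account's SID is listed under SeDenyInteractiveLogonRight ("Deny log on locally").
function Test-DenyLogonApplied {
    param([string]$Account)   # e.g. 'EXAMPLE\Administrator' (placeholder)
    $inf = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = (Select-String -Path $inf -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1).Line
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # secedit writes resolved principals as *S-1-5-21-...; unresolved ones may appear as plain names.
    return [bool](($line -match [regex]::Escape("*$sid")) -or ($line -match [regex]::Escape($Account)))
}

if (Test-OUHasNoServers -SearchBase $WorkstationOU) {
    $gpo = New-DenyAdminLogonGpo -Name $GpoName -TargetOU $WorkstationOU
    Write-Host "GPO '$($gpo.DisplayName)' linked to $WorkstationOU."
    Write-Host 'Now set the right in GPMC: Computer Configuration > Policies > Windows Settings >'
    Write-Host 'Security Settings > Local Policies > User Rights Assignment > "Deny log on locally".'
} else {
    Write-Warning "Server-class computers found under $WorkstationOU; move them before linking."
}
```

Run `Test-DenyLogonApplied -Account 'EXAMPLE\Administrator'` on a workstation after `gpupdate /force`; a `$false` result usually means the OU link or security filtering is wrong rather than the right itself. Keep at least one admin session open on a server while testing, for the reason that comes up later in this thread.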

  #4 _techie_
    In AD, you can set the user to only allow logon to X workstations/servers. We have done this with one of our students, since he was being a pain, and we wanted to keep an eye on him. It was also made clear to teaching staff that they should not allow him to use a computer in any room other than the specified one.

    In AD, select the user account you wish to use, then right-click, Properties, the Account tab, and the Log On To button. You can then specify which machines/servers the account is able to log on to. We have a server account especially for this.

    HTH
    Mark

    Thanks to _techie_ from: ronanian (4th August 2009)
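The "Log On To" restriction Mark describes, as an added PowerShell example that is not from this thread (it assumes the RSAT ActiveDirectory module; account and computer names are placeholders). The dialog writes the userWorkstations attribute, which the AD cmdlets expose as LogonWorkstations. The functions read, merge into, clear and verify that list rather than overwriting it, because a mistyped or dropped name means the account cannot log on to the machine you meant.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module; account and
# computer names below are placeholders.
Import-Module ActiveDirectory

# The "Log On To" dialog stores a comma-separated list of NetBIOS computer names in the
# userWorkstations attribute; Get-ADUser exposes it as LogonWorkstations. Empty = any computer.
function Get-LogonWorkstationList {
    param([string]$Identity)
    $value = (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ })
}

# Merge rather than overwrite, so adding a lab machine does not silently drop the existing ones.
function Add-LogonWorkstation {
    param([string]$Identity, [string[]]$Computer)
    $merged = @(Get-LogonWorkstationList -Identity $Identity) + @($Computer | ForEach-Object { $_.ToUpper() })
    $merged = @($merged | Select-Object -Unique)
    Set-ADUser -Identity $Identity -LogonWorkstations ($merged -join ',')
    return $merged
}

# Clear the list again, restoring the default of "all computers".
function Clear-LogonWorkstationList {
    param([string]$Identity)
    Set-ADUser -Identity $Identity -Clear userWorkstations
}

# Return any entries that do not match a computer object in the domain (typos, renamed or
# retired machines). Such entries grant nothing; they just leave the user locked out of the
# machine you intended.
function Test-LogonWorkstationList {
    param([string]$Identity)
    return @(Get-LogonWorkstationList -Identity $Identity | Where-Object {
        -not (Get-ADComputer -Filter "Name -eq '$_'")
    })
}

# Usage with placeholder names: restrict a student account to two lab machines.
Add-LogonWorkstation -Identity 'student01' -Computer 'LAB-PC01', 'LAB-PC02'
Test-LogonWorkstationList -Identity 'student01'   # names that do not resolve to computer objects
```

If you apply this to a privileged account (the thread's "server account" idea), the list must include every server and DC that account still needs, because the restriction is an allow list: anything not named is refused, including the machine you are sitting at.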

  #5 powdarrmonkey

    (Disable the account.)

  #6 srochford

    If this is the "administrator" domain account I suspect there's no clean way of blocking it (and even if there is, the administrator can just reverse the changes - they've got god rights in the domain!)

    If you're running a login script then you could easily put a check to see if the user is domain admin and, if so, log them out.

    Thanks to srochford from: ronanian (4th August 2009)

  #7 ronanian
    Thanks everyone, those are all good ideas. I think I can work with it now.

  #8 jamesb

    Quote Originally Posted by srochford:
        If this is the "administrator" domain account I suspect there's no clean way of blocking it (and even if there is, the administrator can just reverse the changes - they've got god rights in the domain!)

        If you're running a login script then you could easily put a check to see if the user is domain admin and, if so, log them out.

    Oh, trust me, you can block it from logging on, as I discovered once while having a play in AD (VM, not live).

    Removed interactive logon for all admin users, and had to restore the VM from snapshot.

  #9 srochford

    Quote Originally Posted by jamesb:
        Oh, trust me, you can block it from logging on, as I discovered once while having a play in AD (VM, not live).

        Removed interactive logon for all admin users, and had to restore the VM from snapshot.

    Grand :-)

    I would always leave at least one machine logged on when you're doing things like this as a "just in case".

    If you were able to log on to a machine in the virtual domain (even as a non-admin) I think you might have been able to do a "runas" to start an elevated command prompt (I think blocking interactive login only blocks pressing Ctrl+Alt+Del to log in, not things like web access or process elevation).

    You could then run up group policy editor and make the changes or use regedit to blank out the policy settings on that machine. Provided you logged off/on quickly you ought to be able to get in as an admin before policy is re-enforced.

    One last point for the OP - if you absolutely must stop admins logging on to workstations then it's likely to be hard. If you just want to remind them that it's a really bad idea then just popping up a message and logging them off would probably do the trick!
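The login-script check srochford suggests in #6, with the "pop up a message and log them off" variant from his last paragraph, as an added PowerShell example that is not from this thread. It assumes it runs as a user logon script assigned by GPO; the event source name is a placeholder. It only acts when the machine reports itself as a workstation (so it cannot lock you out of a server or DC the way the deny-right experiment above did), identifies domain admins by the well-known RID 512 of the user's own domain plus the built-in Administrator RID 500, writes an event so the logon can be collected, and then logs the user off. As the thread already says, this is a reminder rather than a control: a domain admin can remove the script or the policy.

```powershell
# Added example, not from the thread. Meant to run from a user logon script assigned by GPO.
# It is a reminder, not a boundary: a domain admin can remove the script or the policy.
Add-Type -AssemblyName System.Windows.Forms

$EventSource = 'AdminLogonGuard'   # placeholder; register once per machine with New-EventLog

function Test-IsWorkstation {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    return ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1)
}

function Get-DomainAdminLogon {
    # Returns the account name if the current user is the built-in domain Administrator (RID 500)
    # or a member of Domain Admins (RID 512) in their own domain; otherwise $null.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid
    if (-not $domainSid) { return $null }                      # local account: no domain SID
    $adminSid  = "$($domainSid.Value)-500"
    $daSid     = "$($domainSid.Value)-512"
    if ($identity.User.Value -eq $adminSid) { return $identity.Name }
    # Groups includes deny-only entries, so a UAC-filtered token still reveals DA membership.
    if ($identity.Groups | Where-Object { $_.Value -eq $daSid }) { return $identity.Name }
    return $null
}

function Invoke-AdminLogonGuard {
    param([switch]$WhatIf)
    if (-not (Test-IsWorkstation)) { return 'skipped: not a workstation' }
    $account = Get-DomainAdminLogon
    if (-not $account) { return 'allowed' }

    $msg = "$account is a domain admin account. Admin accounts must not be used on workstations; " +
           "you will be logged off. Use a standard account and 'Run as' for admin tasks."
    # Record it so the event collector / SIEM sees who did this and where; ignore failures
    # (for example the source not being registered yet) rather than abort the logoff.
    try {
        Write-EventLog -LogName Application -Source $EventSource -EventId 4001 `
            -EntryType Warning -Message "$account logged on interactively to $env:COMPUTERNAME"
    } catch { }
    if ($WhatIf) { return "would log off $account" }

    [System.Windows.Forms.MessageBox]::Show($msg, 'Logon policy', 'OK', 'Warning') | Out-Null
    & logoff.exe
    return "logged off $account"
}

Invoke-AdminLogonGuard
```

Run `Invoke-AdminLogonGuard -WhatIf` interactively first to see which branch fires; the event it writes (ID 4001 from the placeholder source) is what you would alert on centrally, since the logoff itself is easily undone by anyone with the rights the script is looking for.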
