Friday, May 17, 2013

Prevent domain users from logging into computer

We have a number of laptops that are in a common area (i.e. conference rooms, shared amongst staff) as well as out in the field, where they are used more as a "thin client" to connect back to a Citrix environment.  On these laptops we don't want people logging in with their domain account and having the ability to copy sensitive files to the local disk.  We also don't want a specific domain user logging into a laptop and then walking off without logging off, which effectively prevents the next user from accessing the computer (unless they hard-power the system, which isn't what we want).

In the past with Windows XP I was able to quickly remove this access for domain users, while not affecting domain admins, by removing the following groups from the local "Users" group via a script during setup:
Net localgroup users "domainname\Domain Users" /delete
Net localgroup users "NT Authority\Interactive" /delete
Net localgroup users "NT Authority\Authenticated Users" /delete

If you attempt this in Windows Vista and above it results in slow logon, slow logoff, a blank desktop, etc.  I.e., it doesn't work.

The easy way around this (and the proper fix anyways) is to simply limit the "allow logon to this computer" setting in GPO.

If you open gpedit.msc on the local machine you can see the default entries for this setting.

So we can see that we can easily remove the "Users" group from the list.  This will prevent anyone who falls in the local "Users" group from logging in.

Now you need to add the specific accounts that you do want to allow to log in.
These could, for example, be a specific local account or specific domain user accounts.

I highly recommend that rather than doing this with the local GPO you do it in the domain GPO, with an OU-specific GPO that contains only the computers you want it to affect.  Ensure you don't link the GPO at the wrong OU or you'll cause havoc across your environment.

Note: depending on your environment setup this could have unexpected results.  Specifically, if you have certain non-admin user accounts that have to access the system for certain tasks (backups, services, scanning, etc.), those accounts also need to be considered.
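Before linking the GPO to the production OU it is worth confirming, on a single test laptop, exactly which accounts currently hold the interactive logon right and that the administrators group is still among them. The PowerShell script below is an added example, not part of the original post: it exports the local User Rights Assignment with secedit (run from an elevated prompt), parses the SeInteractiveLogonRight and SeDenyInteractiveLogonRight entries, translates the SIDs to account names, and warns if "Users" still has the right or "Administrators" has lost it. The temp file path and the name of the helper function are my own choices.

```powershell
# Added example (not from the original post): audit who holds the interactive
# logon right on the local machine after the GPO change has been applied.
# Requires an elevated prompt because secedit /export reads the security database.

# Temp file for the exported policy (assumed location; any writable path works)
$ExportPath = Join-Path $env:TEMP 'userrights.inf'

# /areas USER_RIGHTS limits the export to the [Privilege Rights] section
secedit /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null

$infLines = Get-Content $ExportPath
Remove-Item $ExportPath -ErrorAction SilentlyContinue

# Hypothetical helper: return the account names assigned to one user right.
# Lines in the .inf look like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
function Get-RightMembers {
    param([string[]]$Lines, [string]$Right)

    $line = $Lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right is not assigned to anyone

    $values = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($v in $values) {
        $v = $v.Trim()
        if ($v.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate to DOMAIN\Name when possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $v }
        } else {
            $v   # already a plain account name
        }
    }
}

$allow = @(Get-RightMembers -Lines $infLines -Right 'SeInteractiveLogonRight')
$deny  = @(Get-RightMembers -Lines $infLines -Right 'SeDenyInteractiveLogonRight')

Write-Output 'Allow log on locally:'
$allow | ForEach-Object { Write-Output "  $_" }
Write-Output 'Deny log on locally:'
$deny  | ForEach-Object { Write-Output "  $_" }

# The two checks the post's scenario needs: Users gone, Administrators still present.
if ($allow -contains 'BUILTIN\Users') {
    Write-Warning "'Users' still holds the right; domain users can still log on interactively."
}
if ($allow -notcontains 'BUILTIN\Administrators') {
    Write-Warning "'Administrators' is not in the list; you risk locking admins out of the console."
}
```

Two caveats the output helps with: an account that appears under "Deny log on locally" is blocked even if it is also in the allow list, since the deny right takes precedence; and the service and backup accounts mentioned in the note above usually rely on the separate service or batch logon rights rather than the interactive one, so removing "Users" from this setting does not by itself stop a scheduled task or service from running, but it does stop that account from opening a console session.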
