Remotely manage Local Security Settings?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

StumpedTechy

Thread Starter
Joined
Jul 7, 2004
Messages
7,235
On all XP machines there is a Local Security Settings plugin that allows you to Deny users logins -

Administrative Tools > Local security settings > Local policies > User Rights Assignment > Deny log on locally

Is there any way to modify this setting on a remote computer short of having to Remote Desktop to it and bring it down? Nowhere in the box is any option to connect to a remote computer.

I guess this could be put in the XP section.
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,225
As a domain admin, you can use mmc to set up the Local Group Policy on any machine.

(I think you can :D I will need to check my notes but I'm sure you can)
 

StumpedTechy

Thread Starter
Joined
Jul 7, 2004
Messages
7,235
Recheck your notes; I can't see the local security settings anywhere on the domain policies. When I connect to the PC remotely using the mmc this only shows a limited number based on the domain information (but does not connect to the local).

I found a MS KB article - http://support.microsoft.com/kb/Q274478

But this is really talking about 2000 and NT and we're on XP and 2003. I did try the middle section about "Take the entries found in the Local Group Policy Object which are stored in the %Systemroot%\System32\GroupPolicy folder, and then copy them to other clients where you also want to apply these Local Group Policy settings." Which sounded like it should work... but didn't apply on the copied to PC.
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,225
Go to MMC > File > add/remove snap in > Add > select Group Policy Object Editor > click Browse > select Computers Tab, add the computer name > OK the rest.

Pictures are end result. But having said that, I could not find for the life of me the Deny Log On Locally. I thought it was in GP.
 

Attachments

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,225
I think that's not the right thing... oops :eek:
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,225
Hey ST:

I spoke to my Network Admin teacher and he suggested something which I'm sure you have seen, but if you are wanting a user to log in only to one machine, then under the properties of the user account > Account tab > Log On To button and then you can specify the computer/s that the user can use. Is that what you are looking for?
 

StumpedTechy

Thread Starter
Joined
Jul 7, 2004
Messages
7,235
Yup... the problem is we want most users to be able to move around so this log onto is too restrictive. The path/instructions you provided does not show the Deny log onto. Actually I think that is just a listing of the GPO not Local machine policy of what is set for the PC in question.
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,225
You are correct, I was thinking of the GPO and not Local Security. My teacher said probably the only other way is by a script. (again!) :D

I think that the Log On To is the better option. Some of the users can't have everything you know ;) :D
 

StumpedTechy

Thread Starter
Joined
Jul 7, 2004
Messages
7,235
LOL that's many users to have to lock down though. This way would be a change to only 24 PCs effectively stopping the exact thing we want... I just can't find the solution. You know anything about making Policy templates? Maybe I can export something then make it import on login?
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,225
There is a Security Templates snap in. I was able to right click on the location and it says new template. But the only thing is that how are you going to get it to activate without RM or getting to the machine.
 

StumpedTechy

Thread Starter
Joined
Jul 7, 2004
Messages
7,235
This isn't looking promising -

"Unfortunately, local Group Policy by definition is local to each Windows 2000 computer and as such there is no Microsoft central configuration tool to help you define a standard LGPO you want to deploy onto each machine. You can’t, as you might think, simply copy a configured computer’s GPO folder onto another computer. However, you can export and import the security policy within the local GPO together with additional security settings such as registry settings, service configurations, and ACLs. This is done using Microsoft’s Security Configuration and Analysis, which is covered next."

I have been doing some looking around and local GPO manipulation seems a bit complex and convoluted without being straightforward - http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch05.mspx

I am gonna have to go over this with a fine tooth comb but it sure doesn't seem easy.
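
The export/import route mentioned in the quoted passage, sketched as an added example that is not part of the original thread: a batch script that applies a security template containing only the "Deny log on locally" right with `secedit`, the command-line counterpart of Security Configuration and Analysis. The group name `EXAMPLE\RestrictedUsers` and the `C:\SecTemplate` paths are placeholders, and the script is assumed to run on each target PC with administrative rights.

```batch
@echo off
rem Added example: set "Deny log on locally" from a security template.
rem EXAMPLE\RestrictedUsers and C:\SecTemplate are placeholders (assumptions).
setlocal
set WORKDIR=C:\SecTemplate
set TEMPLATE=%WORKDIR%\deny-local-logon.inf
set BEFORE=%WORKDIR%\user-rights-before.inf
set AFTER=%WORKDIR%\user-rights-after.inf
set DB=%WORKDIR%\deny-local-logon.sdb
set LOG=%WORKDIR%\deny-local-logon.log

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem 1. Export the current user rights so the change can be reviewed or reverted.
secedit /export /cfg "%BEFORE%" /areas USER_RIGHTS /quiet
if errorlevel 1 goto failed

rem 2. Write a template that carries only the one right.
rem    The list given here REPLACES the machine's current list for this right,
rem    so include every account that must stay denied, and never a group that
rem    contains the administrators who still need console access.
> "%TEMPLATE%" (
  echo [Unicode]
  echo Unicode=yes
  echo [Version]
  echo signature="$CHICAGO$"
  echo Revision=1
  echo [Privilege Rights]
  echo SeDenyInteractiveLogonRight = EXAMPLE\RestrictedUsers
)

rem 3. Apply only the user-rights area of the template to the local policy.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /areas USER_RIGHTS /log "%LOG%" /quiet
if errorlevel 1 goto failed

rem 4. Export again and show the resulting entry. The export is a Unicode
rem    file, so it is piped through "type" before findstr reads it.
secedit /export /cfg "%AFTER%" /areas USER_RIGHTS /quiet
type "%AFTER%" | findstr /i "SeDenyInteractiveLogonRight"
goto end

:failed
echo secedit returned an error, see %LOG%
exit /b 1

:end
endlocal
```

Comparing `user-rights-before.inf` with `user-rights-after.inf` shows exactly what changed on the machine; re-applying the "before" file with the same `secedit /configure` command restores the earlier assignment.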
 