prevent new user creation?

[tom12010]

I've wondered about this for a long time.

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

How can one prevent this??

I think the same would happen on a standalone box, too.

What I would like is a way such that no new users can be added to any XP box in any way except when explicitly created by an administrator on that local box (this would be after setup, when the requisite administrator and additional user are created for using the box).

Thank you, Tom

[Jonny Wright]

Im not sure I fully understand your question but I will have a go...

Firstly if you make all other user account types on the PC to "Limited Account" I dont think they can create new users.

Secondly have a look at your Group Policy Editor (Start, Run, "gpedit.msc"). It is a powerful tool to control such things. There is in fact a whole section called "User Rights Assignment" so I would have a look in there.

Hope that helps?

Jonny

PS I had a quick look in there and couldn't see exactly what you were after but I am sure I have seen it in there before, just a case of finding it...good luck!

[tom12010]

Hi Jonny,

I'm aware of group policy, but I also don't know what policy settings would be involved, but User Rights Management might be where I could start...at least in the local group policy etc.

As to limited users vs. admins, I'm completely aware of this, but that's not what I am talking about.

I'll try one more time to explain the scenario I want to avoid.

You have an XP box in a domain which requires Ctrl-Alt-Del to log in.

Person, anyone, walks up to XP box, hits C-A-D, types in legit domain ID/password, boom!!

New user profile on the box, new desktop, person can proceed to do work, mess with files, etc.

Has nothing to do with type of user, has everything to do with XP allowed a domain logon of an ID/pass that should not be logging in locally to that XP box.

Same would happen if you logged in to the XP box as a domain admin.

What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass.

Clearer now??

Thanks, Tom

[Joel]

  tom12010 said:

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to logon to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... User that to define which PCs the users can use.

[tom12010]

  Joel said:

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to logon to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... User that to define which PCs the users can use.

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

[Joel]

  tom12010 said:

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machine that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't logon to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

[tom12010]

  Joel said:

Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machine that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't logon to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

Security mainly. I understand that you're talking about the machine's properties in ADUC within the domain. However, I would like to have this work regardless of whether the XP box is in a domain or not, so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

However, I will try this in ADUC and see what happens.

Thank you, Tom

[Joel]

  tom12010 said:

so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

Don't make anyone an admin, then they can't create accounts. Simple.

  tom12010 said:

Security mainly.

In a domain, what part of what you want to do makes the computer more secure?

[D1m3b4g]

Easy...

Create a group policy object, scope it down to an active directory group, fill up the group with machine accounts that you want to aim the policy at.

Remove authenticated users from the scope, purely put the AD group into the scope.

Attach group policy object to the OU the machines sit in, if you need to create a new sub OU and group the machines, do so.

(You might not need to remove authenticated users from the scope if you create an entirely new OU, just be careful what gets dropped into that OU)

In the policy, edit the computer settings and find:

Computer Configuration

(2008 only) Policies

Windows Settings

Security Settings

Local Policies

User rights assignment

Deny logon locally

Enter the groups / accounts within that element to stop a user with a domain account walking up to the box and being able to login locally.

Remember if you add "Domain users" it will affect anyone part of the domain users group, including administrators.

Be careful what you put in this element...

Wait for or force replication, update the policy on the client, result.

What you can not do, is set an option that will only allow login on detection of a local profile already existing.

I'd say this was more down to your delegation model as to whom can logon to the box locally and who can't.

Sort that out and you won't need to worry about whether a profile already exists.

If you want to do this on boxes that are not on a domain it's certainly do-able but far harder to administer, maintain and ultimately recover from if you ever get locked out. You can just use secpol.msc to open up the local security policy on the machine and configure it. If you want to maintain this across the board, set the options as part of the image for the PC then sysprep it before deployment (if you use automated builds). Otherwise there might be some sort of batch you can run with admin credentials to manipulate the registry and set this manually, I'm not overly sure.

Paul

Edited October 14, 2009 by D1m3b4g