prevent new user creation?


Recommended Posts

I've wondered about this for a long time.

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

How can one prevent this??

I think the same would happen on a standalone box, too.

What I would like is a way such that no new users can be added to any XP box in any way except when explicitly created by an administrator on that local box (this would be after setup, when the requisite administrator and additional user are created for using the box).

Thank you, Tom

Link to comment
https://www.neowin.net/forum/topic/605812-prevent-new-user-creation/
Share on other sites

Im not sure I fully understand your question but I will have a go...

Firstly if you make all other user account types on the PC to "Limited Account" I dont think they can create new users.

Secondly have a look at your Group Policy Editor (Start, Run, "gpedit.msc"). It is a powerful tool to control such things. There is in fact a whole section called "User Rights Assignment" so I would have a look in there.

Hope that helps?

Jonny

PS I had a quick look in there and couldn't see exactly what you were after but I am sure I have seen it in there before, just a case of finding it...good luck!

post-47587-1197240838_thumb.jpg

Hi Jonny,

I'm aware of group policy, but I also don't know what policy settings would be involved, but User Rights Management might be where I could start...at least in the local group policy etc.

As to limited users vs. admins, I'm completely aware of this, but that's not what I am talking about.

I'll try one more time to explain the scenario I want to avoid.

You have an XP box in a domain which requires Ctrl-Alt-Del to log in.

Person, anyone, walks up to XP box, hits C-A-D, types in legit domain ID/password, boom!!

New user profile on the box, new desktop, person can proceed to do work, mess with files, etc.

Has nothing to do with type of user, has everything to do with XP allowed a domain logon of an ID/pass that should not be logging in locally to that XP box.

Same would happen if you logged in to the XP box as a domain admin.

What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass.

Clearer now??

Thanks, Tom

  tom12010 said:
In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to logon to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... User that to define which PCs the users can use.

  Joel said:
In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to logon to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... User that to define which PCs the users can use.

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

  tom12010 said:
I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machine that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't logon to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

  Joel said:
Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machine that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't logon to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

Security mainly. I understand that you're talking about the machine's properties in ADUC within the domain. However, I would like to have this work regardless of whether the XP box is in a domain or not, so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

However, I will try this in ADUC and see what happens.

Thank you, Tom

  tom12010 said:
so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

Don't make anyone an admin, then they can't create accounts. Simple.

  tom12010 said:
Security mainly.

In a domain, what part of what you want to do makes the computer more secure?

  • 1 year later...

Easy...

Create a group policy object, scope it down to an active directory group, fill up the group with machine accounts that you want to aim the policy at.

Remove authenticated users from the scope, purely put the AD group into the scope.

Attach group policy object to the OU the machines sit in, if you need to create a new sub OU and group the machines, do so.

(You might not need to remove authenticated users from the scope if you create an entirely new OU, just be careful what gets dropped into that OU)

In the policy, edit the computer settings and find:

Computer Configuration

(2008 only) Policies

Windows Settings

Security Settings

Local Policies

User rights assignment

Deny logon locally

Enter the groups / accounts within that element to stop a user with a domain account walking up to the box and being able to login locally.

Remember if you add "Domain users" it will affect anyone part of the domain users group, including administrators.

Be careful what you put in this element...

Wait for or force replication, update the policy on the client, result.

What you can not do, is set an option that will only allow login on detection of a local profile already existing.

I'd say this was more down to your delegation model as to whom can logon to the box locally and who can't.

Sort that out and you won't need to worry about whether a profile already exists.

If you want to do this on boxes that are not on a domain it's certainly do-able but far harder to administer, maintain and ultimately recover from if you ever get locked out. You can just use secpol.msc to open up the local security policy on the machine and configure it. If you want to maintain this across the board, set the options as part of the image for the PC then sysprep it before deployment (if you use automated builds). Otherwise there might be some sort of batch you can run with admin credentials to manipulate the registry and set this manually, I'm not overly sure.

Paul

Edited by D1m3b4g
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • I see the Winblows 11 BETA testing continues. This is just Windows 10 all over again. Oh well, everything is still smooth sailing over here on Windows 10 21H2 LTSC. You unpaid sheep BETA testers be sure to let us know when you get done BETA testing Winblows 11 for the rest of us. 🤣
    • What do you expect? Windows 11 is still in BETA. This is Windows 10 all over again. M$ doesn't hire people to do BETA testing anymore. They just let all the dumb sheep with FOMO do all the BETA testing for them. It's the same dumb sheep who use self-checkout at the store and do someone else's job for FREE! All while the worker who's getting paid just stands there and watches them. 🤣 🤡
    • Pet peeve: Microsoft using scaling options to get around the fact they removed font size settings, as if that's somehow acceptable to do. Thankfully third party apps still can adjust font sizes just fine, even though it often randomly resets on OS updates. And the funny thing is that not only are the scaling options horrible crutches, but they only work in some applications. And, ironically enough, even some apps from Microsoft themselves have hardcoded tiny fonts in certain dialogs in them. Example - certain parts of MS Office apps UI.
    • Unofficial script does the most useful official Windows 11/10 repairs you want automatically by Sayan Sen IT admins and system admins, and even home users have to run various Windows diagnostic runs from time to time in order to iron out or work around system problems. Last year, Microsoft published a guidance piece about various such native Windows apps, tools and utilities they include the like of Task Manager, Registry Editor, and more. Aside from them, Windows also comes with SFC (System File Checker) and DISM (Deployment Image Servicing and Management) to scan and fix corrupt and missing system files. Besides those, various other ways to help and diagnose network issues related to DNS (Domain Name System), among others, also exists. In order to save time running these, a Reddit user has created a new tool that automates all of these into a single package. The author writes that the Batch script (.BAT file) they have developed is "basically a one-stop script that can help clean up your system, run built-in diagnostics, fix common network issues, and generate system reports." The script is based on native Windows tools like netsh, ipconfig, systeminfo, among others, and the idea behind this is essentially to save time. The tool can be of help with Windows Update repairs, among others, something we all know is pretty common, and even Microsoft's own support articles may not prove to be helpful. Here is everything the utility can do for you: Run SFC, DISM, CHKDSK from a single menu Restart network adapters with auto-detection Flush or set DNS (Google, Cloudflare, or custom) Windows Update repair (resets services + cache) Generate system reports (saved as .txt files on Desktop) Show installed drivers Clean up temp files Registry backup and restore (manual) The latest version of the utility is now available for download on GitHub. The new version fixes issues related to admin privileges. As the script requires it to be run as an admin, it now restart itself to work in admin mode even if a user forgot to run it as an administrator. To download it, head over to its GitHub page here. The utility is named Windows Maintenance Tool. As always, though, make sure to back up your PC as this is an unofficial third-party app, and it's better if you test it first in a VM. Source: Lil_Batti (Reddit)
    • Come the hell on, do we need clickbait titles? "Overwatch 2" - 11 characters "a popular multiplayer hero shooter" - 34 characters What's the purpose here - delivering news or titles for clicks? I think we all know the answer. You're straying into "Number 7 on this list will SHOCK you" territory and while it may work on some crappy sites, this is why they are crappy sites. Just tell the story! Go back and look at popular articles that made Neowin what it was. Did they have headlines of "New OS from major technology conglomerate has astonishing new feature" or is it likely to tell the story succinctly and then elaborate within the content?
  • Recent Achievements

    • One Month Later
      CoolRaoul earned a badge
      One Month Later
    • First Post
      Kurotama earned a badge
      First Post
    • Collaborator
      Carltonbar earned a badge
      Collaborator
    • Explorer
      MusicLover2112 went up a rank
      Explorer
    • Dedicated
      MadMung0 earned a badge
      Dedicated
  • Popular Contributors

    1. 1
      +primortal
      508
    2. 2
      ATLien_0
      270
    3. 3
      +FloatingFatMan
      245
    4. 4
      +Edouard
      201
    5. 5
      snowy owl
      168
  • Tell a friend

    Love Neowin? Tell a friend!