prevent new user creation?


Recommended Posts

I've wondered about this for a long time.

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

How can one prevent this??

I think the same would happen on a standalone box, too.

What I would like is a way such that no new users can be added to any XP box in any way except when explicitly created by an administrator on that local box (this would be after setup, when the requisite administrator and additional user are created for using the box).

Thank you, Tom

Link to comment
https://www.neowin.net/forum/topic/605812-prevent-new-user-creation/
Share on other sites

Im not sure I fully understand your question but I will have a go...

Firstly if you make all other user account types on the PC to "Limited Account" I dont think they can create new users.

Secondly have a look at your Group Policy Editor (Start, Run, "gpedit.msc"). It is a powerful tool to control such things. There is in fact a whole section called "User Rights Assignment" so I would have a look in there.

Hope that helps?

Jonny

PS I had a quick look in there and couldn't see exactly what you were after but I am sure I have seen it in there before, just a case of finding it...good luck!

post-47587-1197240838_thumb.jpg

Hi Jonny,

I'm aware of group policy, but I also don't know what policy settings would be involved, but User Rights Management might be where I could start...at least in the local group policy etc.

As to limited users vs. admins, I'm completely aware of this, but that's not what I am talking about.

I'll try one more time to explain the scenario I want to avoid.

You have an XP box in a domain which requires Ctrl-Alt-Del to log in.

Person, anyone, walks up to XP box, hits C-A-D, types in legit domain ID/password, boom!!

New user profile on the box, new desktop, person can proceed to do work, mess with files, etc.

Has nothing to do with type of user, has everything to do with XP allowed a domain logon of an ID/pass that should not be logging in locally to that XP box.

Same would happen if you logged in to the XP box as a domain admin.

What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass.

Clearer now??

Thanks, Tom

  tom12010 said:
In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to logon to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... User that to define which PCs the users can use.

  Joel said:
In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to logon to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... User that to define which PCs the users can use.

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

  tom12010 said:
I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machine that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't logon to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

  Joel said:
Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machine that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't logon to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

Security mainly. I understand that you're talking about the machine's properties in ADUC within the domain. However, I would like to have this work regardless of whether the XP box is in a domain or not, so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

However, I will try this in ADUC and see what happens.

Thank you, Tom

  tom12010 said:
so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

Don't make anyone an admin, then they can't create accounts. Simple.

  tom12010 said:
Security mainly.

In a domain, what part of what you want to do makes the computer more secure?

  • 1 year later...

Easy...

Create a group policy object, scope it down to an active directory group, fill up the group with machine accounts that you want to aim the policy at.

Remove authenticated users from the scope, purely put the AD group into the scope.

Attach group policy object to the OU the machines sit in, if you need to create a new sub OU and group the machines, do so.

(You might not need to remove authenticated users from the scope if you create an entirely new OU, just be careful what gets dropped into that OU)

In the policy, edit the computer settings and find:

Computer Configuration

(2008 only) Policies

Windows Settings

Security Settings

Local Policies

User rights assignment

Deny logon locally

Enter the groups / accounts within that element to stop a user with a domain account walking up to the box and being able to login locally.

Remember if you add "Domain users" it will affect anyone part of the domain users group, including administrators.

Be careful what you put in this element...

Wait for or force replication, update the policy on the client, result.

What you can not do, is set an option that will only allow login on detection of a local profile already existing.

I'd say this was more down to your delegation model as to whom can logon to the box locally and who can't.

Sort that out and you won't need to worry about whether a profile already exists.

If you want to do this on boxes that are not on a domain it's certainly do-able but far harder to administer, maintain and ultimately recover from if you ever get locked out. You can just use secpol.msc to open up the local security policy on the machine and configure it. If you want to maintain this across the board, set the options as part of the image for the PC then sysprep it before deployment (if you use automated builds). Otherwise there might be some sort of batch you can run with admin credentials to manipulate the registry and set this manually, I'm not overly sure.

Paul

Edited by D1m3b4g
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • That is a great option for compatibility, but in my opinion, that isn't the future. Xorg/Xserver is outdated with massive security holes built into the core design and cannot be easily fixed. The reason Wayland exists is because it was apparent that no one had the resources/will to revamp Xorg, so it was basically put into a support only mode until it was eventually abandoned. Yes, X11Libre has taken up the mantal, but I don't expect to see anything from them other than basic support.
    • I agree with your frustrations, but after nearly a decade of Wayland ideologs debating how software they don't write should work...its time to rip the band aid of X11 off and let Wayland sink or swim on its own. Its not like Linux can just fail at this point, so devs will flock together to find solutions. It is my opinion that a lot of these silly debates about things like window decorations take place because they can. People feel like they have time to have these academic conversations to "get it right." However, the conversation will change very quickly when the issue is "###### don't work." People will quickly find fixes once we are forced into that mode. I draw a parallel to the infancy of the internet going public in the late 1980s. It became quickly apparent that IPv4 really wasn't up to the task. The ivory tower response to the issues was basically "your doing it wrong, you shouldn't want that" while debating long-off solutions like IPv6. Then some rando cames along and invited NAT, the standards people saw it as an abomination and absolutely refused to include it. He didn't care, sold the product anyway under the name PIX, which he later sold to Cisco. It was not only a massive success, but it changed the entire concept of the internet, basically inventing the idea of public and privet addresses, which totally reformed the way the internet works. The standards guys were forced to adopt it once they realized it was impossible to put the cat back in the bag.
    • Download How to Engage Buyers and Drive Growth in the Age of AI (worth $22.95) for free by Steven Parker Claim your complimentary eBook worth $22.95 for free, before the offer ends on July 1. Develop stronger, more profitable relationships with your buyers in the digital era. Right now, how we buy and sell is evolving dramatically. People have fundamentally changed the way they do business. To put it simply: buyers no longer interact with sellers in the same way. To ensure a profitable future, sales leaders and teams need to embrace this transformation. In the face of globalisation, ecommerce, subscription services, and new digital tools for buyers and sellers alike, you need new strategies to generate successful sales and better bottom lines. Deep Selling shares the cutting-edge sales model you need to create a buyer-obsessed, high-performance culture. Your team urgently needs to embrace the growing suite of digital and AI technologies. But new technologies alone won’t solve all your selling problems. To really maximise your success, you need to evolve your selling frameworks and behaviours. You need to use these new tools in smart ways, embedding them into your sales execution models. In this book, you’ll discover how to: Audit the current sales techniques and cycles in your organisation Transform your sales execution models Achieve organisational buy-in through new performance measures and shared goals for success Use data to drive strategy, and revolutionise your selling with the latest digital and AI tools Build deeper buyer relationships that create more value and improve buyer outcomes With Deep Selling, you and your team will learn how to meet buyers on today’s real-world terms — and engage them more fully and successfully than ever before. This free to download offer expires July 1. How to get it Please ensure you read the terms and conditions to claim this offer. Complete and verifiable information is required in order to receive this free offer. If you have previously made use of these free offers, you will not need to re-register. While supplies last! Download How to Engage Buyers and Drive Growth in the Age of AI (worth $22.95) for free Offered by Wiley, view other free resources The below offers are also available for free in exchange for your (work) email: Excel Quick and Easy ($12 Value) FREE – Expires 6/24 The Inclusion Equation: Leveraging Data & AI ($21 Value) FREE – Expires 6/24 Microsoft 365 Copilot At Work ($60 Value) FREE – Expires 6/25 Natural Language Processing with Python ($39.99 Value) FREE – Expires 6/25 How to Engage Buyers and Drive Growth in the Age of AI ($22.95 Value) FREE – Expires 7/1 Using Artificial Intelligence to Save the World ($30.00 Value) FREE – Expires 7/1 Essential: How Distributed Teams, Generative AI, [...] ($18.00 Value) FREE – Expires 7/2 The Chief AI Officer's Handbook: Master AI leadership with strategies to innovate, overcome challenges, and drive business growth ($9.99 Value) FREE for a Limited Time – Expires 7/2 The Ultimate Linux Newbie Guide – Featured Free content Python Notes for Professionals – Featured Free content Learn Linux in 5 Days – Featured Free content Quick Reference Guide for Cybersecurity – Featured Free content We post these because we earn commission on each lead so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. Other ways to support Neowin The above deal not doing it for you, but still want to help? Check out the links below. Check out our partner software in the Neowin Store Buy a T-shirt at Neowin's Threadsquad Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: An account at Neowin Deals is required to participate in any deals powered by our affiliate, StackCommerce. For a full description of StackCommerce's privacy guidelines, go here. Neowin benefits from shared revenue of each sale made through the branded deals site.
    • Totally off topic, but... I have poked around with Ubuntu a few times, it works as expected, but I never was really into the ultra-minimalist UI. I much prefer Kubuntu! KDE feels far more at home to me than Gnome. Not just because it is more Windows-like, but because its approach of putting things on the screen to see, instead of hiding them and making you search feels so much more approachable.
    • Just tested: Disabled all the options in Advanced System Settings, except "smooth screen fonts", and the performance difference on my Ryzen 7 with 64gb memory is 100% noticeable.
  • Recent Achievements

    • Week One Done
      fredss earned a badge
      Week One Done
    • Dedicated
      fabioc earned a badge
      Dedicated
    • One Month Later
      GoForma earned a badge
      One Month Later
    • Week One Done
      GoForma earned a badge
      Week One Done
    • Week One Done
      ravenmanNE earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      656
    2. 2
      Michael Scrip
      226
    3. 3
      ATLien_0
      219
    4. 4
      +FloatingFatMan
      146
    5. 5
      Xenon
      137
  • Tell a friend

    Love Neowin? Tell a friend!