prevent new user creation?

I've wondered about this for a long time.

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

How can one prevent this??

I think the same would happen on a standalone box, too.

What I would like is a way such that no new users can be added to any XP box in any way except when explicitly created by an administrator on that local box (this would be after setup, when the requisite administrator and additional user are created for using the box).

Thank you, Tom


I'm not sure I fully understand your question, but I will have a go...

Firstly, if you make all other user account types on the PC "Limited Account", I don't think they can create new users.

Secondly have a look at your Group Policy Editor (Start, Run, "gpedit.msc"). It is a powerful tool to control such things. There is in fact a whole section called "User Rights Assignment" so I would have a look in there.

Hope that helps?

Jonny

PS I had a quick look in there and couldn't see exactly what you were after but I am sure I have seen it in there before, just a case of finding it...good luck!


Hi Jonny,

I'm aware of group policy, but I don't know what policy settings would be involved; User Rights Management might be where I could start...at least in the local group policy etc.

As to limited users vs. admins, I'm completely aware of this, but that's not what I am talking about.

I'll try one more time to explain the scenario I want to avoid.

You have an XP box in a domain which requires Ctrl-Alt-Del to log in.

Person, anyone, walks up to XP box, hits C-A-D, types in legit domain ID/password, boom!!

New user profile on the box, new desktop, person can proceed to do work, mess with files, etc.

Has nothing to do with the type of user, has everything to do with XP allowing a domain logon of an ID/pass that should not be logging in locally to that XP box.

Same would happen if you logged in to the XP box as a domain admin.

What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass.

Clearer now??

Thanks, Tom

  tom12010 said:
In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to log on to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... Use that to define which PCs the users can use.
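The "Log On To..." button Joel describes edits the user object's userWorkstations attribute. As an added example (not code from the thread), here is how to audit which users have no such restriction and how to set the list for one user with the ActiveDirectory PowerShell module; the OU path, account and computer names used in the usage lines are placeholders:

```powershell
# Added example, not from the forum thread. Requires the ActiveDirectory
# module (RSAT) and write rights on the user objects. All names below are
# placeholders for your own environment.
Import-Module ActiveDirectory

function Get-UnrestrictedLogonUsers([string]$SearchBase) {
    # An empty LogonWorkstations value means the user may log on to any
    # domain-joined computer; these are the accounts worth reviewing.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        Select-Object SamAccountName, DistinguishedName
}

function Set-AllowedWorkstations([string]$SamAccountName, [string[]]$Computers) {
    # LogonWorkstations is a comma-separated list of NetBIOS computer names.
    # Setting it replaces the existing list, so pass every allowed machine.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($Computers -join ',')
    # Read the attribute back so the caller can confirm what was written.
    (Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations).LogonWorkstations
}

# Usage (placeholder values):
#   Get-UnrestrictedLogonUsers -SearchBase 'OU=Staff,DC=example,DC=local'
#   Set-AllowedWorkstations -SamAccountName 'jdoe' -Computers 'WS-FINANCE-01','WS-FINANCE-02'
```

Because the restriction lives on the user rather than the computer, this is the domain-wide, per-user control; the per-machine control Tom is after is the "Deny log on locally" user right discussed later in the thread.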

  Joel said:
In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to log on to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... Use that to define which PCs the users can use.

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

  tom12010 said:
I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

Yes, if you follow what I said, you can achieve this on a per-machine basis. You deny users in your domain logon rights to machines that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't log on to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

  Joel said:
Yes, if you follow what I said, you can achieve this on a per-machine basis. You deny users in your domain logon rights to machines that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't log on to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

Security mainly. I understand that you're talking about the machine's properties in ADUC within the domain. However, I would like to have this work regardless of whether the XP box is in a domain or not, so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

However, I will try this in ADUC and see what happens.

Thank you, Tom

  tom12010 said:
so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

Don't make anyone an admin, then they can't create accounts. Simple.

  tom12010 said:
Security mainly.

In a domain, what part of what you want to do makes the computer more secure?

  • 1 year later...

Easy...

Create a group policy object, scope it down to an active directory group, fill up the group with machine accounts that you want to aim the policy at.

Remove Authenticated Users from the scope and put only the AD group in the scope.

Attach group policy object to the OU the machines sit in, if you need to create a new sub OU and group the machines, do so.

(You might not need to remove authenticated users from the scope if you create an entirely new OU, just be careful what gets dropped into that OU)

In the policy, edit the computer settings and find:

Computer Configuration > (2008 only) Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally

Enter the groups / accounts within that element to stop a user with a domain account walking up to the box and being able to log in locally.

Remember, if you add "Domain Users" it will affect anyone who is part of the Domain Users group, including administrators.

Be careful what you put in this element...

Wait for or force replication, update the policy on the client, result.

What you cannot do is set an option that will only allow login on detection of a local profile already existing.

I'd say this was more down to your delegation model as to who can log on to the box locally and who can't.

Sort that out and you won't need to worry about whether a profile already exists.

If you want to do this on boxes that are not on a domain it's certainly do-able but far harder to administer, maintain and ultimately recover from if you ever get locked out. You can just use secpol.msc to open up the local security policy on the machine and configure it. If you want to maintain this across the board, set the options as part of the image for the PC then sysprep it before deployment (if you use automated builds). Otherwise there might be some sort of batch you can run with admin credentials to manipulate the registry and set this manually, I'm not overly sure.

Paul

Edited by D1m3b4g
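For the non-domain case Paul mentions, the setting behind secpol.msc can be scripted with secedit, which is what the following added example does (this is not code from the thread or from any Microsoft tool; the group name in the usage line is a placeholder). It exports the current "Deny log on locally" right (SeDenyInteractiveLogonRight), appends the requested principals, and, because of the lockout warning in the post above, refuses to apply the change if the account running the script would itself end up on the deny list:

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell
# prompt on a standalone machine. Uses secedit, the command-line counterpart of
# secpol.msc. Account/group names passed in are placeholders for your own.
$ErrorActionPreference = 'Stop'
$Right   = 'SeDenyInteractiveLogonRight'          # "Deny log on locally"
$WorkDir = Join-Path $env:TEMP 'deny-logon-example'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Get-DenyLocalLogon {
    # Export only the User Rights area and return the principals currently
    # assigned to $Right. secedit writes SIDs with a leading '*'.
    $inf = Join-Path $WorkDir 'current.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    @((($line -split '=', 2)[1]) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function ConvertTo-SidString([string]$Account) {
    # Accepts 'DOMAIN\Group', 'BUILTIN\Guests' or an S-1-... string and
    # returns the '*S-1-...' form that the INF template expects.
    if ($Account -match '^\*?S-1-') { return '*' + $Account.TrimStart('*') }
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    return '*' + $sid.Value
}

function Add-DenyLocalLogon([string[]]$Accounts) {
    $current = Get-DenyLocalLogon
    $wanted  = @(@($current) + @($Accounts | ForEach-Object { ConvertTo-SidString $_ }) |
                 Select-Object -Unique)

    # Lockout guard: the thread notes that denying "Domain Users" also denies
    # administrators. Abort if the caller's own user or group SIDs are in the list.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $clash  = $wanted | Where-Object { $mySids -contains $_.TrimStart('*') }
    if ($clash) {
        throw "Refusing: the current account would be denied local logon via $($clash -join ', ')"
    }

    # Build a minimal security template containing only this right and apply it.
    $inf = Join-Path $WorkDir 'apply.inf'
    @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
        "$Right = $($wanted -join ',')"
    ) | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $WorkDir 'apply.sdb') /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

    # Return the effective list so the change can be verified.
    Get-DenyLocalLogon
}

# Usage (placeholder group name):
#   Get-DenyLocalLogon
#   Add-DenyLocalLogon -Accounts 'EXAMPLE\Walk-Up Users'
```

The template only touches the USER_RIGHTS area, so other local policy settings are left alone. The same INF, minus the guard, is what you would bake into an image before sysprep to apply the setting across many standalone machines.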