prevent new user creation?



I've wondered about this for a long time.

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

How can one prevent this??

I think the same would happen on a standalone box, too.

What I would like is a way such that no new users can be added to any XP box in any way except when explicitly created by an administrator on that local box (this would be after setup, when the requisite administrator and additional user are created for using the box).

Thank you, Tom


I'm not sure I fully understand your question but I will have a go...

Firstly, if you make all other user account types on the PC "Limited Account", I don't think they can create new users.

Secondly have a look at your Group Policy Editor (Start, Run, "gpedit.msc"). It is a powerful tool to control such things. There is in fact a whole section called "User Rights Assignment" so I would have a look in there.

Hope that helps?

Jonny

PS I had a quick look in there and couldn't see exactly what you were after but I am sure I have seen it in there before, just a case of finding it...good luck!


Hi Jonny,

I'm aware of group policy, but I also don't know what policy settings would be involved, but User Rights Management might be where I could start...at least in the local group policy etc.

As to limited users vs. admins, I'm completely aware of this, but that's not what I am talking about.

I'll try one more time to explain the scenario I want to avoid.

You have an XP box in a domain which requires Ctrl-Alt-Del to log in.

Person, anyone, walks up to XP box, hits C-A-D, types in legit domain ID/password, boom!!

New user profile on the box, new desktop, person can proceed to do work, mess with files, etc.

Has nothing to do with the type of user, has everything to do with XP allowing a domain logon of an ID/pass that should not be logging in locally to that XP box.

Same would happen if you logged in to the XP box as a domain admin.

What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass.

Clearer now??

Thanks, Tom

  tom12010 said:
In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to log on to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... Use that to define which PCs the users can use.

  Joel said:
In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to log on to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... Use that to define which PCs the users can use.

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

  tom12010 said:
I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machines that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't log on to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

  Joel said:
Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machines that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't log on to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

Security mainly. I understand that you're talking about the machine's properties in ADUC within the domain. However, I would like to have this work regardless of whether the XP box is in a domain or not, so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

However, I will try this in ADUC and see what happens.

Thank you, Tom

  tom12010 said:
so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

Don't make anyone an admin, then they can't create accounts. Simple.

  tom12010 said:
Security mainly.

In a domain, what part of what you want to do makes the computer more secure?

1 year later...

Easy...

Create a group policy object, scope it down to an active directory group, fill up the group with machine accounts that you want to aim the policy at.

Remove authenticated users from the scope, purely put the AD group into the scope.

Attach group policy object to the OU the machines sit in, if you need to create a new sub OU and group the machines, do so.

(You might not need to remove authenticated users from the scope if you create an entirely new OU, just be careful what gets dropped into that OU)

In the policy, edit the computer settings and find:

Computer Configuration > (2008 only) Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally

Enter the groups / accounts within that element to stop a user with a domain account walking up to the box and being able to log in locally.

Remember if you add "Domain users" it will affect anyone part of the domain users group, including administrators.

Be careful what you put in this element...

Wait for or force replication, update the policy on the client, result.

What you cannot do is set an option that will only allow login on detection of a local profile already existing.

I'd say this was more down to your delegation model as to whom can logon to the box locally and who can't.

Sort that out and you won't need to worry about whether a profile already exists.

If you want to do this on boxes that are not on a domain it's certainly do-able but far harder to administer, maintain and ultimately recover from if you ever get locked out. You can just use secpol.msc to open up the local security policy on the machine and configure it. If you want to maintain this across the board, set the options as part of the image for the PC then sysprep it before deployment (if you use automated builds). Otherwise there might be some sort of batch you can run with admin credentials to manipulate the registry and set this manually, I'm not overly sure.

Paul
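A way to audit, and prepare a change to, the "Deny log on locally" right Paul describes on a single box, as an added PowerShell example that is not from the thread; it relies on the built-in secedit tool, assumes an elevated prompt, and the function names are my own.

```powershell
# Added example, not from the thread: audit (and prepare a change to) the local
# "Deny log on locally" user right with secedit, which ships with XP and later.
# Run from an elevated prompt. Function names and sample principals are illustrative.

function Get-DenyLocalLogon {
    # Export only the user-rights area of the effective local security policy.
    $inf = Join-Path $env:TEMP 'ur_export.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    # SeDenyInteractiveLogonRight is the constant behind "Deny log on locally".
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # right is empty: nobody is denied
    # secedit writes SIDs prefixed with '*' and may write plain names for some entries.
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $raw = $_.Trim()
        if ($raw.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($raw.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $raw }               # orphaned SID (deleted account): keep it raw
        } else { $raw }
    }
}

function New-DenyLocalLogonInf {
    # Build a secedit template that sets the right to exactly the given principals.
    # Apply it with: secedit /configure /db deny.sdb /cfg deny.inf /areas USER_RIGHTS
    param([string[]]$Principals, [string]$Path)
    $value = ($Principals | ForEach-Object {
        # Accept either a SID or an account name; names are resolved to SIDs here.
        if ($_ -match '^S-1-') { "*$_" }
        else { '*' + (New-Object System.Security.Principal.NTAccount($_)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    }) -join ','
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $value
"@ | Set-Content -Path $Path -Encoding Unicode
}

$denied = Get-DenyLocalLogon
"Currently denied local logon: " + $(if ($denied) { $denied -join ', ' } else { '<nobody>' })
# Paul's caveat from the thread: a broad group here also locks out its own admins.
if ($denied -match 'Domain Users|Administrators') { Write-Warning 'Deny list contains a broad group; confirm admins can still log on.' }
```

Deny rights take precedence over allow rights, so keep at least one local administrator account outside whatever you put in the template before applying it.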
