prevent new user creation?



I've wondered about this for a long time.

In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

How can one prevent this??

I think the same would happen on a standalone box, too.

What I would like is a way such that no new users can be added to any XP box in any way except when explicitly created by an administrator on that local box (this would be after setup, when the requisite administrator and additional user are created for using the box).

Thank you, Tom

Source: https://www.neowin.net/forum/topic/605812-prevent-new-user-creation/

I'm not sure I fully understand your question, but I will have a go...

Firstly, if you make all other user account types on the PC "Limited Account", I don't think they can create new users.

Secondly have a look at your Group Policy Editor (Start, Run, "gpedit.msc"). It is a powerful tool to control such things. There is in fact a whole section called "User Rights Assignment" so I would have a look in there.

Hope that helps?

Jonny

PS I had a quick look in there and couldn't see exactly what you were after but I am sure I have seen it in there before, just a case of finding it...good luck!


Hi Jonny,

I'm aware of Group Policy, but I don't know what policy settings would be involved; User Rights Management might be where I could start, at least in the local group policy.

As to limited users vs. admins, I'm completely aware of this, but that's not what I am talking about.

I'll try one more time to explain the scenario I want to avoid.

You have an XP box in a domain which requires Ctrl-Alt-Del to log in.

Person, anyone, walks up to XP box, hits C-A-D, types in legit domain ID/password, boom!!

New user profile on the box, new desktop, person can proceed to do work, mess with files, etc.

It has nothing to do with the type of user; it has everything to do with XP allowing a domain logon of an ID/pass that should not be logging in locally to that XP box.

Same would happen if you logged in to the XP box as a domain admin.

What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass.

Clearer now??

Thanks, Tom

  tom12010 said:
In either a domain or standalone XP box, especially in a domain, anyone who can type Ctrl-Alt-Del can get to a login prompt and enter a valid user ID and password and get logged in at that XP box (with a new desktop, profile, etc.) and therefore be a user and probably an administrator of that box.

In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to log on to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... Use that to define which PCs the users can use.
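The "Log On To..." button Joel describes writes the user's userWorkstations attribute, an allow-list of NetBIOS computer names that the domain controller checks at interactive logon. The following is an added example written for this edit, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT, which post-dates the XP era) and a hypothetical user `tsmith` and hosts `WS-TOM01` / `WS-TOM02`:

```powershell
# Added example: restrict one domain user to a fixed set of workstations.
# This is what the ADUC "Log On To..." dialog does; the attribute behind it
# is userWorkstations, exposed by Set-ADUser as -LogonWorkstations.
# Assumptions: RSAT ActiveDirectory module, rights to modify the user,
# and made-up names for the user and hosts.
Import-Module ActiveDirectory

$user    = 'tsmith'                 # hypothetical sAMAccountName
$allowed = 'WS-TOM01', 'WS-TOM02'   # NetBIOS names only, no DNS suffix

# The attribute is one comma-separated string, not a multi-valued attribute,
# so always write the complete list (this call replaces, not appends).
Set-ADUser -Identity $user -LogonWorkstations ($allowed -join ',')

# Check what was written; an empty value means "all workstations".
$current = (Get-ADUser -Identity $user -Properties LogonWorkstations).LogonWorkstations
Write-Host "$user may log on at: $current"

# Undo (allow all workstations again):
#   Set-ADUser -Identity $user -Clear userWorkstations
```

This is a per-user allow-list, so it answers "which PCs may this person use" rather than "who may use this PC"; the deny-logon-locally right applied per machine (discussed later in the thread) is the per-machine view of the same control. Both only govern interactive logon; network access to the machine's shares is a separate right.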

  Joel said:
In a domain, any user can log onto any machine, unless explicitly denied in their profile, but they will not be administrators unless you've added the Domain Users group to the local Administrators group. If you want to deny users the rights to log on to all PCs in a domain, open the user profile in Active Directory Users and Computers and go to the Account tab. You have a button there marked Log On To... Use that to define which PCs the users can use.

I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

  tom12010 said:
I don't want to deny all users the right to logon to all PCs in a domain...just deny new user logons on any one PC.

But I will see if I can find that item in the LOCAL user group policy.

I want to do what I'm talking about on a PER-MACHINE basis, not domain-wide (aka all PCs or all users in the domain).

Thanks, tom

Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machines that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't log on to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

  Joel said:
Yes, if you follow what I said you can achieve this on a per-machine basis. You deny users in your domain logon rights to machines that are not approved in their profiles. You said, "What I want is absolutely no logins allowed to the local XP box unless the account already exists locally on the box, even if the person has used a valid domain login ID/pass." If they can't log on to a machine unless said machine is in their profile, that meets your requirements.

Why do you want to do this exactly?

Security mainly. I understand that you're talking about the machine's properties in ADUC within the domain. However, I would like to have this work regardless of whether the XP box is in a domain or not, so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

However, I will try this in ADUC and see what happens.

Thank you, Tom

  tom12010 said:
so I'd like to also find a way to do this in the local XP box's Local User Rights Assignment or Local Security Policy...

Don't make anyone an admin, then they can't create accounts. Simple.

  tom12010 said:
Security mainly.

In a domain, what part of what you want to do makes the computer more secure?

(1 year later...)

Easy...

Create a group policy object, scope it down to an active directory group, fill up the group with machine accounts that you want to aim the policy at.

Remove authenticated users from the scope, purely put the AD group into the scope.

Attach group policy object to the OU the machines sit in, if you need to create a new sub OU and group the machines, do so.

(You might not need to remove authenticated users from the scope if you create an entirely new OU, just be careful what gets dropped into that OU)

In the policy, edit the computer settings and find:

    Computer Configuration > (2008 only) Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
Enter the groups / accounts within that element to stop a user with a domain account walking up to the box and being able to login locally.

Remember if you add "Domain users" it will affect anyone part of the domain users group, including administrators.

Be careful what you put in this element...

Wait for or force replication, update the policy on the client, result.

What you cannot do is set an option that will only allow login on detection of a local profile already existing.

I'd say this was more down to your delegation model as to whom can logon to the box locally and who can't.

Sort that out and you won't need to worry about whether a profile already exists.

If you want to do this on boxes that are not on a domain it's certainly doable, but far harder to administer, maintain and ultimately recover from if you ever get locked out. You can just use secpol.msc to open up the local security policy on the machine and configure it. If you want to maintain this across the board, set the options as part of the image for the PC, then sysprep it before deployment (if you use automated builds). Otherwise there might be some sort of batch you can run with admin credentials to manipulate the registry and set this manually; I'm not overly sure.

Paul

Edited by D1m3b4g
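The "batch you can run with admin credentials" that Paul guesses at exists: secedit.exe, which reads and writes the same local security database that secpol.msc edits, and the right behind "Deny log on locally" is SeDenyInteractiveLogonRight. The script below is an added example written for this edit, not code from the thread. It assumes an elevated PowerShell on a current Windows with the LocalAccounts cmdlets (secedit itself is available back to XP, the Get-/New-LocalGroup cmdlets are not), and the group name `DenyLocalLogon` is hypothetical:

```powershell
# Added example: put a local group into "Deny log on locally" on one machine
# without a domain, using secedit (the store behind secpol.msc).
# Assumptions: run elevated; 'DenyLocalLogon' is a made-up group name.
$ErrorActionPreference = 'Stop'
$GroupName = 'DenyLocalLogon'
$Right     = 'SeDenyInteractiveLogonRight'   # the "Deny log on locally" right

# Deny a group, not individual accounts: the policy is then set once and
# "who is blocked" is just group membership. Never deny Administrators.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Denied interactive logon on this box' | Out-Null
}
$sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# 1. Export the current user-rights policy. secedit /configure REPLACES the
#    whole list for a right, so existing entries must be merged back in.
$export = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$line    = Get-Content $export | Where-Object { $_ -match "^$Right\s*=" }
$current = @()
if ($line) {
    # Format is: SeDenyInteractiveLogonRight = *S-1-5-...,*S-1-5-...
    $current = @((($line -split '=', 2)[1].Trim() -split ',') |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

if ($current -contains "*$sid") {
    Write-Host "$GroupName is already listed in $Right"
} else {
    $merged = ($current + "*$sid") -join ','

    # 2. Minimal template holding only this right. Rights absent from a
    #    template are left untouched, so nothing else in the policy changes.
    $template = Join-Path $env:TEMP 'deny-local-logon.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $merged
"@ | Set-Content -Path $template -Encoding Unicode   # secedit wants UTF-16

    $db = Join-Path $env:TEMP 'deny-local-logon.sdb'
    & secedit.exe /configure /db $db /cfg $template /areas USER_RIGHTS | Out-Null

    # 3. Verify by re-exporting: deny rights do not appear in 'whoami /priv'.
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    Get-Content $export | Where-Object { $_ -match "^$Right\s*=" }
}

# Block a domain account on this box only (membership, not policy):
#   Add-LocalGroupMember -Group $GroupName -Member 'CORP\someuser'
# Recover from a lockout, from another admin's session or the same script
# with the group removed from $merged:
#   Remove-LocalGroupMember -Group $GroupName -Member 'CORP\someuser'
```

Two caveats a practitioner will want. First, this right covers console (interactive) logon only: Remote Desktop is governed by SeDenyRemoteInteractiveLogonRight and access to the box's shares by SeDenyNetworkLogonRight, so set those as well if "cannot use this PC" is the real requirement. Second, on a domain-joined machine a GPO that defines the same right will overwrite the local value at the next policy refresh, which is why Paul's GPO route is the one to use inside a domain and this script is for standalone boxes or a sysprep image.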