Compatible Support Forums: Denying Win 2003 Active Directory Users Local Logon


Denying Win 2003 Active Directory Users Local Logon

#1 GTwannabe

  • member
  • Group: Members
  • Posts: 198
  • Joined: 03-June 01

Posted 22 September 2004 - 06:05 PM

I wrote a script to automatically install network printers on client machines. The intended clients will not be logging into the domain, so I need to specify a domain account and password to allow them to map to the printer share. I created a user "printonly", which I only need to authenticate users so they can reach the share.

However, I do not want the "printonly" account to be able to interactively logon to desktops (effectively bypassing security if someone digs the username/pwd out of the install .EXE). There doesn't seem to be a simple way to do this in Windows Server 2003.

2000 had an option called "deny local logon"; this is what I want to accomplish. However, all the options I tried to restrict printonly's local logon ability have also affected its ability to access the printer share.

How do I disable this account's ability to logon locally without also knocking out the printer share login?
0

#2 GTwannabe

  • member
  • Group: Members
  • Posts: 198
  • Joined: 03-June 01

Posted 22 September 2004 - 06:39 PM

I tried to deny all the logons except Batch for printonly, but it seems to make no difference. Sometimes Active Directory is sluggish about making those account updates, so I'll leave the changes and see if it kicks in later.
0

#3 zen69x

  • member
  • Group: Members
  • Posts: 125
  • Joined: 26-March 02

Posted 22 September 2004 - 07:31 PM

I just checked a 2k3 DC and Deny logon locally is still an option in group policy.

It's under Computer config -> Windows settings -> Security Settings -> User Rights Assignment.

Also, have you granted the account the Access this computer from the network right?
0

#4 GTwannabe

  • member
  • Group: Members
  • Posts: 198
  • Joined: 03-June 01

Posted 22 September 2004 - 10:00 PM

Where is "Computer Config"? I'm not seeing it.

I have tried setting permissions in both "Domain Controller Security Policy" and "Domain Security Policy"; neither has any effect on printonly's ability to interactively login at a desktop machine.

This one's got me puzzled...
0

#5 zen69x

  • member
  • Group: Members
  • Posts: 125
  • Joined: 26-March 02

Posted 22 September 2004 - 11:37 PM

Open Active Directory Users and Computers. Right-click on your domain and choose Properties. Choose group edit tab and edit properties on your default domain policy. You will see Computer Configuration. This is what I was talking about earlier.
0

#6 GTwannabe

  • member
  • Group: Members
  • Posts: 198
  • Joined: 03-June 01

Posted 24 September 2004 - 05:46 PM

I've set "Deny Logon Locally" in the Group Policy Object Editor. Didn't make any difference; the printonly account was still able to interactively login at a desktop.

I also created an OU called "Restricted Users" and put the printonly account in there. I edited the policy for the new OU as well, but it's still not preventing printonly from logging onto desktops.
0

#7 zen69x

  • member
  • Group: Members
  • Posts: 125
  • Joined: 26-March 02

Posted 24 September 2004 - 07:06 PM

Try moving a computer account into your Restricted users group and reboot it.

This policy has to be applied to a computer for it to have effect.
0
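Added example, not part of any post in this thread: one way to confirm on a desktop that the user rights discussed above ("Deny log on locally" and "Access this computer from the network") actually reached that computer, by parsing the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file. The domain name `EXAMPLE`, the sample export and the function names are assumptions made for illustration.

```python
# Constructed sample of a secedit user-rights export taken on a workstation.
# A real export file is UTF-16: read it with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,EXAMPLE\\printonly
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: set of lower-cased principals} from a secedit export."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, members = line.partition("=")
            # SIDs are written with a leading '*'; names are written bare.
            rights[name.strip()] = {
                m.strip().lstrip("*").lower() for m in members.split(",") if m.strip()
            }
    return rights

def check_account(text, identities):
    """identities: every name/SID the account can match (itself plus its groups).
    Group membership is not resolved here; the caller supplies it."""
    ids = {i.lstrip("*").lower() for i in identities}
    rights = parse_privilege_rights(text)
    held = lambda right: bool(ids & rights.get(right, set()))
    return {
        # True only if the deny right is present in this computer's policy.
        "interactive_denied": held("SeDenyInteractiveLogonRight"),
        # Needs the allow right and must not be overridden by the deny right.
        "network_allowed": held("SeNetworkLogonRight")
        and not held("SeDenyNetworkLogonRight"),
    }

if __name__ == "__main__":
    print(check_account(SAMPLE_EXPORT, ["EXAMPLE\\printonly"]))
```

An `interactive_denied` value of `False` on the desktop means the deny setting has not been applied to that computer, whatever the policy editor shows.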

#8 GTwannabe

  • member
  • Group: Members
  • Posts: 198
  • Joined: 03-June 01

Posted 24 September 2004 - 08:09 PM

*Duplicate Post*

Ok, I'll try that.
0
