GTwannabe 0 Posted September 22, 2004 I wrote a script to automatically install network printers on client machines. The intended clients will not be logging into the domain, so I need to specify a domain account and password to allow them to map to the printer share. I created a user "printonly", which I only need to authenticate users so they can reach the share. However, I do not want the "printonly" account to be able to interactively logon to desktops (effictively bypassing security if someone digs the username/pwd out of the install .EXE) There doesn't seem to be a simple way to do this in Windows Server 2003. 2000 had an option called "deny local logon"; this is what I want to accomplish. However, all the options I tried to restrict printonly's local logon ability have also affected its ability to access the printer share. How do I disable this account's ability to logon locally without also knocking out the printer share login? Share this post Link to post
GTwannabe 0 Posted September 22, 2004 I tried to deny all the logons except Batch for printonly, but it seems to make no difference. Sometimes active directory is sluggish about making those account updates, so I'll leave the changes and see if it kicks in later. Share this post Link to post
zen69x 0 Posted September 22, 2004 I just checked a 2k3 DC and Deny logon locally is still an option in group policy. It's under Computer config -> Windows settings -> Security Settings -> User Rights Assignment. Also, have you granted the account the Access this computer from the network right? Share this post Link to post
GTwannabe 0 Posted September 22, 2004 Where is "Computer Config"? I'm not seeing it. I have tried setting permissions in both "Domain Controller Security Policy" and "Domain Security Policy"; neither have any effect on printonly's ability to interactively login at a desktop machine. This one's got me puzzled... Share this post Link to post
zen69x 0 Posted September 22, 2004 Open Active Directory Users and computers. Right click on your domain and choose properties. Choose group edit tab and edit properties on your default domain policy. You will see computer configuration. This is what I was talking about earlier. Share this post Link to post
GTwannabe 0 Posted September 24, 2004 I've set "Deny Logon Locally" in the Group Policy Object Editor. Didn't make any difference; the printonly account was still able to interactively login at a desktop. I also created an OU called "Restricted Users" and put the printonly account in there. I edited the policy for the new OU as well, but it's still not preventing printonly from logging onto desktops. Share this post Link to post
zen69x 0 Posted September 24, 2004 Try placing moving a computer account into your Restricted users group and reboot it. This policy has to be applied to a computer for it to have effect. Share this post Link to post
GTwannabe 0 Posted September 24, 2004 *Duplicate Post* Ok, I'll try that. Share this post Link to post
