Prohibit Logon to Workstation

TheMSsForum.com: The Microsoft Software Forum

Hi,

I would like to know if it is possible to prohibit specific users
within a Win2k domain from logging into the domain on a Win2k or Xp
workstation using vbscript.

Any web or print resouces that you could recommend would be
appreciated.

Many thanks,

-shrader
Top

Re: Prohibit Logon to Workstation by JHP

JHP
Thu Sep 15 09:02:53 CDT 2005

Two separate methods...

The first one to set the Logon Hours and the second to disable the account.
My preferred method is to create a GPO and set the Logon Hours manually.

http://support.microsoft.com/default.aspx?scid=kb;en-us;816666

http://www.rallenhome.com/books/adcookbook/src/06.12-enable_disable_user.vbs.txt

HTH

"shrader" <shrader@hotmail.com> wrote in message
news:td7hi15gtav0bjne9g3lsh9fc2kr9elopc@4ax.com...
> Hi,
>
> I would like to know if it is possible to prohibit specific users
> within a Win2k domain from logging into the domain on a Win2k or Xp
> workstation using vbscript.
>
> Any web or print resouces that you could recommend would be
> appreciated.
>
> Many thanks,
>
> -shrader
>
>
>


Top

Re: Prohibit Logon to Workstation by shrader

shrader
Fri Sep 16 05:30:42 CDT 2005

Would this work for one or two specific users? I would be unable to
disable the account because it is needed elsewhere. Likewise, GPO
would not be possible for me. I only want to prohibit the account from
being used on specific workstations.

Is there a way to script an automatic logoff based on a specific user
name or if a user resides in a specific domain security group?

-shrader


On Thu, 15 Sep 2005 10:02:53 -0400, "JHP" <goawayspam@GFY.com> wrote:

>Two separate methods...
>
>The first one to set the Logon Hours and the second to disable the account.
>My preferred method is to create a GPO and set the Logon Hours manually.
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;816666
>
>http://www.rallenhome.com/books/adcookbook/src/06.12-enable_disable_user.vbs.txt
>
>HTH
>
>"shrader" <shrader@hotmail.com> wrote in message
>news:td7hi15gtav0bjne9g3lsh9fc2kr9elopc@4ax.com...
>> Hi,
>>
>> I would like to know if it is possible to prohibit specific users
>> within a Win2k domain from logging into the domain on a Win2k or Xp
>> workstation using vbscript.
>>
>> Any web or print resouces that you could recommend would be
>> appreciated.
>>
>> Many thanks,
>>
>> -shrader
>>
>>
>>
>

Top

Re: Prohibit Logon to Workstation by nospam

nospam
Fri Sep 16 14:28:38 CDT 2005

You could have the script run when the pc logs in by defining it in the
machines GPO.
Here is a script that will check the users group:

' ---------------------------------------------------------------
' From the book "Active Directory Cookbook" by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---------------------------------------------------------------

' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
Wscript.Echo "Group membership for " & objUser.Get("cn") & ":"
strSpaces = ""
set dicSeenGroup = CreateObject("Scripting.Dictionary")
DisplayGroups "LDAP://" & strUserDN, strSpaces, dicSeenGroup

Function DisplayGroups ( strObjectADsPath, strSpaces, dicSeenGroup)

set objObject = GetObject(strObjectADsPath)
WScript.Echo strSpaces & objObject.Name
on error resume next ' Doing this to avoid an error when memberOf is
empty
if IsArray( objObject.Get("memberOf") ) then
colGroups = objObject.Get("memberOf")
else
colGroups = Array( objObject.Get("memberOf") )
end if

for each strGroupDN In colGroups
if Not dicSeenGroup.Exists(strGroupDN) then
dicSeenGroup.Add strGroupDN, 1
DisplayGroups "LDAP://" & strGroupDN, strSpaces & " ",
dicSeenGroup
end if
next

End Function

Otherwise, you can check the environment variable on login for the
username. Then just force a logoff.

Top

Re: Prohibit Logon to Workstation by Rafael

Rafael
Sat Sep 17 22:12:54 CDT 2005

Shrader,

Instead of doing this on a script, why not changing the login permissions on
the specific workstations for specific users.

Use the security MMC and add the names into the "deny logon locally"
permission.

It might be easier this way.
Rafael

"shrader" <shrader@hotmail.com> wrote in message
news:re7li194m6opjhd8n01cvpgk6u955uubqq@4ax.com...
> Would this work for one or two specific users? I would be unable to
> disable the account because it is needed elsewhere. Likewise, GPO
> would not be possible for me. I only want to prohibit the account from
> being used on specific workstations.
>
> Is there a way to script an automatic logoff based on a specific user
> name or if a user resides in a specific domain security group?
>
> -shrader
>
>
> On Thu, 15 Sep 2005 10:02:53 -0400, "JHP" <goawayspam@GFY.com> wrote:
>
>>Two separate methods...
>>
>>The first one to set the Logon Hours and the second to disable the
>>account.
>>My preferred method is to create a GPO and set the Logon Hours manually.
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;816666
>>
>>http://www.rallenhome.com/books/adcookbook/src/06.12-enable_disable_user.vbs.txt
>>
>>HTH
>>
>>"shrader" <shrader@hotmail.com> wrote in message
>>news:td7hi15gtav0bjne9g3lsh9fc2kr9elopc@4ax.com...
>>> Hi,
>>>
>>> I would like to know if it is possible to prohibit specific users
>>> within a Win2k domain from logging into the domain on a Win2k or Xp
>>> workstation using vbscript.
>>>
>>> Any web or print resouces that you could recommend would be
>>> appreciated.
>>>
>>> Many thanks,
>>>
>>> -shrader
>>>
>>>
>>>
>>
>


Top