
How can I stop users from logging in locally and force them to log in to the domain? Some users are still logging in locally, which we used prior to our recent conversion. I need to stop this immediately.

The domain controller is Windows Server 2008 and each workstation (except for one, which is Windows 7 Pro) is running Windows XP SP3.

DevNULL

3 Answers


The best way to handle this is going to be to delete the local user accounts from the affected client computers. If the users know the local "Administrator" password on those machines, change it.

If the users' domain accounts have "Administrator" rights on the client computers, though, they can just create more local user accounts.

You could do this via a startup script if you don't want to perform this work manually. Here's a script to delete local user accounts:

Option Explicit 

Dim dictUsersToIgnore, objNetwork 
Dim colSourceAccounts, objSourceUser

' Debugging 
Const DEBUGGING = True 

' Computer whose local accounts are enumerated ("." = the local machine) 
Const SOURCE_COMPUTER = "." 

' Constants for comparison of accounts to ignore list 
Const MATCH_EXACT = 1 
Const MATCH_LEFT = 2 

' Accounts that must never be deleted (built-in and service accounts) 
Set dictUsersToIgnore = CreateObject("Scripting.Dictionary") 
dictUsersToIgnore.Add "SUPPORT_", MATCH_LEFT 
dictUsersToIgnore.Add "IUSR_", MATCH_LEFT 
dictUsersToIgnore.Add "IWAM_", MATCH_LEFT 
dictUsersToIgnore.Add "Administrator", MATCH_EXACT 
dictUsersToIgnore.Add "Guest", MATCH_EXACT 
dictUsersToIgnore.Add "HelpAssistant", MATCH_EXACT 
dictUsersToIgnore.Add "ASPNET", MATCH_EXACT 

' Should this account be ignored 
Function IgnoreObject(Name, dictNames) 
    Dim strToIgnore 

    IgnoreObject = False 

    For Each strToIgnore in dictNames 

        ' Match Exact 
        If (dictNames.Item(strToIgnore) = MATCH_EXACT) and (UCase(Name) = UCase(strToIgnore)) Then 
                IgnoreObject = True 
                Exit Function 
        End If 

        ' Match left 
        If (dictNames.Item(strToIgnore) = MATCH_LEFT) and (Left(UCase(Name), Len(strToIgnore)) = UCase(strToIgnore)) Then 
                IgnoreObject = True 
                Exit Function 
        End If 

    Next ' strToIgnore 
End Function 

Set objNetwork = CreateObject("Wscript.Network") 

' Get local accounts on the computer and loop through them, deleting any not on the ignore list 
Set colSourceAccounts = GetObject("WinNT://" & SOURCE_COMPUTER) 
colSourceAccounts.Filter = Array("user") 
For Each objSourceUser In colSourceAccounts 

    If IgnoreObject(objSourceUser.Name, dictUsersToIgnore) = False Then 
        If (DEBUGGING) Then WScript.Echo "Deleting account: " & objSourceUser.Name 
        colSourceAccounts.Delete "user", objSourceUser.Name 
    Else 
        If (DEBUGGING) Then WScript.Echo "Ignoring account: " & objSourceUser.Name 
    End If 
Next ' objSourceUser 

Add any usernames that should not be deleted to the dictUsersToIgnore list. MATCH_EXACT means that the username is matched exactly. MATCH_LEFT means that only the leftmost portion of username will be matched (i.e. imagine that the name match has a "*" after it).

This script is suitable for assigning as an AD startup script. Be careful how you scope it; it can really ruin your day if you run it in the wrong place.

Evan Anderson
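Before assigning the deletion script as a startup script, it is worth knowing which accounts it would actually remove on each workstation. The following PowerShell script is an added example (not part of the answer above): it applies the same ignore-list semantics (exact match or leftmost-prefix match) over the WinNT provider, but only reports accounts, their disabled state and last logon, without deleting anything. The computer names are constructed placeholders; it assumes PowerShell 2.0 or later and administrative rights on the targets.

```powershell
# Added example: read-only audit of local user accounts on each workstation,
# using the same ignore list as the VBScript deletion script. Nothing is deleted.
# $computers holds constructed placeholder names; replace with real hostnames.
$computers = @('WKSTN01', 'WKSTN02')

# Same ignore list as the VBScript: 'Exact' = whole name, 'Left' = prefix match
$ignore = @{
    'SUPPORT_'      = 'Left'
    'IUSR_'         = 'Left'
    'IWAM_'         = 'Left'
    'Administrator' = 'Exact'
    'Guest'         = 'Exact'
    'HelpAssistant' = 'Exact'
    'ASPNET'        = 'Exact'
}

# Mirrors IgnoreObject() from the VBScript (case-insensitive on both modes)
function Test-IgnoredAccount {
    param([string]$Name, [hashtable]$IgnoreList)
    foreach ($pattern in $IgnoreList.Keys) {
        switch ($IgnoreList[$pattern]) {
            'Exact' { if ($Name -ieq $pattern) { return $true } }
            'Left'  { if ($Name.ToUpper().StartsWith($pattern.ToUpper())) { return $true } }
        }
    }
    return $false
}

$results = foreach ($computer in $computers) {
    # The WinNT ADSI provider works against XP SP3 as well as Windows 7 clients
    $machine = [ADSI]"WinNT://$computer"
    $users = $machine.Children | Where-Object { $_.SchemaClassName -eq 'user' }
    foreach ($user in $users) {
        $name = $user.Name.Value
        $lastLogin = $null
        try { $lastLogin = $user.LastLogin.Value } catch { }   # unset if never logged on
        $disabled = ($user.UserFlags.Value -band 0x2) -ne 0     # ADS_UF_ACCOUNTDISABLED
        New-Object PSObject -Property @{
            Computer    = $computer
            Account     = $name
            WouldDelete = -not (Test-IgnoredAccount -Name $name -IgnoreList $ignore)
            Disabled    = $disabled
            LastLogin   = $lastLogin
        }
    }
}

# Accounts with WouldDelete = True are exactly those the startup script would remove
$results | Format-Table Computer, Account, WouldDelete, Disabled, LastLogin -AutoSize
```

A recent LastLogin on an account marked WouldDelete identifies the users still logging in locally, which is also a useful check that the GPO was scoped to the intended machines before the deletion runs.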

You can use the Restricted Groups feature of Active Directory Group Policy. The second thing you should probably do is rename the local administrator account; this is also possible via GP.

Taras Chuhay
  • How is 'Restricted Groups' policy going to help with logons using local user accounts? Are you thinking of trying to remove the local user accounts from each machines' 'Users' group? – Evan Anderson Dec 22 '09 at 03:56
  • I am using this feature to replace local admins with the ones I define. Theoretically you can remove local Users with this feature. – Taras Chuhay Dec 22 '09 at 20:36

Explicitly define the GPO "Deny Logon Locally" to block all users that you wish to deny, and apply that to the OU that they live in... It may take a bit of jiggery-pokery to your AD schema, but that should solve all your issues...

  • There wouldn't be any modification to the AD schema required to do what you're talking about. (Modification to the AD schema is a fairly serious affair. Your batting around the terminology so loosely makes me think you don't know what you're talking about.) If the poster is going to go to all of the trouble of locating the SIDs for all of the local user accounts in all the SAM databases on all the PCs to add them to a GPO why not just go ahead and delete the local user accounts? – Evan Anderson Dec 22 '09 at 13:58
  • I used schema in the loosest sense of the word, not in the AD sense, you're right, that is a serious business. Having read the OP again, I thought he was trying to block domain users from logging on locally, which would be a relatively easy thing to prevent... Teach me to try and answer things before my morning coffee... –  Dec 23 '09 at 08:42