Dyonysus 2007-10-03 09:04:48
I have just a question for you:
is it possible to have and/or create an account on Windows OS and not
allow anyone to log in with this account, except the administrator user?
Thank you in advance.
John bean 2007-10-03 09:04:52
The administrator creates the account and doesn’t tell
anyone else the password…
Have I missed something in your question?
Dyonysus 2007-10-03 09:04:53
Sure, if I knew that there wouldn’t be hackers around and programs like Jena
The problem is:
I need such accounts, different from Administrator, because of some
But at the same time I don’t want anyone to be able to log in with these accounts
locally or from Active Directory on my server…
I hope it’s a little more clear this time…
John bean 2007-10-03 09:04:55
I’m afraid it’s still clear as mud. If they don’t have a
password for the account or have admin rights on the PC in
question how can they log in?
Dyonysus 2007-10-03 09:04:56
Hackers don’t need to know the password, they brute-force the passwords… so to
prevent it you should monitor all the accounts on every server… and you
know, it costs money!
I would keep only the administrator account under control…
John bean 2007-10-03 09:04:56
If you’re administering lots of servers and have to ask a
question like this you’re well out of your depth.
Best of luck.
Dyonysus 2007-10-03 09:04:57
Well… I thought that someone better than me could help me in this
depth… but as I see I still haven’t found that one…
Thanks all the same.
Philip herlihy 2007-10-03 09:04:58
It would help if you told us what resources these accounts needed to
have access to, and why they need to be separate accounts.
Dyonysus 2007-10-03 09:04:59
Are you preparing a penetration test?
Well… I have software that does orchestration, and through it we should
log in on the machine.
For security I would allow logging in through it only with the administrator user…
but I must also have other users, for application needs… but at the same
time I don’t want anyone to be able to log in locally with those users:
people must log in through the orchestration software…
Philip herlihy 2007-10-03 09:05:00
You can control the privileges of individual accounts or groups using
Local Security Policy, which is in Control Panel under Administrative
Tools (XP), or Start, Run “secpol.msc”. If you’re working with a domain
(Active Directory) look also at the Group Policy Editor (gpedit.msc).
Have a look at the “Deny Logon Locally” option. To find this setting,
open Local Security Policy, Security Settings, Local Policies, User
Rights Assignment. See:
Be careful, or you can lock yourself (or even everyone) out of the machine!
I’m not very clear about what you are trying to do (what do you mean by
orchestration?). If you are building an application which manages
access to Windows (so that users log on through your application and
cannot do anything else) you have a lot of security problems as
experienced Windows users will find ways to get around it.
Otherwise, I assume users will log onto Windows first and then run your
application. In that case it will be simpler to assign user accounts to
groups, and then manage access to your application by setting file
permissions for those groups. Within your application code you could
also test to see if the current user is a member of a particular group.
So, I would look into setting file permissions for users by groups
first, and then investigate Local Security Policy and Group Policy if
you need further controls.
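A check for the “Deny Logon Locally” setting described in the post above, as an added example that is not part of the original thread: it parses a user-rights export (as produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and reports application accounts that are not listed under `SeDenyInteractiveLogonRight`, plus the lockout case the post warns about. The account names `svc_app1` and `svc_app2` and the sample export are constructed for illustration.

```python
import configparser

# Constructed sample of a user-rights export (real exports are UTF-16;
# decode before passing the text in). Account names are hypothetical.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest,svc_app1
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Built-in Administrators group SID and common names for it / its account.
ADMIN_PRINCIPALS = {"*s-1-5-32-544", "administrators", "administrator"}
DENY_LOCAL = "SeDenyInteractiveLogonRight"  # "Deny log on locally"


def load_rights(inf_text):
    """Return {right_name: set(lower-cased principals)} from the export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {m.strip().lower() for m in value.split(",") if m.strip()}
            for right, value in cp.items("Privilege Rights")}


def audit(inf_text, app_accounts):
    """List accounts missing from the deny right, and any admin lockout."""
    denied = load_rights(inf_text).get(DENY_LOCAL, set())
    findings = [f"{acct}: not listed under {DENY_LOCAL}"
                for acct in app_accounts if acct.lower() not in denied]
    # Denying local logon to administrators is the lockout the post warns about.
    findings += [f"{p}: administrator principal denied local logon (lockout risk)"
                 for p in sorted(denied & ADMIN_PRINCIPALS)]
    return findings


if __name__ == "__main__":
    # Entries exported as SIDs (*S-1-5-21-...) must be resolved to names first.
    for line in audit(SAMPLE_INF, ["svc_app1", "svc_app2"]):
        print(line)
```

The check compares names literally and does not expand group membership, so an account denied only through a group will still be reported.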
Dyonysus 2007-10-03 09:05:02
Thank you very much Philip…
Your answer is so exhaustive!