JSI Tip 1683. How do I restrict interactive logon at a workstation to members of the local Administrators group?.


Using NTRights, you can create a batch file that contains the following commands for each workstation you wish to restrict:


  ntrights -r SeInteractiveLogonRight -u "Backup Operators" - m \\<ComputerName>
  ntrights -r SeInteractiveLogonRight -u Everyone - m \\<ComputerName>
  ntrights -r SeInteractiveLogonRight -u Guests - m \\<ComputerName>
  ntrights -r SeInteractiveLogonRight -u "Power Users" - m \\<ComputerName>
  ntrights -r SeInteractiveLogonRight -u Users - m \\<ComputerName>
where <ComputerName> is the name of the workstation you want to restrict.

For the <ComputerName> you are working on, you don't need the -m \\<ComputerName> as the changes are made locally by default.

The above changes remove the right to logon locally from the listed local groups. If you have ordinary users in other local groups, add these local groups to the list. You can view the list of local groups by typing NET LOCALGROUP at a CMD prompt.

NOTE: You must be a member of the local Administrators group to run NTRights.

NOTE: NTRights is also availble in Supplement 4 of the Windows NT 4.0 Resource Kit.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish