NT Gatekeeper: Restrict Workstation Logons

Get answers to your security-related NT questions

[Editor's Note: Do you have a security-related question about Windows NT 4.0? Send it to [email protected], and you might see the answer in this column!]

I work at a large IT services company that comprises several technology practices. The company's consultants share a common pool of desks and computers. Every computer is grouped into a practice pool. Computers belonging to the same practice pool hold the same set of applications and data. For simplicity's sake, management doesn't want consultants to use a computer from a practice pool other than their own. For this setup, I want to use the Logon Workstations account property, which limits the workstations from which users can log on to their global domain account. How can I use this property given that every practice pool consists of more than 30 computers?

The problem with the Logon Workstations account property is that it holds a maximum of only eight workstations. Instead of using the Logon Workstations account property, you can create a customized logon script that automatically logs users off when they try to log on to systems outside their practice pool. Windows NT 4.0 executes logon scripts right after a valid user logon sequence occurs.

To set up a custom logon script, create a username.computername file in your domain controller's (DC's) Netlogon share for every computer you want to enable a user to log on to. Remember that an NT DC's Netlogon share is linked to the %systemroot%\winnt\system32\repl\import\scripts directory. The username.computername files are empty; only their filename is relevant to the solution. Open the user's domain logon script (also in the Netlogon share), and add the following lines at the beginning of the script:

if exist %logonserver%\netlogon\%username%.%computername% goto ok
  logoff /f /n
:ok
rem logon allowed; the rest of the logon script continues from here

where logonserver is the user's logon server, username is the user's account name, and computername is the computer's account name. The first line is a conditional If statement that checks for the existence of a username.computername file in the DC's Netlogon share. If such a file exists, the script proceeds to the third line and allows the logon. If such a file doesn't exist, the script proceeds to the second line, which contains a Logoff statement that logs the user off the system. The Logoff command-prompt tool is available in the Microsoft Windows NT Server 4.0 Resource Kit (make sure that you copy this tool to every workstation). To force a logoff without a user confirmation and without a prompt to save unsaved data, I added the /f switch (i.e., no prompt to save unsaved data before logoff) and the /n switch (i.e., no user confirmation before logoff).
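Creating more than 30 marker files per user by hand is error-prone, so here is an added batch file (not code from the original column) that writes the empty username.computername files for a whole practice pool from two lists and can show which computers a given user is already cleared for. It assumes, since the page does not say, that the input files hold one account name per line and that it runs on the DC whose Netlogon share maps to the directory set in SCRIPTS.

```bat
@echo off
rem makepool.cmd (added example; not code from the original column)
rem Creates the empty username.computername marker files that the
rem logon-script check looks for, for every user/computer pair in one
rem practice pool, and can list the computers a user is cleared for.
rem Assumed (not stated on the page): both input files are plain text
rem with one account name per line, and SCRIPTS is the directory that
rem this DC's Netlogon share points to.
rem Usage:  makepool.cmd computers.txt users.txt
rem         makepool.cmd /list username
setlocal
set SCRIPTS=%SystemRoot%\system32\repl\import\scripts
if /i "%1"=="/list" goto list
if "%2"=="" goto usage
if not exist "%SCRIPTS%" goto nodir

rem Every user in the pool gets one marker file per computer in the pool.
rem Filenames must match what %username%.%computername% expands to at
rem logon, so both lists must use account names, not display or DNS names.
for /f %%c in (%1) do (
  for /f %%u in (%2) do (
    if not exist "%SCRIPTS%\%%u.%%c" type nul > "%SCRIPTS%\%%u.%%c"
  )
)
echo Marker files written to %SCRIPTS%
goto end

:list
rem Show the marker files for one user (a logon script named after the
rem user, e.g. username.bat, would appear in this listing as well).
if "%2"=="" goto usage
dir /b "%SCRIPTS%\%2.*"
goto end

:nodir
echo Directory %SCRIPTS% not found; set SCRIPTS to this DC's Netlogon path.
goto end

:usage
echo Usage: %0 computers.txt users.txt
echo        %0 /list username
:end
endlocal
```

In a domain with several DCs the marker files must reach every DC's Netlogon share (the user's %logonserver% can be any of them), so run this where the Directory Replicator will distribute them or copy them to each DC. Because the logon script runs in the user's context after authentication has already succeeded, this check is a convenience control rather than a security boundary; a user who cancels the script or whose profile does not run it is not logged off.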
