
Active Directory

----

Viewing the active Directory with ADSIEDIT.MSC

List Active Directory Email Addresses

Server4 Aphelian Connection to Active Directory

<code>
Host info
Name:     activedirectory
Host:     etspowergroup.local
Port:     389
Version:  3
Base DN:  DC=ETSPowerGroup,DC=local

User info
User DN:  CN=Matthew Jados,CN=Users,DC=ETSPowerGroup,DC=local
Password:
</code>

Port 389 is plain LDAP: a simple bind on it sends the password in clear unless the session is upgraded with StartTLS, so use LDAPS (636) or StartTLS where the domain controller supports it.

Mac OS/Linux/Windows Single Sign-On

Well Known Security Identifiers

From: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

Computer login

2022-04-05

Deny User or Group to Sign in Locally in Windows 10

From: https://winaero.com/deny-user-group-sign-in-locally-windows-10/

From: https://community.spiceworks.com/topic/216823-implications-of-removing-nt-authority-authenticated-users-user-from-users-list

Andre Canis (Apr 17, 2012, Best Answer): A better way would be to do it in the security policy (secpol.msc):

Security Settings > Local Policies > User Rights Assignments > Allow log on locally. Remove the “Users” group from this policy and add those users you want to allow to log on.
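To check which principals currently hold this right on a machine, export the local policy with `secedit /export /cfg policy.inf` and inspect its `[Privilege Rights]` section. The script below is an added example, not from the Spiceworks thread; it parses a constructed excerpt of such an export, resolves the well-known SIDs listed earlier on this page (plus the BUILTIN and domain RIDs it needs), and flags broad groups such as Users and Authenticated Users that hold SeInteractiveLogonRight.

```python
# Added example (not from the Spiceworks thread): parse the [Privilege Rights]
# section of a local policy export ("secedit /export /cfg policy.inf") and
# flag broad principals holding the 'Allow log on locally' right.
import re

# Constructed excerpt in secedit .inf format (SIDs carry a leading '*').
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111-2222-3333-513
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-11
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs (Microsoft KB 243330) plus domain-relative RIDs.
WELL_KNOWN = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}
# Principals that effectively grant the right to every domain account.
BROAD = {"Authenticated Users", "BUILTIN\\Users", "Domain Users"}

def resolve_sid(sid):
    """Map a SID to a friendly name where known; otherwise return it unchanged."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return DOMAIN_RIDS.get(m.group(1), sid) if m else sid

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            sids = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            rights[name.strip()] = [resolve_sid(s) for s in sids]
    return rights

def broad_grants(inf_text, right="SeInteractiveLogonRight"):
    """Principals holding `right` that amount to 'everyone in the domain'."""
    return [p for p in parse_privilege_rights(inf_text).get(right, []) if p in BROAD]
```

Run it against a real export to see which groups would have to be removed from the policy before adding the specific accounts you want to allow.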

From: https://community.spiceworks.com/topic/199167-active-directory-2008-r2-control-user-login-to-computer

ChristopherO (Feb 15, 2012): You could certainly do this in 2003. If you want to be granular, you will need to update the Users group on each computer - remove Domain Users and add in the specific accounts/groups that can log into that computer. If it's going to be the same for a large number of computers (i.e., users in the Sales group can log into any computer in the Sales department) you can use Restricted Groups in Group Policy - just remember, with Restricted Groups it will remove ALL other users/groups from that local computer group and ONLY allow in what you set in the policy.

From: https://community.spiceworks.com/topic/338040-how-to-stop-domain-users-from-logging-into-my-pc

From: https://community.spiceworks.com/topic/126427-restrict-certain-users-from-login-on-certain-computers

From: http://windowsitpro.com/security/restricting-interactive-user-logons

</WRAP>

====== Remote Login Active Directory ======

Local secpol.msc security setting: "Allow log on through Terminal Services".

====== PowerBroker Identity Services ======

From: http://www.powerbrokeropen.org/

Download: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

Linux login to Active Directory:

<code>
RE: [linuxadmin-l] Centralized Login Solution For All The Linux And AIX

Reply from JJ_AIX on Sep 14 at 4:03 PM
Thanks guys, I appreciate it, I saw …

Reply from nawzs-se on Sep 15 at 12:49 AM
Well, Powerbroker Open is free, if you can manage without a support agreement. It'll take care of the unified logon; the paid version can also handle GPOs for your Linux and Unix systems. On the other hand, we use sssd and that one works well too. One small but important difference between the two setups is that with sssd (or nslcd) you need to set the Unix attributes in your LDAP directory (such as uid, gid, unixhome and loginshell). If you go with Powerbroker it'll take care of that for you by hashing the SIDs for uid, gid and assigning defaults for the rest. Defaults are customizable.
</code>

====== rd-gateway-ports-and-certificates ======

From: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS

<code>
In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:
- To authenticate users
- To authorize users
- To resolve the DNS names of internal resources
- To forward RDP packets from the client
- To get the Certificate Revocation List
- To send RADIUS requests (in a central NPS server scenario)
</code>

====== ADSI Edit ======

From: https://technet.microsoft.com/en-us/library/Bb124152%28v=EXCHG.65%29.aspx?f=255&MSPPError=-2147217396

<code>
ADSI Edit is implemented as a snap-in that runs in the Microsoft Management Console (MMC). The name of the default console containing ADSI Edit is AdsiEdit.msc. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in the MMC, or you can just open the AdsiEdit.msc file from Windows Explorer.
</code>

====== Backup of Active Directory ======

From: http://support.microsoft.com/kb/888794

An Active Directory domain controller requires regular system state backups to recover from user, hardware, software, or environmental problems. The default useful life of a system state backup is 60 or 180 days, depending on the operating system version and the service pack revision in use at installation time. This useful life is controlled by the tombstone lifetime attribute in Active Directory. At least one domain controller in every domain in the forest should be backed up at least once every tombstone lifetime number of days.

When you inspect the tombstone lifetime attribute, note the value in the Value column. If the value is <not set>, the value is 60 days.

====== Things to consider when you host Active Directory domain controllers in virtual hosting environments ======

From: http://support.microsoft.com/kb/888794

Virtualized DCs in clustered hosts

In order for the nodes, disks and other resources on a clustered computer to auto-start, authentication requests from the clustered computer must be serviced by a DC in the cluster computer's domain. To ensure that such a DC exists during cluster OS startup, deploy at least 2 domain controllers in the clustered host computer's domain on physical hardware. The physical DCs should be kept online and be network accessible (in DNS and on all required ports and protocols) to the clustered hosts. If the only DCs that can service authentication requests during cluster startup reside on a cluster computer that is being restarted, authentication requests will fail and manual recovery steps will be required to make the cluster operational.

Note: Always have at least one DC on physical hardware so that failover clusters and other infrastructure can start.

====== Free Active Directory Tools ======

From: http://www.manageengine.com/products/free-windows-active-directory-tools/free-active-directory-tools-index.html

ADManager Plus presents a complete suite of Active Directory tools that will certainly help Windows Active Directory administrators and users in efficient handling of all the Active Directory data. You can download 'RIGHT NOW' the entire suite at absolutely NO COST!

====== Permissions Analyzer for Active Directory ======

From: http://www.solarwinds.com/downloads/

Not a whole lot of help; you can get the same results by going to the folder or file and checking its permissions.

====== JXplorer: The World's Finest LDAP Browser ======

http://jxplorer.org/

JXplorer is an open source LDAP browser originally developed by Computer Associates' eTrust Directory development lab. It is a standards-compliant general-purpose LDAP browser that can be used to read and search any LDAP directory, or any X.500 directory with an LDAP interface. It is available for immediate free download under a standard OSI-style open source licence.

See https://confluence.atlassian.com/display/DEV/Identifying+Active+Directory+connection+details for details of the configuration parameters for Active Directory.

====== Microsoft Active Directory Credentials ======

From: https://confluence.atlassian.com/display/DEV/Identifying+Active+Directory+connection+details

ad.atlassian.com is the DNS name of our AD server, so that's how we worked out CN=Administrator,CN=Users,DC=ad,DC=atlassian,DC=com. We prefixed each part of the DNS name with DC (which stands for Domain Component). Any folders or subfolders that branch from the server we prefix with CN, hence CN=Administrator,CN=Users,DC=ad,DC=atlassian,DC=com (as the Administrator user account sits in the Users folder).

Please specify the full name of the account for CN. So, if the user is John Smith, you would use: CN=John Smith,CN=Users,DC=ad,DC=atlassian,DC=com

For baseContext, just specify DC=ad,DC=atlassian,DC=com (the DNS name prefixed with DCs).

Screenshot: https://confluence.atlassian.com/download/attachments/164873/jxplorer_connect.gif?version=1&modificationDate=1141791701655&api=v2
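The DN construction described above (DNS labels become DC components, the account's full name and its container become CN components) as an added example, not code from the Atlassian page. It goes one step further than the text by escaping RDN values per RFC 4514, so a full name such as "Smith, John" is carried as a single CN rather than being read as two components.

```python
# Added example (not from the Atlassian page): derive the base DN and a user's
# bind DN from a DNS domain name and full name as described above, escaping
# RDN values per RFC 4514 so a name containing ',' '+' '"' '\' '<' '>' ';' '='
# or a leading '#' cannot alter the structure of the DN.
_SPECIAL = ',+"\\<>;='

def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):          # leading '#' or space must be escaped
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):   # so must a trailing space
        out = out[:-1] + "\\ "
    return out

def base_dn_from_dns(domain):
    """'ad.atlassian.com' -> 'DC=ad,DC=atlassian,DC=com' (label case is preserved)."""
    labels = [label for label in domain.strip().split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join("DC=" + label for label in labels)

def user_dn(full_name, domain, container="Users"):
    """DN of an account sitting in a container directly under the domain root."""
    return "CN=%s,CN=%s,%s" % (
        escape_rdn_value(full_name), escape_rdn_value(container), base_dn_from_dns(domain))
```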

software/microsoft/windows/activedirectory.1649217595.txt.gz · Last modified: 2022/04/06 03:59 by superwizard