2025-05-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to restrict the login of AD users in Windows. The editor thinks it is very practical and shares it here as a reference; I hope you get something out of it.
As we all know, in Windows Active Directory, domain users can log in on any domain computer by default. So how can this be prevented?
A common method is the "Log On To" setting in the user's properties in ADUC, which specifies the computers the user can log in to. Another is the client-side group policy setting Security Settings | Local Policies | User Rights Assignment | "Allow log on locally", which defines the users and groups allowed to log in on that computer. Then there is concurrent login, which we won't discuss here. Microsoft has a limitlogon tool that hasn't been used much; at least, I didn't know where to start with it.
These methods share one drawback: the login properties have to be set manually, user by user, which is a lot of work in a large environment. To this end, I propose the following method. The main idea is to create a domain group policy that adds the user who logs in the most on each computer to "Allow log on locally". But every machine has a different user, so how can one policy cover them all? My approach is to add a local user group to each client, add that group to "Allow log on locally" in the policy, and add the user who logs on to the client the most to this group. Creating the local group and adding users to it can be done by script, which removes the hassle of setting things up one by one.
I am not very familiar with scripting; much of this is written with reference to other scripts, so perhaps some places are not very *.
First, create a local group
There are two ways, a BAT script or a VBS script; deploy either one as a computer startup script.
1. BAT mode
net localgroup LogonUser /add /comment:"Allow local login group"
2. VBS mode
strComputer = "."
' Bind to the local computer through the WinNT ADSI provider and create the group
Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
Set objGroup = objComputer.Create("group", "LogonUser")
objGroup.SetInfo
Second, find out the users who log in the most on the client side.
In general, the person a machine belongs to is the one who uses it and logs in to it the most. So how do we find this user? Through logon auditing. We therefore have to enable success auditing of logon events in the domain policy, and then search the successful audit entries to see who logged in the most. The first problem to solve is how to get the domain accounts that have been used on this machine.
After each domain account logs in, a record is written in the registry under SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, and the subkeys there are the accounts' SIDs. So I just need to read these SIDs and then look up each user by SID.
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
    ' Compare the SID and count only domain accounts. The string below is the
    ' first part of a domain user's SID, i.e. the domain identifier.
    If Left(subkey, 40) = "S-1-5-21-3417139075-3398302879-647143828" Then
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
        Set colItems = objWMIService.ExecQuery _
            ("Select * from Win32_UserAccount Where LocalAccount='False' And SID='" & subkey & "'")
        For Each objItem In colItems
            LogonTimes = CountLogon("cotoso\" & objItem.Name)
        Next
    End If
Next
' Function CountLogon counts the successful-audit logon events in the Security event log.
' Event 528 is the successful-logon event on Windows XP/Server 2003; Windows Vista and later log 4624 instead.
Function CountLogon(Username)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")
    ' A backslash inside a WQL string literal must be doubled, so escape DOMAIN\user first
    Set colEvents = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' AND " & _
        "EventCode = 528 AND User = '" & Replace(Username, "\", "\\") & "'") ' count event 528 for this user
    CountLogon = colEvents.Count
End Function
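As an added example (not the author's script), the following VBScript carries the pieces above through to the step the text describes but does not show: picking the domain account with the most event-528 logons and adding it to the local LogonUser group. The domain SID, the domain name cotoso and the group name are taken from the article's snippets; the AddToLocalGroup helper and the tie-breaking (the first account with the highest count wins) are assumptions.

```vbscript
Option Explicit
' Added example: the constants below are assumptions copied from the article's snippets.
Const HKLM = &H80000002
Const DOMAIN_SID = "S-1-5-21-3417139075-3398302879-647143828"  ' domain SID prefix
Const DOMAIN_NAME = "cotoso"     ' domain name as written in the article
Const GROUP_NAME = "LogonUser"   ' local group created in step one

Dim oReg, oWmi, arrSubKeys, subkey, colItems, objItem
Dim n, topUser, topCount

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set oWmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
oReg.EnumKey HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", arrSubKeys

topUser = "" : topCount = 0
If IsArray(arrSubKeys) Then
    For Each subkey In arrSubKeys
        ' Require the "-" after the prefix so a longer SID from another domain cannot match.
        If Left(subkey, Len(DOMAIN_SID) + 1) = DOMAIN_SID & "-" Then
            Set colItems = oWmi.ExecQuery("SELECT Name FROM Win32_UserAccount " & _
                "WHERE LocalAccount = False AND SID = '" & subkey & "'")
            For Each objItem In colItems
                n = CountLogon(DOMAIN_NAME & "\" & objItem.Name)
                If n > topCount Then
                    topCount = n
                    topUser = objItem.Name
                End If
            Next
        End If
    Next
End If

If topUser <> "" Then AddToLocalGroup DOMAIN_NAME, topUser

Function CountLogon(userName)
    ' Backslashes must be doubled inside a WQL string literal.
    Dim colEvents
    Set colEvents = oWmi.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' " & _
        "AND EventCode = 528 AND User = '" & Replace(userName, "\", "\\") & "'")
    CountLogon = colEvents.Count
End Function

Sub AddToLocalGroup(domainName, userName)
    Dim objGroup, userPath
    Set objGroup = GetObject("WinNT://./" & GROUP_NAME & ",group")
    userPath = "WinNT://" & domainName & "/" & userName
    ' IsMember avoids the error Add raises when the account is already in the group.
    If Not objGroup.IsMember(userPath) Then objGroup.Add userPath
End Sub
```

If no domain account has a recorded event 528, the group is left unchanged. Check the resulting membership before the logon policy is enforced, because any account that logged on often, such as one used during setup, is selected the same way.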