If username starts with... logoff!

  • Question

  • Hi there!

    I need guidance to write a simple script.

    Basically, during a logon:
    "If user starts with XYZ, then logoff"

    I could not find any example to help me :(

    Thanks in advance!


    Emilio MANSUR - MCSE:Security; MCSE+I, MCT - http://www.mansur.eti.br

    Monday, January 11, 2016 8:27 PM

Answers

  • Why? Just disable the accounts you don't want to log on. Alternatively, limit which workstations restricted users can log on to. You can do either of these without needing a script.

    -- Bill Stewart [Bill_Stewart]

    Monday, January 11, 2016 9:03 PM
    Moderator

All replies

  • Hi,

    I absolutely agree with Bill!

    Can you explain why you are trying to achieve this?

    Regards

    Eric


    Microsoft MVP Cloud and Datacenter Management
    Microsoft Partner Technical Solutions Professional (P-TSP)
    --
    www.ericberg.de
    @ericberg_de
    --
    MCSE: Enterprise Devices and Apps | MCSE: Private Cloud | MCSE: Server Infrastructure | MCSE: Desktop Infrastructure

    Monday, January 11, 2016 9:09 PM
  • Thank you Bill and Eric!

    And forgive my mistake.
    The correct "problem" is:

    "If username starts with XYZ, then logon. If not, logoff"

    Here I have a really big environment (+ 9,000 servers) and I have some servers that need to be accessed by RDP for only a small group of users. We can identify these users by their usernames.

    For particular reasons (some internal software, I think), we can't use groups. :(


    Emilio MANSUR - MCSE:Security; MCSE+I, MCT - http://www.mansur.eti.br

    Monday, January 11, 2016 10:09 PM
  • The correct answer to this problem is to use groups. We would have to know why you cannot use groups. Using a script is not a good way to do this.

    -- Bill Stewart [Bill_Stewart]

    Monday, January 11, 2016 10:18 PM
    Moderator
  • Otherwise you could use a GPO to configure RDP Users...if not available with Groups do it with users.

    For different Servers you can have different GPO settings.


    Microsoft MVP Cloud and Datacenter Management
    Microsoft Partner Technical Solutions Professional (P-TSP)
    --
    www.ericberg.de
    @ericberg_de
    --
    MCSE: Enterprise Devices and Apps | MCSE: Private Cloud | MCSE: Server Infrastructure | MCSE: Desktop Infrastructure

    Monday, January 11, 2016 10:20 PM
  • The supposed restriction does not make sense. Restricting RDP logon via Windows security has nothing whatsoever to do with applications running on RDP servers.

    -- Bill Stewart [Bill_Stewart]

    Monday, January 11, 2016 11:17 PM
    Moderator
  • Thank you Bill and Eric!

    And forgive my mistake.
    The correct "problem" is:

    "If username starts with XYZ, then logon. If not, logoff"

    Here I have a really big environment (+ 9,000 servers) and I have some servers that need to be accessed by RDP for only a small group of users. We can identify these users by their usernames.

    For particular reasons (some internal software, I think), we can't use groups. :(


    Emilio MANSUR - MCSE:Security; MCSE+I, MCT - http://www.mansur.eti.br

    This is nonsense.  Why would a piece of software not like groups?  Every user is a member of many groups.

    Use standard mechanisms for managing your environment.  Do not try to force the system to comply with your lack of knowledge and experience.  It will only come back to cause problems in the future.

    If you have a diesel car don't insist on running it on gasoline because that is all you know how to buy.  The car will be ruined.


    \_(ツ)_/

    Monday, January 11, 2016 11:30 PM
  • I would use a GPO, a script is not the answer.

    Example of the policy below.

    The simplest way to resolve this issue is to add your thin client users into the Remote Desktop Users Group (or any other group for that matter) then grant that OU the "Allow log on through Remote Desktop Services" ("Terminal Services" in pre 2008 R2 releases) via:

    • Start > Run > gpedit.msc
    • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Management
    • Select: Allow log on through Remote Desktop Services
    • Add Remote Desktop Users to the Policy.
    • To apply the changes: Start > Run > gpupdate /force

    Tuesday, January 12, 2016 12:21 AM
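
An added example, not part of any post in this thread: a PowerShell audit to run on one of the restricted servers after the policy above has applied, listing who holds the "Allow log on through Remote Desktop Services" right and flagging Remote Desktop Users members outside the naming convention. It assumes an elevated session, Windows PowerShell 5.1 (for the LocalAccounts cmdlets), and the `XYZ` prefix from the question; the function name is hypothetical.

```powershell
# Added example: audit RDP logon rights on the local server (run elevated).
# Assumption: 'XYZ' is the username prefix from the question; change as needed.
param([string]$Prefix = 'XYZ')

function Get-RdpLogonRightHolder {
    # Export only the user-rights area of the system security database.
    $cfg = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        # SeRemoteInteractiveLogonRight is the privilege constant behind
        # "Allow log on through Remote Desktop Services".
        $line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
                Select-Object -First 1
        if (-not $line) { return }          # the right is granted to nobody
        foreach ($entry in (($line.Line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {   # secedit writes SIDs as *S-1-...
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }        # unresolvable SID: report it as-is
            } else {
                $entry                      # already written as an account name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

"Holders of 'Allow log on through Remote Desktop Services':"
Get-RdpLogonRightHolder | ForEach-Object { "  $_" }

# Built-in Remote Desktop Users, addressed by well-known SID because the
# group name is localized on non-English systems.
$members = Get-LocalGroupMember -SID 'S-1-5-32-555'

# User accounts added directly to the group whose name does not start with the prefix.
$unexpected = $members | Where-Object {
    $_.ObjectClass -eq 'User' -and ($_.Name -split '\\')[-1] -notlike "$Prefix*"
}

if ($unexpected) {
    "Members outside the '$Prefix*' naming convention:"
    $unexpected | ForEach-Object { "  $($_.Name)" }
} else {
    "All direct user members match '$Prefix*'."
}
```

Nested groups are listed as holders or members but not expanded, so any group that appears in the output needs its own membership review.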
  • Thank you for all your answers.

    Now I have sufficient opinions that not using groups or GPO is a bad idea.
    Time to schedule a meeting and show the right way to deal with it.


    Emilio MANSUR - MCSE:Security; MCSE+I, MCT - http://www.mansur.eti.br

    Tuesday, January 12, 2016 12:24 AM