HOWTO allow LDAP logon on AD but BAN Windows LOGON to some computer

  • Question

  • Hi,

    My company works in a domain environment.

    At this time, we allow domain users to log in to all computers, and some website logins via LDAP work fine!

    We want to restrict access, so we need one domain user to log in to only one computer and still access some websites via LDAP.

    We configured:

    For domain user (abc) we set 'Log on To...' in the domain user's properties and set the computer name (ABC) => so domain user (abc) can only log in to the computer named (ABC), which works fine. But domain user (abc) can't log in to some websites via LDAP either :(

    Can anyone help?

    Friday, September 4, 2020 6:19 AM

Answers

  • Hi,

    hunt for failed logon events on the DCs and look for the exact source names. If memory serves, you may want to put the DCs on the list.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    • Marked as answer by mr_sudo Tuesday, September 8, 2020 9:32 AM
    Tuesday, September 8, 2020 5:25 AM
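    The two steps in this answer (find the source names the DCs are rejecting, then add them to the list) as an added PowerShell example; it is not code from the thread. It assumes the ActiveDirectory module, rights to read the DC Security logs, and that the user is `abc` and the allowed workstation `ABC` as in the question; the DC names are discovered, not assumed.

    ```powershell
    # Added example, not from the original thread.
    # Step 1: on every DC, look for credential validations that failed because of the
    # 'Log on To...' (LogonWorkstations) restriction and collect the source names.
    Import-Module ActiveDirectory
    $user = 'abc'                                             # restricted user from the question
    $dcs  = (Get-ADDomainController -Filter *).HostName       # all DCs in the domain

    # 4776 = NTLM validation; Status 0xC0000070 = STATUS_INVALID_WORKSTATION
    # 4768 = Kerberos TGT request; Status 0xC = KDC_ERR_POLICY (workstation/hours restriction)
    $filter = @{ LogName = 'Security'; Id = 4776, 4768; StartTime = (Get-Date).AddDays(-1) }

    $rejected = foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = @{}
                foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
                $status = ($data['Status'] -replace '^0x0*', '').ToUpper()
                if ($data['TargetUserName'] -eq $user -and $status -in 'C0000070', 'C') {
                    [pscustomobject]@{
                        DC      = $dc
                        EventId = $_.Id
                        # NTLM events carry the caller's name; Kerberos events carry its IP
                        Source  = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
                        Time    = $_.TimeCreated
                    }
                }
            }
    }
    $rejected | Group-Object Source | Sort-Object Count -Descending | Format-Table Name, Count

    # Step 2: the LDAP bind is validated by the DC itself, so the DCs' NetBIOS names
    # must be on the list alongside the user's own workstation. LogonWorkstations is a
    # comma-separated list of NetBIOS names (no FQDNs).
    $allowed = @('ABC') + ($dcs | ForEach-Object { $_.Split('.')[0] })
    Set-ADUser -Identity $user -LogonWorkstations ($allowed -join ',')
    Get-ADUser -Identity $user -Properties LogonWorkstations | Select-Object Name, LogonWorkstations
    ```

    Putting the DCs on the list only satisfies the workstation restriction; interactive and RDP logon to a DC is still governed by the DC's own user-rights assignments, which by default admit administrators only.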

All replies

  • Hi,

    you can achieve this by denying interactive logon rights to all workstations except for those where logon should be allowed.

    Alternatively, if you insist on using the Log On To... functionality, you'll need to add the names of all hosts doing LDAP against the domains to the Log On To... list


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Friday, September 4, 2020 10:01 AM
  • Hi Smirnov,

    Thanks for your reply.

    I would like the Log On To function because I think it is easier to apply.

    I can add the computer name of the local computer to Log On To... => It works fine.

    But when I add the hostname of the server (a Linux server running some websites that authenticate via LDAP config) => domain users still can't log in to our website :(

    Do you have any idea?

    Tuesday, September 8, 2020 2:11 AM
  • Hi,

    hunt for failed logon events on the DCs and look for the exact source names. If memory serves, you may want to put the DCs on the list.


    Evgenij Smirnov

    Thanks,

    You are my sunshine :D

    Only needed to add the computer name of the Domain Controller to "Log on to.." => It's done

    But after that, I'm afraid normal users can log on to my Domain Controller via RDP :(

    Tuesday, September 8, 2020 9:32 AM
  • But after that, I'm afraid normal users can log on to my Domain Controller via RDP :(

    Nope, as long as they are not Domain Admins or Printer Operators, they can't.

    Evgenij Smirnov

    http://evgenij.smirnov.de

    Tuesday, September 8, 2020 12:02 PM
  • But after that, I'm afraid normal users can log on to my Domain Controller via RDP :(

    Nope, as long as they are not Domain Admins or Printer Operators, they can't.

    Evgenij Smirnov

    Thanks for the information!

    Love you :D

    Wednesday, September 9, 2020 8:31 AM