How to restrict AD User Login

Source: Internet
Author: User

As we all know, in Windows Active Directory, members of Domain Users can log on to any domain-joined computer by default. How can this be prevented?

A common method is to set the "Log On To" attribute of each user in Active Directory Users and Computers (ADUC), which specifies the computers that user may log on to. Another is the client Group Policy setting Security Settings | Local Policies | User Rights Assignment | "Allow log on locally", which lists the users and groups allowed to log on at that computer. There is also the question of concurrent logons, which we will not discuss here; Microsoft has a LimitLogin tool for it, but I have never used it and would not know where to start. All of these methods share a drawback: you have to set each user's logon attributes one by one, which is a lot of work in a large environment.

To address this, I propose the following method. The main idea is a domain Group Policy that grants the users who most often log on at a computer the "Allow log on locally" right on that computer. But how can one policy handle different machines and different users? My solution is to create a local user group on each client, add that group to "Allow log on locally" in the policy, and add the users who actually log on to that client to the group. A script creates the local group and adds the users to it, so nothing has to be set one by one.

I am not very familiar with scripts; many of these were written with reference to other scripts, so some of them may not be perfect.
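Once the policy is in place, the check a practitioner wants is to confirm who actually holds "Allow log on locally" on a client. The following PowerShell script is an added example, not part of the original article: it exports the local security policy with secedit, resolves the SIDs listed for SeInteractiveLogonRight, and warns if the LogonUser group is missing or if a broad principal (Everyone, BUILTIN\Users, Authenticated Users) still holds the right. The group name LogonUser comes from the article; the list of broad SIDs is my own assumption.

```powershell
# Added example (not from the original article). Lists who holds
# "Allow log on locally" (SeInteractiveLogonRight) on this machine so you can
# verify the domain GPO applied the LogonUser group. Run from an elevated prompt.

$GroupName = 'LogonUser'   # group name used by the article
# Well-known SIDs that would undo the restriction if they remain on the right:
# Everyone, BUILTIN\Users (Domain Users is a member of it on domain-joined
# machines), Authenticated Users. This list is my assumption.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this elevated' }

# The export is a Unicode INI file; the right is one comma-separated line under
# [Privilege Rights], e.g.  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...-1105
$line = [IO.File]::ReadAllLines($inf) |
    Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $inf -Force
if (-not $line) { throw 'SeInteractiveLogonRight is assigned to nobody; no one could log on' }

$holders = foreach ($entry in (([string]$line -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if ($entry.Length -eq 0) { continue }
    $sid  = if ($entry.StartsWith('*')) { $entry.Substring(1) } else { $null }
    $name = $entry
    if ($sid) {
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid   # unresolvable SID, e.g. a deleted account
        }
    }
    [pscustomobject]@{ Name = $name; Sid = $sid }
}

$holders | Format-Table -AutoSize

$groupListed = $holders | Where-Object { $_.Name -like "*\$GroupName" }
if (-not $groupListed) {
    Write-Warning "$GroupName does not hold SeInteractiveLogonRight; check GPO application with gpresult /r"
}

$broadHolders = $holders | Where-Object { $BroadSids -contains $_.Sid }
foreach ($h in $broadHolders) {
    Write-Warning "$($h.Name) still holds the right, so the restriction is not effective"
}
```

The BUILTIN\Users check matters because "Allow log on locally" grants Users by default and Domain Users becomes a member of the local Users group when a machine joins the domain; a GPO that only adds LogonUser without removing Users changes nothing.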

1. Create a local group

There are two methods, a BAT script and a VBS script; either one can be run as a startup script.


1. BAT Method
net localgroup LogonUser /add /comment:"Allow local logon"

2. VBS
strComputer = "."
Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
Set objGroup = objComputer.Create("group", "LogonUser")
objGroup.SetInfo


2. Find the user who logs on to the client most often

In general, the user who logs on to a machine most often is its regular user. How do we find that user? By auditing logons. So we have to enable logon auditing (success) in the Domain Policy, and then find the account with the most successful-logon audit events. But first we need to solve a simpler problem: how do we find out which domain accounts have logged on to this machine at all?

After each domain account logs on, a record is written under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList; the subkeys under it are named after the account SIDs. I just need to read these SIDs and then look up the user for each SID.


Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
maxLogons = 0
For Each subkey In arrSubKeys
    ' Compare the SID prefix so that only domain accounts are counted. The string below
    ' is the domain part of the user SID (S-1-5-21-<domain identifier>) and belongs to the domain.
    If Left(subkey, 40) = "S-1-5-21-3417139075-3398302879-647143828" Then
        Set colItems = objWMIService.ExecQuery _
            ("Select * from Win32_UserAccount Where LocalAccount = 'false' And SID = '" & subkey & "'")
        For Each objItem In colItems
            ' CountLogon (below) counts successful logon audit events in the Security event log
            LogonTimes = CountLogon("contoso\" & objItem.Name)
            If LogonTimes > maxLogons Then
                maxLogons = LogonTimes
                topUser = objItem.Name   ' the most frequently logged-on domain user so far
            End If
        Next
    End If
Next



Function CountLogon(Username)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
        strComputer & "\root\cimv2")
    ' WQL treats the backslash as an escape character, so double it in the DOMAIN\user value
    escapedUser = Replace(Username, "\", "\\")
    ' Event 528 is the successful-logon audit event on Windows XP / Server 2003;
    ' on Windows Vista / Server 2008 and later the equivalent event is 4624.
    Set colEvents = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND " & _
         "EventCode = 528 AND User = '" & escapedUser & "'")
    CountLogon = colEvents.Count
End Function

