Restricting logon to Vista by Active Directory group membership RRS feed

  • Question


    I'm looking to restrict users from logging on to a Vista computer if they are not a member of a specific AD group. I'm a little unsure of where this functionality belongs - I've read the Credential Provider Technical Reference (is the one dated 2006 still current?) and it states that CPs are not enforcement mechanisms, but it seems to be a convenient place to do this. I guess the other place would be in an Authentication Package - I haven't looked into how to develop the authentication peice - most of my research has been on the credential providers.

    I'm considering wrapping the Microsoft in-box provider, checking the group membership, then passing the credentials to the in-box provider if they meet the membership criteria (and logon time criteria), or dropping back to logon screen if they don't.

    I'm not a very strong C++ programmer and venturing down the Credential Provider, or Authentication Package development path is a little daunting, so if anyone can provide any assistance (compiled DLL, source code, hints or tips, admonition to "not even bother!") I'd certainly appreciate it.  

    I'd even go for a commercial application if I could find one (searched, but haven't found what I'm looking for)!


    This is a University computer lab setting, so wrapping a credential provider shouldn't be a problem.  I control the machines completly.  We are running Vista in a domain environment, and I'm looking to stop users who aren't in the Business College from logging in during a specified time period on a set of computers that are in a specific OU (the group and time period would ideally be set via Group Policies on my Lab OU).  If they aren't in the group they are only allowed to logon outside the specified hours. 


    Wednesday, November 12, 2008 10:28 PM

All replies

  • That functionality already exists in the OS:

    Open secpol.msc. Navigate to Local Policies -> User rights assignment -> Allow Log locally

    It contains the list of users/groups that can logon interactively. Be cautious with that setting...






    Friday, December 5, 2008 11:55 PM
  • Thanks for the reply!  I'm aware of that feature, but I'm not sure it's really what I want.
    First, I'd like a notice to the user that the reason they have been restricted is due to the fact that they aren't enrolled in the business college.  And second, our restrictions are dependant on the time and date, as well as on the AD group.  For example, during the normal semester we allow all students to log on anytime of the day except between 11:00am and 5:00pm on monday through thursday.  We also change these to other hours during diffenernt times of the year.
    Friday, December 12, 2008 8:58 PM