samba - May 2015 - Deny login for a specific user in a specific machine in a samba domain

Well, samba 3 can't act as AD DC, so I guess the only way I can achieve
this remotely is setting this in registry using a login script. How can I
set this in registry? There Isn't something that automates the creation of
scripts that change policies by registry?

Citando Marc Muehlfeld <mmuehlfeld at samba.org>:
> Hello Rodrigo,
>
> Am 19.05.2015 um 13:40 schrieb Rodrigo Abrantes Antunes:
>> PDC. I'm using samba 3, I need scripts to apply GPO?
>
> You need an AD DC, to use group policies. I'm pretty sure that you
can't
> do that in an NT4 domain with poledit, too.
>
> A workaround may be to deny the logon for this user in the machines
> local security policy:
> https://technet.microsoft.com/en-us/library/dd277395.aspx
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\User Rights Assignment -> Deny logon locally
>
> Regards,
> Marc
> --
> To unsubscribe from this list go to the following URL and read
> theinstructions:? https://lists.samba.org/mailman/options/samba
-- 
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense

Am 20.05.2015 um 14:00 schrieb Rodrigo Abrantes Antunes:
>   Well, samba 3 can't act as AD DC, so I guess the only way I can
achieve
> this remotely is setting this in registry using a login script. How can I
> set this in registry? There Isn't something that automates the creation
of
> scripts that change policies by registry?
I'm pretty sure, this isn't a registry setting.

What's wrong with the way setting this locally once on a client? Or do 
you want to set this on hundred of machines?

Btw. if there's a way to set this via logonscript, then users need the 
permissions to change this. This means on the other side: Every user can 
remove this again and allow this user to login again...


Regards,
Marc

Another option in your case could be to use a logon script:

If your specific user (%username%) logs on from your specific workstation
(%computername%) the user will be logged off again (shutdown down /l).

Regards
Tim

Am 20. Mai 2015 14:00:20 MESZ, schrieb Rodrigo Abrantes Antunes
<rodrigoantunes at pelotas.ifsul.edu.br>:
>Well, samba 3 can't act as AD DC, so I guess the only way I can achieve
>this remotely is setting this in registry using a login script. How can
>I
>set this in registry? There Isn't something that automates the creation
>of
>scripts that change policies by registry?
>
>Citando Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello Rodrigo,
>>
>> Am 19.05.2015 um 13:40 schrieb Rodrigo Abrantes Antunes:
>>> PDC. I'm using samba 3, I need scripts to apply GPO?
>>
>> You need an AD DC, to use group policies. I'm pretty sure that you
>can't
>> do that in an NT4 domain with poledit, too.
>>
>> A workaround may be to deny the logon for this user in the machines
>> local security policy:
>> https://technet.microsoft.com/en-us/library/dd277395.aspx
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\User Rights Assignment -> Deny logon locally
>>
>> Regards,
>> Marc
>> --
>> To unsubscribe from this list go to the following URL and read
>> theinstructions:? https://lists.samba.org/mailman/options/samba
>-- 
>Rodrigo Abrantes Antunes
>Instituto Federal Sul-rio-grandense
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

I need to set this on hundred of machines. I'm thinking to set this in
registry for the local computer using a script when the machine enters the
domain. Then the users will not be able to change the value.

Citando Marc Muehlfeld <mmuehlfeld at samba.org>:
> Am 20.05.2015 um 14:00 schrieb Rodrigo Abrantes Antunes:
>> Well, samba 3 can't act as AD DC, so I guess the only way I can
achieve
>> this remotely is setting this in registry using a login script. How can
I
>> set this in registry? There Isn't something that automates the
creation
>> of
>> scripts that change policies by registry?
>
> I'm pretty sure, this isn't a registry setting.
>
> What's wrong with the way setting this locally once on a client? Or do
> you want to set this on hundred of machines?
>
> Btw. if there's a way to set this via logonscript, then users need the
> permissions to change this. This means on the other side: Every user can
> remove this again and allow this user to login again...
>
> Regards,
> Marc
> --
> To unsubscribe from this list go to the following URL and read
> theinstructions:? https://lists.samba.org/mailman/options/samba
-- 
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense