[Samba] restrict what users can log onto each workstation

Matt Skerritt matt.skerritt at agrav.net
Tue Dec 5 00:19:39 GMT 2006

On 04/12/2006, at 9:56 PM, Toni Casueps wrote:

> I have a Samba server with Windows XP clients, and roaming profiles  
> for every user. At this moment everyone can log onto any  
> workstation, but it shouldn't be like that: there are some  
> workstations where anyone can log into, but three of them should be  
> restricted to some specific users. I thought about making local  
> users for them, but we need all users to have roaming profiles, I  
> can't make local users expect for the Administrator account.
> Can this be done with Samba?

OK, it sounds like your samba server is a PDC, so I'll assume it is.  
This solution won't work if it's not (I don't think).

If I understand you correctly, you want these specific users to be  
able to log into any machine on the network (including the 3  
restricted ones), right? And you want everybody else to be able to  
log into all the machines except the 3 restricted ones? I'd probably  
do this by making a group which the specific users are all a member  
of (and nobody else), then go into the local security policies of the  
restricted workstations (Control Panel -> Administratrative Tools ->  
Local Security Policy), and modifyf the entries "Log on Locally" and  
"Deny logon locally" to suit (which will involve putting your new  
group into the "log on locally" policy, and removing "users" from it,  
and probably a few others as well).

Note: I haven't tested this method, it's just the way I'd try going  
about it if I was in your shoes. You can probably even set hte local  
security policies through System Policy if you use that - but you'll  
likely have to custom write your own policy template.

Matt Skerritt
matt.skerritt at agrav.net

More information about the samba mailing list