NT4 and Locking Down Users

OK .. background is that we have an NT4 domain with several external trusts that connect to us for using certain resources.

One of these is web access. Each trust (and other sites that don't have a trust) are given an NT4 User ID and password to authorise against our resource - in this case a caching only ISA Server.

We now need to make sure that User A from Site A can not go to Site B and user his credentials from A to logon at B.

Is there a way to do this, because I can't think of one right now? Using either add-ins, ISA or NT4 itself.

Thanks .... :confused:

You can deny them the ability to log in at any workstations... I think NT's user manager allows you to say which workstations they can log on at... and you can specify NO workstations. I don't have a copy of User Manager right now

Or you can use a domain policy to deny a group the right to log in locally (interactively.) And put all these people in a certain group.

They may still be able to connect to shares but you can restrict that too.

I don't think ISA server requires accounts to have the right to log in locally but I've never looked... if so, just enable it for that server (since its probably locked in a room anyway.)

If you want to lock down users, what you need to do is open up your User Manager (Start Button/Programs/Administrative Tools/User Manager) and look at the bottom of the box that appears. It should give you about 5 groups; Administrator, Guest, Backup Operators, Replicators and Users.

As you wish to admin each user, just bring up their account and click edit, which should give you a wide range of options right down to locking out the account altogether.

I'm not sure how you would work this, but I run NT Server and I have NT4 Workstation SP1 on all of my base machines...