quick and easy centralized access control list?
September 27, 2007 4:44 AM

Windows XP logon restriction question: We have a small public computer room with about 15 computers where we only want certain people to be able to log into and use the computers. What is the easiest way to administer who has access to them?

One obvious solution is to create a power user account, and hand out that password to the valid users of the computers.
We don't want to do that because it's not very secure, though we may have to do that in the end.

Wondering if there is a better way in WinXP to keep a list of valid users, without having to enter (and update and administer) that list individually on EACH computer.

Is there a centralized way to do that? Where the administrator can keep a list of usernames (and initial passwords) in a central location, and the computers remotely check in on that list when a user logs on, before giving the user access?

The solution would be preferably free, or nothing too expensive (up to 50 bucks or so is okay).
posted by jak68 to Computers & Internet (8 answers total)

Seconding Server 2003. It's going to cost money, but there's really no other way to do it (either reliably or legally). Really, though, it'll be money well spent, because the level of control will be as granular as you want it to be.
posted by omnipotentq at 5:01 AM on September 27, 2007

Best answer: You want to run what are generically called "directory services", which allow centralized management of authentication (usernames and passwords) and authorization (what level of access that account has), among other features.

To do this for free, you have a central machine (a "server" running Linux) running Samba (what is Samba?) as a domain controller. You set up your computer room stations as domain clients which use the domain controller as your source of directory information. You also set up domain users who can access the clients.

If you need to do this under Windows, you'd need to spend a fair amount of money on Windows Server 2003 and 15 client licenses, setting up Active Directory services. Configuration is also pretty complex.
posted by Blazecock Pileon at 5:05 AM on September 27, 2007
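
The Samba domain controller setup described in the answer above, sketched as an `smb.conf` for a Samba 3.x NT4-style primary domain controller. This is an added example, not part of the original post; `LABDOMAIN`, `LABSERVER`, the `machines` group and the `/srv/samba/netlogon` path are assumed placeholder names.

```ini
# Constructed example: Samba 3.x as an NT4-style primary domain controller.
# LABDOMAIN, LABSERVER, the "machines" group and the netlogon path are
# placeholders; replace them with values for your own site.
[global]
    workgroup = LABDOMAIN
    netbios name = LABSERVER

    # Accounts and password hashes live in one database on this server,
    # so the list of valid users is maintained in a single place.
    security = user
    passdb backend = tdbsam

    # Act as the domain controller and win browser elections on the LAN.
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65
    wins support = yes

    # Shared lab stations: no roaming profiles and no mapped home share.
    logon path =
    logon home =

    # Create the machine trust account when a station joins the domain.
    # Assumes a Unix group named "machines" already exists.
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[netlogon]
    comment = Network logon service
    path = /srv/samba/netlogon
    read only = yes
    guest ok = no
```

With this layout, each person is added once on the server (a Unix account plus `smbpasswd -a <user>`), and every station joined to the domain checks logons against that one list. Disabling or removing an account on the server revokes access on all stations at once.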

By complex, I mean that you don't want to run an Active Directory server unless you also have control over your organization's DNS service.
posted by Blazecock Pileon at 5:33 AM on September 27, 2007

Response by poster: Everyone, thanks for the information about domain controllers (whether Samba or Windows Server) and what that involves.

Hi craydrygu,
"What are these computers used for, and what are the security concerns you're trying to address by restricting logins? There might be other ways of addressing those concerns"

These are regular computers in a computer lab, pretty much wide open for use. It's just that they're being used by 'the public' and we want to limit their use to people in the office.
posted by jak68 at 6:20 AM on September 27, 2007

There's a limited version of Windows Server called "Windows Small Business Server" (Windows SBS). It may be cheaper than a full-blown copy of 2003 Standard.

However, if this is an academic environment, MSFT has pretty attractive academic pricing for Windows server - check with your bookstore or whoever handles the software sales on campus.
posted by GuyZero at 8:30 AM on September 27, 2007

Best answer: If you want to restrict what the computers do, take a look into Windows SteadyState. It's free.
posted by ALongDecember at 11:49 AM on September 27, 2007

Response by poster: Thanks for the ideas. I guess we have to think about what we want exactly. (Maybe just a combination lock on the door ;)
Windows SteadyState looks good, though I think they actually want an access control list.
posted by jak68 at 2:35 PM on September 27, 2007

You could have all the machines set up with userids/passwords & have VNC running. That way you could remotely log in to change passwords regularly.
posted by theora55 at 4:13 PM on September 27, 2007
