quick and easy centralized access control list?
September 27, 2007 4:44 AM

Windows XP logon restriction question: We have a small public computer room with about 15 computers where we only want certain people to be able to log into and use the computers. What is the easiest way to administer who has access to them?

One obvious solution is to create a power user account, and hand out that password to the valid users of the computers.
We don't want to do that because it's not very secure, though we may have to do that in the end.

Wondering if there is a better way in WinXP to keep a list of valid users, without having to enter (and update and administer) that list individually on EACH computer.

Is there a centralized way to do that? Where the administrator can keep a list of usernames (and initial passwords) in a central location, and the computers remotely check in on that list when a user logs on, before giving the user access?

The solution would be preferably free, or nothing too expensive (up to 50 bucks or so is okay).
posted by jak68 to Computers & Internet (10 answers total)
 
"Is there a centralized way to do that? Where the administrator can keep a list of usernames (and initial passwords) in a central location, and the computers remotely check in on that list when a user logs on, before giving the user access?"

Yup. Windows Server 2003. It's a lot more than $50, though, and you'd need to run it on its own server PC. But you also get the benefit of being able to specify very fine-tuned restrictions for specific user accounts or computers which is quite handy. There is (very deliberately) no other supported method of having a centralized login database in WinXP.

There might be free/cheap solutions that approximate parts of this, but I'm not aware of any. You can get Linux and SAMBA to act as a Windows NT4-style domain controller, but I don't think WinXP plays nicely with that.

What are these computers used for, and what are the security concerns you're trying to address by restricting logins? There might be other ways of addressing those concerns.
posted by CrayDrygu at 5:00 AM on September 27, 2007


Seconding Server 2003. It's going to cost money, but there's really no other way to do it (either reliably or legally). Really, though, it'll be money well spent, because the level of control will be as granular as you want it to be.
posted by omnipotentq at 5:01 AM on September 27, 2007


You want to run what are generically called "directory services", which allow centralized management of authentication (usernames and passwords) and authorization (what level of access that account has), among other features.

To do this for free, you have a central machine (a "server" running Linux) running Samba (what is Samba?) as a domain controller. You set up your computer room stations as domain clients which use the domain controller as your source of directory information. You also set up domain users who can access the clients.

If you need to do this under Windows, you'd need to spend a fair amount of money on Windows Server 2003 and 15 client licenses, setting up Active Directory services. Configuration is also pretty complex.
posted by Blazecock Pileon at 5:05 AM on September 27, 2007
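
The Samba setup described in the answer above, sketched as an added example that is not part of the original thread: an `smb.conf` for a Samba 3 server acting as an NT4-style domain controller. The domain name `LABDOM`, the host name `LABPDC`, the `machines` group and all paths are assumptions.

```ini
# /etc/samba/smb.conf (added example, not from the thread)
# LABDOM, LABPDC, the "machines" group and all paths are assumed names.

[global]
   workgroup = LABDOM
   netbios name = LABPDC
   server string = Computer room domain controller

   # One central account database on this server replaces the
   # per-workstation user lists.
   security = user
   passdb backend = tdbsam

   # Act as the NT4-style primary domain controller and win
   # browser elections on the local network.
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65
   wins support = yes

   # No roaming profiles or mapped home drive for lab users.
   logon path =
   logon home =
   logon drive =

   # Create the machine trust account when a workstation joins.
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

# Share the clients expect from a logon server; read-only so
# ordinary users cannot plant logon scripts.
[netlogon]
   comment = Network logon service
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no
```

Each permitted person gets a Unix account on the server plus `smbpasswd -a <user>`; disabling or deleting that one account removes access on every workstation. The workstations need Windows XP Professional (XP Home cannot join a domain), and any leftover local accounts on them still allow logon until disabled.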


By complex, I mean that you don't want to run an Active Directory server unless you also have control over your organization's DNS service.
posted by Blazecock Pileon at 5:33 AM on September 27, 2007


Everyone, thanks for the information about domain controllers (whether Samba or Windows Server) and what that involves.

Hi CrayDrygu,
"What are these computers used for, and what are the security concerns you're trying to address by restricting logins? There might be other ways of addressing those concerns"

These are regular computers in a computer lab, pretty much wide open for use. It's just that they're being used by 'the public' and we want to limit their use to people in the office.
posted by jak68 at 6:20 AM on September 27, 2007


There's a limited version of Windows Server called "Windows Small Business Server" (Windows SBS). It may be cheaper than a full-blown copy of 2003 Standard.

However, if this is an academic environment, MSFT has pretty attractive academic pricing for Windows Server - check with your bookstore or whoever handles the software sales on campus.
posted by GuyZero at 8:30 AM on September 27, 2007


@jak68: "These are regular computers in a computer lab, pretty much wide open for use. It's just that they're being used by 'the public' and we want to limit their use to people in the office."

There are a few ways of going about this. If the computers are used for more than just Internet access, look into some of the systems used by "Cyber Cafes" to control access. The software and/or hardware probably won't be $50, but it'll likely be less than Windows Server. I have no idea how well it works, but as an example, Easy Cafe for 15 PCs would run you about $550. Compare to Windows Server 2003 Small Business with 15 CALs, for $1500-2000 plus a PC to run it on.

On the other hand, if they are only used for Internet access, you could set up a proxy server they would all have to go through, and force your users to give a username/password to that server. It's usually called a "captive portal," and it's how wifi hotspots are usually set up. This can be done entirely with free software, but you'll need to find someone who knows what they're doing to set it up.
posted by CrayDrygu at 9:13 AM on September 27, 2007


If you want to restrict what the computers do, take a look into Windows SteadyState. It's free.
posted by ALongDecember at 11:49 AM on September 27, 2007


Thanks for the ideas. I guess we have to think about what we want exactly. (maybe just a combination lock on the door ;)
Windows SteadyState looks good, though I think they actually want an access control list.
posted by jak68 at 2:35 PM on September 27, 2007


You could have all the machines set up with userids/passwords & have VNC running. That way you could remotely log in to change passwords regularly.
posted by theora55 at 4:13 PM on September 27, 2007

