Tuesday, December 27, 2011

Deny local logon to an account without disabling it

Every account that exists only to give LAN access to shared resources should be explicitly configured for that purpose alone. It takes just a few clicks.

Anyone who has set up a local area network (LAN) between Windows PCs knows that, in order to enable file and printer sharing, you must create a password-protected user account on each workstation. The same credentials must then be entered when attempting to use a resource shared by another computer.

In home setups, this translates into the creation of a fictitious user (external, remote, retelocale, utentelan are the favorite names) which is then used by all the other stations.

It works perfectly, but for one small but important detail: by default, this new account can also be used to log on locally.

You will then find it on the Welcome screen and, if you were careless enough to make it an administrator, it can even be used to execute commands from the LAN, or to take control via Remote Desktop.

In short: if the only purpose of a certain account is to give others access to your PC's resources via LAN, explicitly configuring the operating system accordingly may be a good idea, especially if you take part in fairly large local networks.

The procedure is quite simple, but requires Windows XP Professional, Windows Vista Business / Ultimate / Enterprise or Windows 7 Professional / Ultimate / Enterprise.

In other words, the editions "Starter" and "Home" are not supported.

Set the limit

We will work with the Local Group Policy Editor system utility. To start this tool, select Start -> Run (see the article "Restoring "Run" command in Windows Vista and Windows 7" in case you do not see this item) and then enter gpedit.msc.

At this point, follow this path: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Find the entry Deny log on locally in the right-hand pane and double-click it. You will notice that, by default, the user Guest is already present.

In the dialog box, click Add User or Group....

Enter the name of the user to restrict in the text field, then press Check Names and finally OK.

For maximum safety, repeat this step to add the same account to Deny log on as a batch job and Deny log on as a service as well.

The result

Log off to see the result. Not only is the account no longer present on the Welcome screen but, even if you manage to reach the "classic" logon screen, any attempt to log on with that user will generate an error.

Access to network resources, on the other hand, continues to work as usual.
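The three settings can also be checked without logging off, by exporting the local user rights and looking for the account in each deny entry. The PowerShell script below is an added example, not part of the original post; it assumes PowerShell 3.0 or later and an elevated prompt, and uses utentelan (one of the sample names above) as a default account name.

```powershell
# Added example: audit that a LAN-only account holds the three deny rights
# set in the procedure above. Assumes an elevated PowerShell 3.0+ prompt.
param([string]$Account = 'utentelan')   # assumption: sample name from the post

# Privilege constants that back the three policy entries
$rights = [ordered]@{
    SeDenyInteractiveLogonRight = 'Deny log on locally'
    SeDenyBatchLogonRight       = 'Deny log on as a batch job'
    SeDenyServiceLogonRight     = 'Deny log on as a service'
}

# Resolve the name to a SID: the export lists accounts as *SID or by name.
# Translate() throws if the account does not exist on this machine.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }

try {
    $lines = Get-Content $cfg
    foreach ($r in $rights.Keys) {
        # A right with no members has no line at all in the export
        $line = $lines | Where-Object { $_ -match "^$r\s*=" } | Select-Object -First 1
        $members = @()
        if ($line) {
            $members = ($line -split '=', 2)[1].Split(',') |
                       ForEach-Object { $_.Trim().TrimStart('*') }
        }
        # -contains is case-insensitive, so name and SID both match as exported
        $denied = ($members -contains $sid) -or ($members -contains $Account)
        [pscustomobject]@{ Policy = $rights[$r]; Right = $r; Denied = $denied }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue   # do not leave the export behind
}
```

A row with Denied = False means the account was never added to that policy entry.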
