Deny Log on Locally to some accounts through GPO

We have a lot of application accounts (for enabling applications to
authenticate users through AD or pulling users from AD....these accounts do
NOT run as service....these can be treated as normal user accounts for which
we want to disable interactive logon).

We have seen that some people who have access to these application accounts,
logon to servers using these accounts.
We want to stop that.
In order to achieve this
we have created an OU "Application Accounts" and put all the application
accounts in this OU.
We also created a GPO named "Disable RDP Application Accounts".
I modified these settings in this GPO to achieve my goal (application
accounts should not be able to logon interactively)

GPO Setting
Deny log on locally
Deny log on through Terminal Services

In both the policies I have added the group that contains application
accounts. But with these accounts I am still able to logon locally and
terminal service in which I don't want.

Here are gpresults

C:\Documents and Settings\svc_exch>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/7/2008 at 11:28:05 AM


RSOP results for ROOT\svc_exch on ROOTCLIENT1 : Logging Mode
-------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: ROOT
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\svc_exch
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=ROOTCLIENT1,OU=WPA Computers,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:25 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
WiFi Protected Access
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
ROOTCLIENT1$
Domain Computers


USER SETTINGS
--------------
CN=svc_exch,OU=Application Accounts,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:28 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL

If you notice under User Settings

" The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)"

Why is this happening. The GPO has both the policies defined with the
account added.
Under GPO security filtering also I have the account added.

Am I doing something incorrect? or It cannot be achieved.

Any Help will be appreciated

Thanks
Ravs

 

Ravs,
Both GP settings you refer to are part of the Computer (ather than User)
Configuration - so they need to be linked to the OU where target computer
accounts reside (rather than the "Application Accounts" users)...

hth
Marcin

 

The policy is under computer settings but it says

Deny log on locally

This security setting determines which users are prevented from logging on
at the computer. This policy setting supersedes the Allow log on locally
policy setting if an account is subject to both policies.

Default: None.

Important:
If you apply this security policy to the Everyone group, no one will be able
to log on locally


Deny log on through Terminal Services

This security setting determines which users and groups are prohibited from
logging on as a Terminal Services client.

Default: None.

Important:
This setting does not have any effect on Windows 2000 computers that have
not been updated to Service Pack 2.

So it appears to me these policies apply to users and not computers based on
the description.
I may be wrong though. Now if I agree with you and apply these policies to
the computers that does not make sense to me.

Please suggest.

Much appreciated
thanks
Ravs

 

These are Computer Policies, put one test machine in "Application Account" OU
and reboot the box. Then try login to Test machine it will work.

If that works then consider linking "RDP Applicaiton Accounts" GPO at Domain
Level so that it flows to all the machines in the domain.


Never tried but you can check what happens if you check the check box "Smart
Card is required for interactive logon" under User properties in AD under
Account Tab under Account Options...


Regards,
ProADGuy

 

Ravs,
if you want to have these GP settings to take effect, you need to:
- specify target user accounts as part of the individual GP settings (which
you already have done)
- link the GPO containing these settings to an OU where the target computer
accounts reside (which you haven't done yet)

hth
Marcin

 

Marcin and ProADguy,

Thanks for your suggestions,

I have done what you guys suggested. Here is the gpresult

C:\Documents and Settings\svc_exch>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/10/2008 at 1:24:26 PM


RSOP data for ROOT\svc_exch on NLB1 : Logging Mode
---------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise
Edi
tion
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\svc_exch
Connected over a slow link?: No


USER SETTINGS
--------------
CN=svc_exch,OU=Application Accounts,DC=root,DC=local
Last time Group Policy was applied: 11/10/2008 at 1:23:58 PM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps
Domain Name: ROOT
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Denied (Security)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL


I am getting denied (Security) as you guys can see.

Here are GPO settings

Links
Location Enforced Link Status Path
Application Accounts No Enabled root.local/Application
Accounts
Member Servers No Enabled root.local/Member
Servers

This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and
computers:Name
ROOT\App Accounts
ROOT\NLB1$

app accounts is the group containing these accounts and NLB1 is one of the
member servers that I am testing with.

Both of these have Read and Apply group Policy permissions.

Is something incorrect here.

Please suggest.

thanks
Ravs