Deny Log on Locally to some accounts through GPO

Discussion in 'Active Directory' started by Ravs, Nov 7, 2008.

  1. Ravs

    Ravs Guest

    We have a lot of application accounts (for enabling applications to
    authenticate users through AD or to pull users from AD; these accounts do
    NOT run as services; they can be treated as normal user accounts for which
    we want to disable interactive logon).

    We have seen that some people who have access to these application accounts
    log on to servers using these accounts.
    We want to stop that.
    In order to achieve this
    we have created an OU "Application Accounts" and put all the application
    accounts in this OU.
    We also created a GPO named "Disable RDP Application Accounts".
    I modified these settings in this GPO to achieve my goal (application
    accounts should not be able to log on interactively):

    GPO Setting
    Deny log on locally
    Deny log on through Terminal Services

    In both policies I have added the group that contains the application
    accounts. But with these accounts I am still able to log on locally and
    through Terminal Services, which I don't want.

    Here are gpresults

    C:\Documents and Settings\svc_exch>gpresult

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 11/7/2008 at 11:28:05 AM


    RSOP results for ROOT\svc_exch on ROOTCLIENT1 : Logging Mode
    -------------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: ROOT
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\svc_exch
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=ROOTCLIENT1,OU=WPA Computers,DC=root,DC=local
    Last time Group Policy was applied: 11/7/2008 at 11:27:25 AM
    Group Policy was applied from: rootdc1.root.local
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    WiFi Protected Access
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    ROOTCLIENT1$
    Domain Computers


    USER SETTINGS
    --------------
    CN=svc_exch,OU=Application Accounts,DC=root,DC=local
    Last time Group Policy was applied: 11/7/2008 at 11:27:28 AM
    Group Policy was applied from: rootdc1.root.local
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Disable RDP Application Accounts
    Filtering: Not Applied (Empty)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL

    If you notice under User Settings

    " The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Disable RDP Application Accounts
    Filtering: Not Applied (Empty)"

    Why is this happening? The GPO has both the policies defined with the
    account added.
    Under GPO security filtering I have also added the account.

    Am I doing something incorrect, or can it not be achieved?

    Any Help will be appreciated

    Thanks
    Ravs
     
    Ravs, Nov 7, 2008
    #1

  2. Marcin

    Marcin Guest

    Ravs,
    Both GP settings you refer to are part of the Computer (rather than User)
    Configuration - so they need to be linked to the OU where target computer
    accounts reside (rather than the "Application Accounts" users)...

    hth
    Marcin
     
    Marcin, Nov 7, 2008
    #2

  3. Ravs

    Ravs Guest

    The policy is under computer settings but it says

    Deny log on locally

    This security setting determines which users are prevented from logging on
    at the computer. This policy setting supersedes the Allow log on locally
    policy setting if an account is subject to both policies.

    Default: None.

    Important:
    If you apply this security policy to the Everyone group, no one will be able
    to log on locally


    Deny log on through Terminal Services

    This security setting determines which users and groups are prohibited from
    logging on as a Terminal Services client.

    Default: None.

    Important:
    This setting does not have any effect on Windows 2000 computers that have
    not been updated to Service Pack 2.

    So it appears to me that these policies apply to users and not computers,
    based on the description.
    I may be wrong, though. Now, even if I agree with you and apply these
    policies to the computers, that does not make sense to me.

    Please suggest.

    Much appreciated
    thanks
    Ravs
     
    Ravs, Nov 7, 2008
    #3
  4. ProADGuy

    ProADGuy Guest

    These are Computer Policies. Put one test machine in the "Application
    Accounts" OU and reboot the box. Then try to log in to the test machine; it
    will work.

    If that works, then consider linking the "RDP Application Accounts" GPO at
    Domain Level so that it flows to all the machines in the domain.

    :)
    Never tried, but you can check what happens if you check the check box "Smart
    Card is required for interactive logon" under User properties in AD, under
    the Account tab, under Account Options...


    Regards,
    ProADGuy
     
    ProADGuy, Nov 7, 2008
    #4
  5. Marcin

    Marcin Guest

    Ravs,
    if you want to have these GP settings to take effect, you need to:
    - specify target user accounts as part of the individual GP settings (which
    you already have done)
    - link the GPO containing these settings to an OU where the target computer
    accounts reside (which you haven't done yet)

    hth
    Marcin
     
    Marcin, Nov 7, 2008
    #5
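The procedure Marcin describes (put the accounts in the deny settings, link the GPO where the computers live, verify on the computer), as an added PowerShell example that is not part of any post in this thread. It assumes an admin host with the RSAT GroupPolicy module (Windows Server 2008 R2 / RSAT or later, not the 2003-era hosts in the thread), the domain root.local, the GPO name "Disable RDP Application Accounts", the group ROOT\App Accounts and the "Member Servers" OU from the thread; the OU distinguished name and the temp file path are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT GroupPolicy module,
# domain root.local, and the GPO/group/OU names used in the thread.
Import-Module GroupPolicy

$GpoName   = 'Disable RDP Application Accounts'
$TargetOU  = 'OU=Member Servers,DC=root,DC=local'   # where the COMPUTER objects live (assumed DN)
$DenyGroup = 'ROOT\App Accounts'                     # group that holds the application accounts

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 2. Both deny rights are Computer Configuration settings:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment. There is no GroupPolicy cmdlet for
#    user rights, so add $DenyGroup to both settings in the GPMC editor:
#      Deny log on locally                   (SeDenyInteractiveLogonRight)
#      Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)
#    The group named inside the setting is what selects the accounts; the
#    GPO's security filtering only decides which COMPUTERS process the GPO.

# 3. Link the GPO to the OU that contains the computers. A link on the
#    "Application Accounts" OU does nothing: the GPO carries no user settings,
#    so the user scope reports it as "Not Applied (Empty)".
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# 4. Security filtering must grant Apply to the computers. Keeping the default
#    (Authenticated Users, which every domain computer is a member of) is enough.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Verify on the member server itself (run on NLB1 after 'gpupdate /force'
#    or a reboot). secedit exports the effective user rights as lines such as
#    SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-21-...
function Get-DenyLogonRights {
    $inf = Join-Path $env:TEMP 'rights.inf'     # assumed scratch path
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $wanted = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $names = foreach ($entry in ($Matches[2] -split ',')) {
                $sid = $entry.Trim().TrimStart('*')
                if (-not $sid) { continue }
                # Resolve each SID to DOMAIN\name; fall back to the raw SID if it
                # no longer resolves (e.g. a deleted group).
                try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                          [System.Security.Principal.NTAccount]).Value }
                catch { $sid }
            }
            [pscustomobject]@{ Right = $Matches[1]; Principals = ($names -join '; ') }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

Get-DenyLogonRights | Format-Table -AutoSize

# 6. Read the COMPUTER scope of gpresult; that is the scope that decides the
#    outcome. The USER SETTINGS section will keep listing this GPO as filtered
#    out, which is expected for a GPO with only computer settings.
gpresult /scope computer /r |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,6
```

If the deny rights come back empty on the server even though the GPO is listed under the computer scope, the accounts were not added inside the settings themselves; if the GPO is missing from the computer scope, check the link and the computer's Apply permission rather than the user's RSoP.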
  6. Ravs

    Ravs Guest

    Marcin and ProADguy,

    Thanks for your suggestions,

    I have done what you guys suggested. Here is the gpresult

    C:\Documents and Settings\svc_exch>gpresult

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 11/10/2008 at 1:24:26 PM


    RSOP data for ROOT\svc_exch on NLB1 : Logging Mode
    ---------------------------------------------------

    OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
    OS Configuration: Member Server
    OS Version: 5.2.3790
    Terminal Server Mode: Remote Administration
    Site Name: N/A
    Roaming Profile:
    Local Profile: C:\Documents and Settings\svc_exch
    Connected over a slow link?: No


    USER SETTINGS
    --------------
    CN=svc_exch,OU=Application Accounts,DC=root,DC=local
    Last time Group Policy was applied: 11/10/2008 at 1:23:58 PM
    Group Policy was applied from: rootdc1.root.local
    Group Policy slow link threshold: 500 kbps
    Domain Name: ROOT
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Disable RDP Application Accounts
    Filtering: Denied (Security)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL


    I am getting Denied (Security), as you guys can see.

    Here are GPO settings

    Links
    Location               Enforced   Link Status   Path
    Application Accounts   No         Enabled       root.local/Application Accounts
    Member Servers         No         Enabled       root.local/Member Servers

    This list only includes links in the domain of the GPO.

    Security Filtering
    The settings in this GPO can only apply to the following groups, users, and
    computers:
    Name
    ROOT\App Accounts
    ROOT\NLB1$

    App Accounts is the group containing these accounts, and NLB1 is one of the
    member servers that I am testing with.

    Both of these have Read and Apply group Policy permissions.

    Is something incorrect here?

    Please suggest.

    thanks
    Ravs
     
    Ravs, Nov 10, 2008
    #6
