How to deny log on locally

Discussion in 'Active Directory' started by youssef, Feb 13, 2006.

  youssef (Guest)

    Hi everyone,
    I have two questions:
    1. How can I prevent users in an OU from logging on to their local machines by
    using Group Policy?
    2. If a user wants to log on locally to his machine without logging on to the
    domain, how can I control or apply a policy to his local machine?
    Thank you
    youssef, Feb 13, 2006
  Cary Shultz (Guest)


    There is an easy way to make this happen. You are correct in that you can
    do this via GPO.

    Look at the 'Deny logon locally'. Here is an article.

    The concept here is the same as what you want to accomplish. Well, the
    first part. The second part is something that I would strongly suggest that
    you re-think. There is no reason for domain users to log on locally
    (meaning, that instead of logging on with his/her Domain user account object
    he/she logs on local to such and such a machine with a local user account).

    Consider this example for a second!

    You have four departments in your environment: Finance, Accounting,
    Marketing/Sales and Customer Service.

    Let's just say that you do not want anyone from Customer Service to be able
    to log on to any of the machines in the Finance department or in the
    Accounting department. So, you do this:

    You create four OUs for the different computers: one called Finance
    Workstations, one called Accounting Workstations, one called MKTG/Sales
    Workstations and one called CS Workstations. You place all of the computer
    account objects from the Finance department in the Finance Workstations OU,
    all of the computer account objects from the Accounting department in the
    Accounting Workstations OU, etc. You already have four security groups in
    place (one for the Finance guys, one for the Accounting guys, one for the
    Marketing/Sales guys and one for the CS guys) and we are going to use them.
    Well, one of them.

    Go to the Finance Workstations OU and create a GPO. See the article for the
    who, what, where and how. You will use the Customer Service Security Group -
    that already existed - in this GPO.

    Reboot the systems. Now, try to log on to the domain using one of the user
    account objects from a Customer Service user. It will not work. You will
    get a message stating something to the effect that this user account object
    is not allowed to logon....

    But, I am not sure that this is what you mean....

    If you are asking with #1 how you prevent users from logging on to a
    machine locally (meaning, using a local user account) then I am not sure how
    you prevent this, other than making sure that they do not know what the
    local Administrator password is so that they cannot log on as that and then
    create their own local user account. Also, making sure that their domain
    user account object is not part of the local Administrators group......

    If that is the case then consider using another GPO to change this. Look at
    Restricted Groups. This is a pretty restrictive Policy and if you do use
    this (should it apply) be aware that the default behavior is to flush the
    members of the current "focus group" - in this case, the local
    Administrators group - and to replace the membership with whatever
    users/groups you specify. You want to remember to include as one of the
    groups the Domain Admins group. Otherwise you are creating a potential
    nightmare for yourself.
    Cary Shultz, Feb 13, 2006
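An added example, not part of Cary's reply: the two things his answer says to check are that the "Deny log on locally" right on a workstation actually contains the group you denied, and that after a Restricted Groups policy the local Administrators group still contains Domain Admins. The script below verifies both on one workstation from an elevated PowerShell prompt. It assumes a domain named CONTOSO and a security group named "Customer Service"; replace those with your own names. It relies only on `secedit /export` (the user rights live under the `[Privilege Rights]` section of the exported INF, stored as `*SID` entries) and the built-in `Get-LocalGroupMember` cmdlet.

```powershell
# Added example (not from the original thread). Verify on a workstation that the
# GPO-applied "Deny log on locally" right lists the expected group and that the
# local Administrators group still contains Domain Admins after Restricted Groups.
# Run elevated; run "gpupdate /force" first if the GPO was just linked.
param(
    [string]$DeniedGroup        = 'CONTOSO\Customer Service',  # assumption: your denied group
    [string]$RequiredAdminGroup = 'CONTOSO\Domain Admins'      # assumption: your domain name
)

# 1. Export the effective local security policy (user rights area only).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Pull the SeDenyInteractiveLogonRight line ("Deny log on locally") and
#    translate each *SID entry back to a DOMAIN\Name; unresolvable SIDs
#    (for example a deleted group) are kept as raw SIDs rather than dropped.
$line   = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
$denied = @()
if ($line) {
    $denied = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

# 3. Read the current local Administrators membership. If a Restricted Groups
#    policy replaced the membership, Domain Admins must still be in this list.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

# 4. Report both checks; -contains is case-insensitive in PowerShell.
[pscustomobject]@{
    DeniedLogonLocally   = ($denied -join ', ')
    DeniedGroupPresent   = ($denied -contains $DeniedGroup)
    LocalAdministrators  = ($admins -join ', ')
    DomainAdminsRetained = ($admins -contains $RequiredAdminGroup)
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

`DeniedGroupPresent` should be True on a Finance workstation once the GPO has applied; `DomainAdminsRetained` should be True everywhere, and a False there is the "potential nightmare" Cary warns about, meaning the Restricted Groups policy flushed the group without putting Domain Admins back. Note that a deny right always wins over "Allow log on locally", so a user who is in both the allowed and the denied group will still be refused at the console.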
