jbreg
Deny Logon Locally to users in OU, not group
I have an OU created and want to be able to move users into that OU, at which point certain restrictions will apply to them, such as not being able to log on locally. I have created a GPO and linked it to this OU, but it will not allow me to deny logon locally to Everyone (which presumably would only be everyone in that OU). How can I achieve this without having to create a group and put the users in it, which defeats the point of the OU?
ASKER
Can you have a group in AD that is populated only with objects in an OU?
Not automatically that I know of. You could write a periodic script, which you schedule or trigger manually, using dsquery to pick up the members of an OU and populate a group with them. Something like (syntax not checked):
dsquery user ou=whatever,dc=domain,dc=internal | dsmod group "cn=<group>,dc=domain,dc=internal" -addmbr
Steve
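The periodic sync Steve describes, as an added example that is not from the thread: a PowerShell script using the ActiveDirectory (RSAT) module that keeps the security group's membership equal to the user objects under the OU, so the "Deny log on locally" user right can be assigned to that group. The OU and group names are assumptions.

```powershell
# Added example (not from the thread): sync a security group with the users
# located under one OU. Run it on a schedule; use -WhatIf to preview changes.
# Requires the ActiveDirectory module and rights to modify the group.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OuDn    = 'OU=Terminated,DC=domain,DC=internal',            # assumed OU
    [string]$GroupDn = 'CN=Deny Logon,OU=Groups,DC=domain,DC=internal'   # assumed group
)
Import-Module ActiveDirectory

# Users currently located in the OU (whole subtree), keyed by distinguishedName.
$inOu = @{}
Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
    ForEach-Object { $inOu[$_.DistinguishedName] = $_ }

# User objects that are direct members of the group right now.
$inGroup = @{}
Get-ADGroupMember -Identity $GroupDn |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $inGroup[$_.distinguishedName] = $_ }

# Add users that were moved into the OU but are not yet in the group.
$toAdd = @($inOu.Keys | Where-Object { -not $inGroup.ContainsKey($_) })
if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupDn, "add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $GroupDn -Members $toAdd
}

# Remove users moved back out of the OU (e.g. a reinstated account), so the
# deny right does not stay attached to them after the move.
$toRemove = @($inGroup.Keys | Where-Object { -not $inOu.ContainsKey($_) })
if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupDn, "remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $GroupDn -Members $toRemove -Confirm:$false
}

# Group membership only enters a user's token at the next logon, so an account
# moved into the OU is still able to log on until its current sessions end.
Write-Verbose ("Added {0}, removed {1} member(s) of {2}." -f $toAdd.Count, $toRemove.Count, $GroupDn)
```

The GPO that grants "Deny log on locally" to this group must still be linked where the computers are (domain level or a computer OU), since that right is a computer setting.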
Yes, but the problem here is he wanted it to happen just based on OU membership... which can't happen IMHO.
Sure it can, you can make an entire OU a member of that Security Group.
Jeff
TechSoEasy
Manually with the right-click option in ADUC... but automatically? Please let me know if so, it will come in handy!
Steve
Further reference: http://technet2.microsoft.com/WindowsServer/en/library/1079c1ad-08ee-4429-88ee-1d287ab11b1d1033.mspx
Jeff
TechSoEasy
This may be an easier method though: http://www.enterpriseitplanet.com/security/features/article.php/1497881
Jeff
TechSoEasy
ASKER
How do I make an entire OU part of a security group? I have tried via ADUC but can't seem to do this, and it does not appear to be answered in the links.
The Deny Logon Locally is a COMPUTER setting. In order for a GPO linked to an OU to affect anything at all the COMPUTER must be in the OU.
If you set it at the Domain level then you can use TSE's method adding users to this new Security Group - keep in mind, the GPO will put that restriction on ALL workstations since it's linked at the domain.
Dropping people into an OU and expecting them to be added to a Security Group is only something that can occur if you link another GPO to the OU running a logon script that adds the user to this Security Group. Also keep in mind that the first time they log in they'll be added, but the group membership isn't in the user's token until they log off and back on again.
What exactly are you attempting to do?
I think the only thing is to manually add the users to the Security Group - but it all depends on what you are trying to accomplish in the end.
ASKER
Thanks Netman. I am trying to create an OU for terminated employees, so that when I am notified I put the user into this OU and it applies drastic restrictions. I don't want to disable the account, because often the manager needs to review their inbox before the account is deleted. I would like to do something similar for accounts created for new users who have not yet started.
ASKER
Sounds good, I will use the group option.
Sorry I wasn't around to continue following up on this one... I was quite aware of how to do it with a group, but you were asking for a way without one.... to which the answer was no. Never mind, you've got your answers now!
Steve
Windows settings \ security settings \ restricted groups
Add a new group called "Deny Logon"
etc.
But then reality kicked in and I realised that was fruitless. I can't think of any way of doing it without a group. Once you've got that, assigning the user right is easy of course, as you know.
A "Deny logon locally" to Everyone would add it for ANYONE - for starters, the settings apply to the computers, not users.
Problem is, of course, OUs aren't security principals, something that was SO useful in Novell NDS...
Steve