Solved

Restrict logon with Group Policy

Posted on 2004-03-22
8
2,249 Views
Last Modified: 2012-05-04
I have a Windows 2k domain with XP workstations.  I have one workstation that I want to restrict logon to one user, let's call him joe.  I would like to make this change on the server rather than on the client to make it easier to manage.
I created a new OU and placed the computer in that OU.  I then created a new group policy object for that OU and I defined the 'Log on Locally' to have just joe in the list.
I then when to the client machine and ran gpupdate and restarted.  I tried logging on with a different user(besides joe, and not an aministrator) and it still let me login.
I looked at the Local Security Policy on the client and it had inherited the correct settings from Active Directory - that is, Log On Locally had Administrators(which I guess is just thrown in by default) and Joe in the list.  I could tell that it had inherited because the icon was different and I was not able to update it.
So, even through only Administrators and Joe are in the list, it is still letting others logon.  The only way that I have found to keep other users out is to add them to the Deny Log On Locally but I don't want to use that because then I would have to modify that list every time I create a new user.
Also, I do not want to create a group that contains all users except Joe.
0
Comment
Question by:ErnieExpert
  • 3
  • 2
  • 2
8 Comments
 
LVL 7

Expert Comment

by:Isigow
ID: 10651995
Add 'Domain Users' to the Deny logon Locally list
That should remove all other users from the ability to logon, except that Joe has an exception already so he should still be able to.

Isi
0
 
LVL 2

Author Comment

by:ErnieExpert
ID: 10652035
no, that will not work because Deny permissions take precedense and since Joe is member of Domain Users, Joe would then be denied permission.
0
 
LVL 11

Expert Comment

by:kabaam
ID: 10654419
you may have a domain policy that is overriding this setting.
also check the permissions on the gpo for the computer OU.  joe needs read and apply


http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 2

Author Comment

by:ErnieExpert
ID: 10661353
The domain policy does not have anything defined for 'Log on Locally'  so I don't think that that is conflicting.
I checked the permissions and Authenticated Users have Read and apply permission

I ran gpresult on the workstation and it showed that it was in the new OU that I created for it.  It also reported that it was applying the group policy from the new OU so that confirms that it is applying it.

0
 
LVL 7

Accepted Solution

by:
Isigow earned 75 total points
ID: 10661502
Odd thing is, I just tried this on a 2k server and it worked fine, on an XP workstation it still allowed Domain Users in...
Anyone know of why XP (and possible 2k workstation) does this while server does not? (not a DC, just a standard server)

Isi
0
 
LVL 11

Assisted Solution

by:kabaam
kabaam earned 50 total points
ID: 10669178
you best bet maybe to edit the local policy on the machine. instead of the OU level.
this will ensure there are not any compatibility issues.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
0
 
LVL 2

Author Comment

by:ErnieExpert
ID: 11143158
Thanks Isigow for taking the time to test this out.  I ran the same test and came out with the same results.  I tried kabaam's suggestion and that worked.  It did not exactly answer my request bacause I said that I wanted to be able to manage it from the server, however, this seems to be the best solution for now.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Can't Make Laptop Computer Connect To Homegroup 33 61
2 LAN/WAN on One Server 2 57
AutoCad licenses 9 55
backup computers on Workgroup 10 47
Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now