Solved

Ok, I just BLEW up my server after trying to set a policy so that reg users cannot logon.

Posted on 2004-08-06
6
144 Views
Last Modified: 2010-04-11
Can anyone tell me how to prevent certain users in a group from logging on but NOT apply that policy to the admins or domain admins?  I thought if you for example open the default domain policy->click "deny logon locally," and add a group like "restricted users" and put all the users desired in that group then the policy will only apply to those users. It seems I like I applied this rule to myself as an admian as well!!  I had to restore to a tape from 2 days ago.  EEk!
0
Comment
Question by:Sp0cky
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Expert Comment

by:AlexanderR
ID: 11740232
Admin is also a part of the "users" group, like ALL other accounts, thats how it got locked out.  So make sure that you group the users you want to disable to log on, in some other way.  But DON"T remove admin from the users group.
0
 

Author Comment

by:Sp0cky
ID: 11740490
I removed admin from the domain/users group..maybe that's why I got locked out.  Anyone for any more idea of how to configure this?  Thanks.
0
 

Author Comment

by:Sp0cky
ID: 11744304
Ok, I think this is solved.  What you need to do according to the text is Select "Apply Group Policy" check box in the "DENY" column of the particular domain security policy properties->security tab setting.  Anyone for a confirm?
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11745702
In my opinion, create a group where you would be able to add or renove users; and name it 'Locked' and than add that group to the 'Log on Locally' policy. This will enable you a much more easier managability...

As for what you just did... looks OK to me...

Cyber
0
 
LVL 1

Expert Comment

by:Serpent77
ID: 11835194
Why not just edit the "Log On Locally" Policy on the server to only include users in the administrators group, and maybe the web server users or other services you have installed on the machine?  

By explicity removing their right to log on, you implicity deny them the right.  Plus you don't blow up that admin acct and have to use the time machine from hell...aka tape.  ;^)

FYI, you can also do that with network access and Terminal service access as well.  It's always safer to exlcude premission than to deny it.  

--Serp
0
 
LVL 7

Accepted Solution

by:
katacombz earned 400 total points
ID: 11845120
I agree with Comment from Sp0cky
Date: 08/07/2004 01:41PM PDT
 

edit the secuirty on the gpo and deny read access to the admins, this will prevent the policy from applying to them.
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Ready for our next Course of the Month? Here's what's on tap for June.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question