Solved

Ok, I just BLEW up my server after trying to set a policy so that reg users cannot logon.

Posted on 2004-08-06
6
143 Views
Last Modified: 2010-04-11
Can anyone tell me how to prevent certain users in a group from logging on but NOT apply that policy to the admins or domain admins?  I thought if you for example open the default domain policy->click "deny logon locally," and add a group like "restricted users" and put all the users desired in that group then the policy will only apply to those users. It seems I like I applied this rule to myself as an admian as well!!  I had to restore to a tape from 2 days ago.  EEk!
0
Comment
Question by:Sp0cky
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Expert Comment

by:AlexanderR
ID: 11740232
Admin is also a part of the "users" group, like ALL other accounts, thats how it got locked out.  So make sure that you group the users you want to disable to log on, in some other way.  But DON"T remove admin from the users group.
0
 

Author Comment

by:Sp0cky
ID: 11740490
I removed admin from the domain/users group..maybe that's why I got locked out.  Anyone for any more idea of how to configure this?  Thanks.
0
 

Author Comment

by:Sp0cky
ID: 11744304
Ok, I think this is solved.  What you need to do according to the text is Select "Apply Group Policy" check box in the "DENY" column of the particular domain security policy properties->security tab setting.  Anyone for a confirm?
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11745702
In my opinion, create a group where you would be able to add or renove users; and name it 'Locked' and than add that group to the 'Log on Locally' policy. This will enable you a much more easier managability...

As for what you just did... looks OK to me...

Cyber
0
 
LVL 1

Expert Comment

by:Serpent77
ID: 11835194
Why not just edit the "Log On Locally" Policy on the server to only include users in the administrators group, and maybe the web server users or other services you have installed on the machine?  

By explicity removing their right to log on, you implicity deny them the right.  Plus you don't blow up that admin acct and have to use the time machine from hell...aka tape.  ;^)

FYI, you can also do that with network access and Terminal service access as well.  It's always safer to exlcude premission than to deny it.  

--Serp
0
 
LVL 7

Accepted Solution

by:
katacombz earned 400 total points
ID: 11845120
I agree with Comment from Sp0cky
Date: 08/07/2004 01:41PM PDT
 

edit the secuirty on the gpo and deny read access to the admins, this will prevent the policy from applying to them.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Barracuda WAF Training? 2 69
ransomware backup 8 135
IT pictures and movies to alert the staff 11 64
Better malware protection 9 48
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question