Solved

Ok, I just BLEW up my server after trying to set a policy so that reg users cannot logon.

Posted on 2004-08-06
6
139 Views
Last Modified: 2010-04-11
Can anyone tell me how to prevent certain users in a group from logging on but NOT apply that policy to the admins or domain admins?  I thought if you for example open the default domain policy->click "deny logon locally," and add a group like "restricted users" and put all the users desired in that group then the policy will only apply to those users. It seems I like I applied this rule to myself as an admian as well!!  I had to restore to a tape from 2 days ago.  EEk!
0
Comment
Question by:Sp0cky
6 Comments
 
LVL 11

Expert Comment

by:AlexanderR
ID: 11740232
Admin is also a part of the "users" group, like ALL other accounts, thats how it got locked out.  So make sure that you group the users you want to disable to log on, in some other way.  But DON"T remove admin from the users group.
0
 

Author Comment

by:Sp0cky
ID: 11740490
I removed admin from the domain/users group..maybe that's why I got locked out.  Anyone for any more idea of how to configure this?  Thanks.
0
 

Author Comment

by:Sp0cky
ID: 11744304
Ok, I think this is solved.  What you need to do according to the text is Select "Apply Group Policy" check box in the "DENY" column of the particular domain security policy properties->security tab setting.  Anyone for a confirm?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11745702
In my opinion, create a group where you would be able to add or renove users; and name it 'Locked' and than add that group to the 'Log on Locally' policy. This will enable you a much more easier managability...

As for what you just did... looks OK to me...

Cyber
0
 
LVL 1

Expert Comment

by:Serpent77
ID: 11835194
Why not just edit the "Log On Locally" Policy on the server to only include users in the administrators group, and maybe the web server users or other services you have installed on the machine?  

By explicity removing their right to log on, you implicity deny them the right.  Plus you don't blow up that admin acct and have to use the time machine from hell...aka tape.  ;^)

FYI, you can also do that with network access and Terminal service access as well.  It's always safer to exlcude premission than to deny it.  

--Serp
0
 
LVL 7

Accepted Solution

by:
katacombz earned 400 total points
ID: 11845120
I agree with Comment from Sp0cky
Date: 08/07/2004 01:41PM PDT
 

edit the secuirty on the gpo and deny read access to the admins, this will prevent the policy from applying to them.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now