Sp0cky

asked on

Ok, I just BLEW up my server after trying to set a policy so that reg users cannot log on.

Can anyone tell me how to prevent certain users in a group from logging on but NOT apply that policy to the admins or domain admins?  I thought if you for example open the default domain policy->click "deny logon locally," and add a group like "restricted users" and put all the users desired in that group then the policy will only apply to those users. It seems like I applied this rule to myself as an admin as well!!  I had to restore to a tape from 2 days ago.  EEk!
AlexanderR

Admin is also a part of the "users" group, like ALL other accounts, that's how it got locked out.  So make sure that you group the users you want to disable to log on, in some other way.  But DON'T remove admin from the users group.
Sp0cky

ASKER

I removed admin from the domain/users group... maybe that's why I got locked out.  Anyone for any more ideas of how to configure this?  Thanks.
Sp0cky

ASKER

Ok, I think this is solved.  What you need to do according to the text is Select "Apply Group Policy" check box in the "DENY" column of the particular domain security policy properties->security tab setting.  Anyone for a confirm?

In my opinion, create a group where you would be able to add or remove users; and name it 'Locked' and then add that group to the 'Log on Locally' policy. This will give you much easier manageability...

As for what you just did... looks OK to me...

Cyber

Why not just edit the "Log On Locally" Policy on the server to only include users in the administrators group, and maybe the web server users or other services you have installed on the machine?

By explicitly removing their right to log on, you implicitly deny them the right.  Plus you don't blow up that admin acct and have to use the time machine from hell...aka tape.  ;^)

FYI, you can also do that with network access and Terminal service access as well.  It's always safer to exclude permission than to deny it.

--Serp
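
A pre-flight check for the lockout described in this thread, as an added example that is not part of any poster's reply: it reads a user-rights export (assumed to come from `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and flags a deny entry that also covers administrators, or an allow list that omits them. The sample INF, the domain SID in it, and the function names are constructed for illustration.

```python
# Added example: lint a secedit user-rights export before the policy is applied.
# The sample INF below is constructed; function names are hypothetical.
import re

# Well-known SIDs whose membership includes administrator accounts.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Domain-relative RIDs: 512 = Domain Admins, 513 = Domain Users.
BROAD_DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def parse_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def lockout_risks(inf_text):
    """List settings that would stop administrators logging on at the console."""
    rights, problems = parse_rights(inf_text), []
    # A deny entry overrides any allow entry for the same account.
    for sid in rights.get("SeDenyInteractiveLogonRight", []):
        m = DOMAIN_SID.match(sid)
        label = BROAD_SIDS.get(sid) or (m and BROAD_DOMAIN_RIDS.get(m.group(1)))
        if label:
            problems.append(f"deny logon locally includes {label}")
    allow = rights.get("SeInteractiveLogonRight")
    if allow is not None and "S-1-5-32-544" not in allow:
        problems.append("allow log on locally omits BUILTIN\\Administrators")
    return problems

SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

if __name__ == "__main__":
    for problem in lockout_risks(SAMPLE_INF):
        print("WARNING:", problem)
```

secedit normally writes the export as UTF-16, so decode the file with that encoding before passing its text to `lockout_risks`.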
ASKER CERTIFIED SOLUTION
katacombz