Solved

Ok, I just BLEW up my server after trying to set a policy so that reg users cannot logon.

Posted on 2004-08-06
6
140 Views
Last Modified: 2010-04-11
Can anyone tell me how to prevent certain users in a group from logging on but NOT apply that policy to the admins or domain admins?  I thought if you for example open the default domain policy->click "deny logon locally," and add a group like "restricted users" and put all the users desired in that group then the policy will only apply to those users. It seems I like I applied this rule to myself as an admian as well!!  I had to restore to a tape from 2 days ago.  EEk!
0
Comment
Question by:Sp0cky
6 Comments
 
LVL 11

Expert Comment

by:AlexanderR
ID: 11740232
Admin is also a part of the "users" group, like ALL other accounts, thats how it got locked out.  So make sure that you group the users you want to disable to log on, in some other way.  But DON"T remove admin from the users group.
0
 

Author Comment

by:Sp0cky
ID: 11740490
I removed admin from the domain/users group..maybe that's why I got locked out.  Anyone for any more idea of how to configure this?  Thanks.
0
 

Author Comment

by:Sp0cky
ID: 11744304
Ok, I think this is solved.  What you need to do according to the text is Select "Apply Group Policy" check box in the "DENY" column of the particular domain security policy properties->security tab setting.  Anyone for a confirm?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11745702
In my opinion, create a group where you would be able to add or renove users; and name it 'Locked' and than add that group to the 'Log on Locally' policy. This will enable you a much more easier managability...

As for what you just did... looks OK to me...

Cyber
0
 
LVL 1

Expert Comment

by:Serpent77
ID: 11835194
Why not just edit the "Log On Locally" Policy on the server to only include users in the administrators group, and maybe the web server users or other services you have installed on the machine?  

By explicity removing their right to log on, you implicity deny them the right.  Plus you don't blow up that admin acct and have to use the time machine from hell...aka tape.  ;^)

FYI, you can also do that with network access and Terminal service access as well.  It's always safer to exlcude premission than to deny it.  

--Serp
0
 
LVL 7

Accepted Solution

by:
katacombz earned 400 total points
ID: 11845120
I agree with Comment from Sp0cky
Date: 08/07/2004 01:41PM PDT
 

edit the secuirty on the gpo and deny read access to the admins, this will prevent the policy from applying to them.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Three simple tips to quickly and efficiently back up and protect the contents of your PC and Mac®.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now