Solved

Ok, I just BLEW up my server after trying to set a policy so that reg users cannot logon.

Posted on 2004-08-06
6
142 Views
Last Modified: 2010-04-11
Can anyone tell me how to prevent certain users in a group from logging on but NOT apply that policy to the admins or domain admins?  I thought if you for example open the default domain policy->click "deny logon locally," and add a group like "restricted users" and put all the users desired in that group then the policy will only apply to those users. It seems I like I applied this rule to myself as an admian as well!!  I had to restore to a tape from 2 days ago.  EEk!
0
Comment
Question by:Sp0cky
6 Comments
 
LVL 11

Expert Comment

by:AlexanderR
ID: 11740232
Admin is also a part of the "users" group, like ALL other accounts, thats how it got locked out.  So make sure that you group the users you want to disable to log on, in some other way.  But DON"T remove admin from the users group.
0
 

Author Comment

by:Sp0cky
ID: 11740490
I removed admin from the domain/users group..maybe that's why I got locked out.  Anyone for any more idea of how to configure this?  Thanks.
0
 

Author Comment

by:Sp0cky
ID: 11744304
Ok, I think this is solved.  What you need to do according to the text is Select "Apply Group Policy" check box in the "DENY" column of the particular domain security policy properties->security tab setting.  Anyone for a confirm?
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11745702
In my opinion, create a group where you would be able to add or renove users; and name it 'Locked' and than add that group to the 'Log on Locally' policy. This will enable you a much more easier managability...

As for what you just did... looks OK to me...

Cyber
0
 
LVL 1

Expert Comment

by:Serpent77
ID: 11835194
Why not just edit the "Log On Locally" Policy on the server to only include users in the administrators group, and maybe the web server users or other services you have installed on the machine?  

By explicity removing their right to log on, you implicity deny them the right.  Plus you don't blow up that admin acct and have to use the time machine from hell...aka tape.  ;^)

FYI, you can also do that with network access and Terminal service access as well.  It's always safer to exlcude premission than to deny it.  

--Serp
0
 
LVL 7

Accepted Solution

by:
katacombz earned 400 total points
ID: 11845120
I agree with Comment from Sp0cky
Date: 08/07/2004 01:41PM PDT
 

edit the secuirty on the gpo and deny read access to the admins, this will prevent the policy from applying to them.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Using Outlook for iOS securely 2 55
Domain admin accounts get locked out 35 88
Palo Alto Networks - find the sec zone 3 66
ASP server side get value 15 39
OnPage: Incident management and secure messaging on your smartphone
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question