Solved

Deny local logon rights to domain user

Posted on 2004-11-01
Last Modified: 2011-10-03
I have 20 computers that are in their own OU on a 2003 Active Directory.

There are a couple of public accounts that I consider to be a security threat due to weak passwords...also my users seem to prefer to use these accounts rather than to bother remembering their own security credentials.

I've tried using the group policy management console to create a policy in that OU that adds those user names to the "Deny Local Logon" entry under Local Security / User Rights assignment.

When I look at the Settings report in GPMC, it tells me there are no defined settings in my GPO, yet when I go to Edit it, the setting is clearly there.  The policy is active, but those user accounts are still able to log on.  I'm very confused.  I've never seen a GPO behave like this before.

I could probably just go to each of these computers and add the setting locally, but that's a pain and if this works I'm going to apply the policy across the entire building and I don't have time to change a setting on a couple hundred computers.
Question by:mslunecka
6 Comments
 
LVL 9

Accepted Solution

by:
blakogre earned 750 total points
ID: 12469935
I assume you created a GPO on the computer OU you moved all the computer accounts into?  You don't really say where the GPO is.

When you log in, what does gpresult /v show you, on one of the PCs, as that user?

If you try to modify a different setting: does it take effect?

Is there a higher level GPO applied with a no override setting?
0
 
LVL 6

Author Comment

by:mslunecka
ID: 12473444
Sorry, the GPO is linked at the same container the PCs are in.

When I look at the gpresult it tells me that the policy is not being enforced because of filtering.   I'm not sure why that would be, because Authenticated Users is set to apply the policy.  That works for every other computer config GPO I've ever written.

As for higher level GPOs, the default domain policy is the only one applied above it and it doesn't list any Deny Logon Locally settings that would override.

I've added an extra setting, but it still seems as though it isn't taking that option.  I'll go do some gpupdates in a bit and try again.
0
 
LVL 9

Expert Comment

by:blakogre
ID: 12473575
Ok: go to the group policy tab where you created the OU.  Highlight the GPO and click properties.  Ensure that "disable computer configuration settings" is NOT checked.

On the security tab, you want the PC accounts to have permission to read and apply the policy.  You can create a group and add the computer accounts into it.  By default computer accounts won't show: when you're in the tab to add them in, click the Object Types button and click "Computers".

I'd hope that one of these two would help resolve the issue.  Let me know.
0

 
LVL 3

Expert Comment

by:_anom_
ID: 12478466
I would just go ahead and open up the users' accounts in AD and go to the account tab and click the log on to... button.  In there, you can deny the user from logging on anywhere without messing around with group policy.

Cheers
0
 
LVL 6

Author Comment

by:mslunecka
ID: 12478586
anom, I wish that was an option.  Unfortunately that user account is in another administrator's hands.  It gets extremely political around here when trying to interfere with another area's IT.  It is my personal opinion that this person is endangering a shared resource that many people use (our AD) by putting his users' convenience above anything else.
0
 
LVL 6

Author Comment

by:mslunecka
ID: 12629881
Well here it...it was a weird one alright.

I tried several times deleting the GPO entirely and recreating it to no effect.  Well today when I was working on it I decided to do it from remote desktop while I was at one of the computers I'm trying to restrict access to.  The server I was connected to didn't have the Group Policy Management Console like my office workstation does, it just had the AD Users and Computers editor.  I didn't think much of it since it's a very simple policy, it wouldn't be any harder to write the old fashioned way.

I clicked Edit on the GPO and got a ton of errors one after the other about [string] is too long and will be truncated, yada yada yada.  Never seen it before.

So I deleted it again, and created a new object, still using the old fashioned editor.  This one worked on the first try.  So either it was something with my workstation or something with GPMC, but the policy works pretty sweet now.

Points to blakogre because gpresult /v was very helpful.
0
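
Added example, not part of the original thread: a PowerShell check that a given account SID really holds "Deny log on locally" (`SeDenyInteractiveLogonRight`) in a security template, which is useful when the GPO editor shows the setting but it never takes effect. The function name, the SID and the sample template are constructed for illustration; the same parser can be pointed at a workstation's `secedit /export` output or at the GPO's `GptTmpl.inf` in SYSVOL.

```powershell
# Added example: read one user right out of a security template (INF).
# Get-PrivilegeRight is a hypothetical helper, not a built-in cmdlet.
function Get-PrivilegeRight {
    param(
        [string[]]$Lines,   # template content, one element per line
        [string]$Right      # constant name, e.g. SeDenyInteractiveLogonRight
    )
    $inSection = $false
    foreach ($line in $Lines) {
        $t = "$line".Trim()
        if ($t -match '^\[(.+)\]$') {
            # User rights live only in the [Privilege Rights] section
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and ($t -match '^(\w+)\s*=\s*(.*)$') -and ($Matches[1] -eq $Right)) {
            # Entries are comma separated; SIDs are written with a leading '*'
            return @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right is not defined in this template
}

# Constructed sample in the layout secedit writes (not taken from the thread)
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Constructed SID standing in for one of the public accounts. A real one comes from:
#   ([System.Security.Principal.NTAccount]'DOMAIN\account').Translate(
#       [System.Security.Principal.SecurityIdentifier]).Value
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# On a live workstation (elevated), replace $sample with the effective rights:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $sample = Get-Content "$env:TEMP\rights.inf"
# To see what the GPO itself stores, read instead (placeholders in <>):
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$denied = Get-PrivilegeRight -Lines $sample -Right 'SeDenyInteractiveLogonRight'
if ($denied -contains $sid) { "Deny log on locally is applied to $sid" } else { "Deny log on locally is NOT applied to $sid" }
```

If the GPO's template lacks the entry while the editor displays it, the setting was never written to the GPO; if the template has it but the workstation export does not, the GPO is not being applied to that computer.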


Question has a verified solution.
