Deny local logon rights to domain user

I have 20 computers that are in their own OU on a 2003 Active Directory.

There are a couple of public accounts that I consider to be a security threat due to weak passwords...also my users seem to prefer to use these accounts rather than to bother remembering their own security credentials.

I've tried using the group policy management console to create a policy in that OU that adds those user names to the "Deny Local Logon" entry under Local Security / User Rights assignment.

When I look at the Settings report in GPMC, it tells me there are no defined settings in my GPO, yet when I go to Edit it, the setting is clearly there.  The policy is active, but those user accounts are still able to log on.  I'm very confused.  I've never seen a GPO behave like this before.

I could probably just go to each of these computers and add the setting locally, but that's a pain and if this works I'm going to apply the policy across the entire building and I don't have time to change a setting on a couple hundred computers.
I assume you created a GPO on the computer OU you moved all the computer accounts into?  You don't really say where the GPO is.

When you log in, what does gpresult /v show you, on one of the PCs, as that user?

If you try to modify a different setting: does it take effect?

Is there a higher level GPO applied with a no override setting?
msluneckaAuthor Commented:
Sorry, the GPO is linked at the same container the PCs are in.

When I look at the gpresult it tells me that the policy is not being enforced because of filtering. I'm not sure why that would be, because Authenticated Users is set to apply the policy.  That works for every other computer config GPO I've ever written.

As for higher level GPOs, the default domain policy is the only one applied above it and it doesn't list any Deny Logon Locally settings that would override.

I've added an extra setting, but it still seems as though it isn't taking that option.  I'll go do some gpupdates in a bit and try again.
OK: go to the group policy tab where you created the OU.  Highlight the GPO and click Properties.  Ensure that "Disable Computer Configuration settings" is NOT checked.

On the Security tab, you want the PC accounts to have permission to read and apply the policy.  You can create a group and add the computer accounts into it.  By default computer accounts won't show: when you're in the tab to add them in, click the Object Types button and click "Computers".

I'd hope that one of these two would help resolve the issue.  Let me know.
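As an added example (not from the original thread), one way to confirm on one of the workstations whether the "Deny log on locally" right the GPO sets actually arrived: export the effective user-rights assignment with secedit and resolve the SIDs listed under SeDenyInteractiveLogonRight. Run it from an elevated prompt on the PC; the temp file path is an assumption.

```powershell
# Added example, not code from the original thread: report who currently holds
# the "Deny log on locally" right (SeDenyInteractiveLogonRight) on this computer.
$exportPath = Join-Path $env:TEMP 'secpol_export.inf'   # assumed scratch location
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# secedit writes a Unicode INF; under [Privilege Rights] each line reads
# "SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546,SomeName"
$line = Get-Content $exportPath -Encoding Unicode |
        Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
Remove-Item $exportPath

if (-not $line) {
    Write-Output 'SeDenyInteractiveLogonRight is not defined on this computer (policy did not apply here).'
    return
}

# Entries prefixed with * are SIDs; translate them to DOMAIN\account for readability
$entries = ($line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ }
if (-not $entries) {
    Write-Output 'SeDenyInteractiveLogonRight is defined but empty.'
    return
}
foreach ($entry in $entries) {
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved SID $($entry.TrimStart('*'))>" }
    } else {
        $name = $entry
    }
    Write-Output "Denied local logon: $name"
}
```

If the accounts from the GPO are missing here while gpresult /v reports the GPO as filtered, the problem is scope (security filtering or a disabled Computer Configuration section), not the setting itself.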

I would just go ahead and open up the users' accounts in AD and go to the account tab and click the log on to... button.  In there, you can deny the user from logging on anywhere without messing around with group policy.

msluneckaAuthor Commented:
anom, I wish that was an option.  Unfortunately that user account is in another administrators hands.  It gets extremely political around here when trying to interfere with another area's IT.  It is my personal opinion that this person is endangering a shared resource that many people use (our AD) by putting his users' convenience above anything else.
msluneckaAuthor Commented:
Well here was a weird one alright.

I tried several times deleting the GPO entirely and recreating it to no effect.  Well today when I was working on it I decided to do it from remote desktop while I was at one of the computers I'm trying to restrict access to.  The server I was connected to didn't have the Group Policy Management Console like my office workstation does, it just had the AD Users and Computers editor.  I didn't think much of it since it's a very simple policy; it wouldn't be any harder to write the old fashioned way.

I clicked Edit on the GPO and got a ton of errors one after the other about [string] is too long and will be truncated, yada yada yada.  Never seen it before.

So I deleted it again, and created a new object, still using the old fashioned editor.  This one worked on the first try.  So either it was something with my workstation or something with GPMC, but the policy works pretty sweet now.

Points to blakogre because gpresult /v was very helpful.