Deny local logon rights to domain user

Posted on 2004-11-01
Last Modified: 2011-10-03
I have 20 computers that are in their own OU on a 2003 Active Directory.

There are a couple of public accounts that I consider to be a security threat due to weak passwords...also my users seem to prefer to use these accounts rather than to bother remembering their own security credentials.

I've tried using the group policy management console to create a policy in that OU that adds those user names to the "Deny Local Logon" entry under Local Security / User Rights assignment.

When I look at the Settings report in GPMC, it tells me there are no defined settings in my GPO, yet when I go to Edit it, the setting is clearly there.  The policy is active, but those user accounts are still able to log on.  I'm very confused.  I've never seen a GPO behave like this before.

I could probably just go to each of these computers and add the setting locally, but that's a pain and if this works I'm going to apply the policy across the entire building and I don't have time to change a setting on a couple hundred computers.
Question by:mslunecka

    Accepted Solution

    I assume you created a GPO on the computer OU you moved all the computer accounts into?  You don't really say where the GPO is.

    When you log in, what does gpresult /v show you, on one of the PCs, as that user?

    If you try to modify a different setting: does it take effect?

    Is there a higher level GPO applied with a no override setting?

    Author Comment

    Sorry, the GPO is linked at the same container the PCs are in.

    When I look at the gpresult it tells me that the policy is not being enforced because of filtering.   I'm not sure why that would be, because Authenticated Users is set to apply the policy.  That works for every other computer config GPO I've ever written.

    As for higher level GPOs, the default domain policy is the only one applied above it and it doesn't list any Deny Logon Locally settings that would override.

    I've added an extra setting, but it still seems as though it isn't taking that option.  I'll go do some gpupdates in a bit and try again.

    Expert Comment

    Ok: go to the group policy tab where you created the OU.  Highlight the GPO and click properties.  Ensure that "disable computer configuration settings" is NOT checked.

    On the security tab, you want the PC accounts to have permission to read and apply the policy.  You can create a group and add the computer accounts into it.  By default computer accounts won't show: when you're in the tab to add them in, click the Object Types button and click "Computers".

    I'd hope that one of these two would help resolve the issue.  Let me know.
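    The checks suggested above (computer configuration not disabled, security filtering granting Read and Apply, and the link itself), as an added PowerShell example that is not from the thread; it assumes the GroupPolicy RSAT module, and the GPO name, OU distinguished name and XML report layout are placeholders/assumptions to adjust for your domain.

```powershell
# Added example (not from the thread): diagnose why a "Deny log on locally" GPO
# reports as "filtered out" in gpresult. Assumes the GroupPolicy module
# (Windows Server 2008 R2+ / RSAT). $GpoName and $OuDn are placeholders.
Import-Module GroupPolicy

$GpoName = 'Deny Local Logon - Shared Accounts'   # placeholder GPO name
$OuDn    = 'OU=Lab PCs,DC=example,DC=com'         # placeholder OU DN

$gpo = Get-GPO -Name $GpoName

# 1. A user-rights assignment lives under Computer Configuration, so the GPO
#    does nothing if computer settings are disabled on it.
if ($gpo.GpoStatus -in 'ComputerSettingsDisabled', 'AllSettingsDisabled') {
    Write-Warning "Computer Configuration is disabled on '$GpoName' ($($gpo.GpoStatus))."
}

# 2. Security filtering: some trustee that covers the computer accounts needs
#    Apply Group Policy (which implies Read). 'Authenticated Users' includes
#    computer accounts; an explicit Deny ACE would override the grant.
$perms = Get-GPPermission -Name $GpoName -All
$apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
$deny  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied }
if (-not $apply) {
    Write-Warning "No trustee has 'Apply Group Policy' on '$GpoName'; it will be filtered out."
}
$apply | ForEach-Object { "Apply granted to: $($_.Trustee.Name) ($($_.Trustee.SidType))" }
$deny  | ForEach-Object { Write-Warning "Apply DENIED to: $($_.Trustee.Name)" }

# 3. The link: present on the OU and enabled; also note if inheritance is blocked.
$inh  = Get-GPInheritance -Target $OuDn
$link = $inh.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link)             { Write-Warning "'$GpoName' is not linked at $OuDn." }
elseif (-not $link.Enabled) { Write-Warning "The link for '$GpoName' at $OuDn is disabled." }
if ($inh.GpoInheritanceBlocked) { "Note: inheritance is blocked at $OuDn." }

# 4. Confirm the right is actually stored in the GPO (the GPMC Settings report in
#    the thread showed nothing). The XML element path below is assumed from the
#    report schema; adjust if your report differs.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$right = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
    Where-Object { $_.Name -eq 'SeDenyInteractiveLogonRight' }
if ($right) { "SeDenyInteractiveLogonRight denies: " + (@($right.Member.Name) -join ', ') }
else        { Write-Warning "SeDenyInteractiveLogonRight is not defined in '$GpoName'." }
```

Run it from a machine with RSAT as a user who can read the GPO; warnings point at the specific cause, and `gpresult /r /scope computer` on an affected PC should then stop listing the GPO as filtered.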

    Expert Comment

    I would just go ahead and open up the users' accounts in AD and go to the account tab and click the log on to... button.  In there, you can deny the user from logging on anywhere without messing around with group policy.


    Author Comment

    anom, I wish that was an option.  Unfortunately that user account is in another administrator's hands.  It gets extremely political around here when trying to interfere with another area's IT.  It is my personal opinion that this person is endangering a shared resource that many people use (our AD) by putting his users' convenience above anything else.

    Author Comment

    Well here was a weird one alright.

    I tried several times deleting the GPO entirely and recreating it to no effect.  Well today when I was working on it I decided to do it from remote desktop while I was at one of the computers I'm trying to restrict access to.  The server I was connected to didn't have the Group Policy Management Console like my office workstation does, it just had the AD Users and Computers editor.  I didn't think much of it since it's a very simple policy, it wouldn't be any harder to write the old fashioned way.

    I clicked Edit on the GPO and got a ton of errors one after the other about [string] is too long and will be truncated, yada yada yada.  Never seen it before.

    So I deleted it again, and created a new object, still using the old fashioned editor.  This one worked on the first try.  So either it was something with my workstation or something with GPMC, but  the policy works pretty sweet now.

    Points to blakogre because gpresult /v was very helpful.
