Deny local logon rights to domain user
Posted on 2004-11-01
I have 20 computers that are in their own OU on a 2003 Active Directory.
There are a couple of public accounts that I consider to be a security threat due to weak passwords...also my users seem to prefer to use these accounts rather than to bother remembering their own security credentials.
I've tried using the group policy management console to create a policy in that OU that adds those user names to the "Deny Local Logon" entry under Local Security / User Rights assignment.
When I look at the Settings report in GPMC, it tells me there are no defined settings in my GPO, yet when I go to Edit it, the setting is clearly there. The policy is active, but those user accounts are still able to log on. I'm very confused. I've never seen a GPO behave like this before.
I could probably just go to each of these computers and add the setting locally, but that's a pain and if this works I'm going to apply the policy across the entire building and I don't have time to change a setting on a couple hundred computers.