Deny logon from domain users that are not in certain groups
Posted on 2006-05-01
We have a couple of systems that need to be locked so that only members of a certain group (say, Domain Admins) and local admins can log on to these boxes. The problem is that in the Default Domain Policy, Domain Users are included in the group that can log on to any of the workstations in any of the containers.
What I was going to do is create a separate OU for these 2 systems, and create a GP that only allows the Domain/Local admins to log on, and deny EVERYONE else. My question is, if I create this policy, will it override the DDP or will the DDP override this OU GP? If I block inheritance on the OU, will this help block Domain Users from logging onto the system?