

Deny logon from domain users that are not in certain groups

Posted on 2006-05-01
Medium Priority
Last Modified: 2013-12-04
We have a couple of systems that need to be locked so that only members of a certain group (say, Domain Admins) and local admins can logon to these boxes. The problem is that in the Default Domain Policy, Domain Users are included in the group that can log on to any of the workstations in any of the containers.

What I was going to do is, create a separate OU for these 2 systems, and create a GP that only allows the Domain/Local admins to logon, and deny EVERYONE else. My question is, if I create this policy, will it override the DDP or will the DDP override this OU GP? If I block inheritance on the OU, will this help block Domain Users from logging onto the system?
Question by:parinpatel
LVL 86

Accepted Solution

oBdA earned 2000 total points
ID: 16580238
Group Policies are applied in the LSDOU order: Local policies first, then Site policies, then Domain policies, finally policies linked to OUs; the last setting wins.
So if you create a new OU and put these machines in there, all you have to do is adjust the policy for this OU; it will override the default domain policy.
Do yourself a favor, and don't work with denies. Denies have priority; if you deny Everyone, you'll deny admins as well. Just remove the Users group from the "Allow local logon" security setting, add any other group that needs additional access.

Expert Comment

ID: 16633730
You've got it right except for the Deny part. Just remove the Everyone and Domain Users groups from the Allowed to logon locally setting found in the Group policy object under the following key

Computer Configuration
  - Windows Settings
    - Local Policies
      - User Rights Assignment
        - Log on Locally

Either create a new security group with the members you want to be able to log on to these machines or
use the domain admins or another existing group that has the right members.

Do not use DENY entries as they will take precedence over all other entries, including administrator or domain admin.
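As an added example that is not part of this thread, the PowerShell below audits the effective "Allow log on locally" and "Deny log on locally" rights on a machine after the OU policy has applied, and flags the two problems both answers describe: broad groups (Everyone, Users, Domain Users) still in the Allow list, and any Deny entry that would lock out the admins as well. It assumes an elevated prompt on a domain-joined Windows host; secedit's privilege names and the well-known SIDs are standard, the temp file name is my choice.

```powershell
# Added audit example, not from the thread: show who holds the interactive logon rights
# on this machine and flag the entries the answers warn about. Run from an elevated prompt.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Well-known SIDs are fixed; Domain Users/Domain Admins are matched by RID (-513/-512)
# because the domain part of their SID differs per domain.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$adminRids = @('-512', '-544')                           # Domain Admins, BUILTIN\Administrators

function Get-Right([string]$privilege) {
    # secedit writes e.g. "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545"
    $line = Get-Content $cfg | Where-Object { $_ -match "^$privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Resolve-Name([string]$sid) {
    try { (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
    catch { $sid }   # unresolvable SID or a plain account name: show it as-is
}

$allow = Get-Right 'SeInteractiveLogonRight'
$deny  = Get-Right 'SeDenyInteractiveLogonRight'

Write-Host 'Allow log on locally:'
foreach ($sid in $allow) {
    $flag = if ($broadSids -contains $sid -or $sid -like '*-513') { '  <-- broad group, remove it' } else { '' }
    Write-Host ('  {0}{1}' -f (Resolve-Name $sid), $flag)
}

Write-Host 'Deny log on locally:'
if (-not $deny) { Write-Host '  (none - good)' }
foreach ($sid in $deny) {
    # Deny wins over Allow, so Everyone or an admin group here locks the admins out too
    $hitsAdmin = $adminRids | Where-Object { $sid -like "*$_" }
    $flag = if ($sid -eq 'S-1-1-0' -or $hitsAdmin) { '  <-- WARNING: also denies admins' } else { '' }
    Write-Host ('  {0}{1}' -f (Resolve-Name $sid), $flag)
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it on one of the two locked-down boxes before and after the OU GPO applies (gpupdate /force) to confirm Users and Domain Users are gone from the Allow list and the Deny list is empty.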


Author Comment

ID: 16633919
oBdA, your suggestion worked perfectly. We put it into place last Friday. Created a new OU and linked a new GP to it. Thanks!
