Deny logon from domain users that are not in certain groups

Posted on 2006-05-01
Last Modified: 2013-12-04
We have a couple of systems that need to be locked so that only members of a certain group (say, Domain Admins) and local admins can logon to these boxes. The problem is that in the Default Domain Policy, Domain Users are included in the group that can log on to any of the workstations in any of the containers.

What I was going to do is, create a separate OU for these 2 systems, and create a GP that only allows the Domain/Local admins to logon, and deny EVERYONE else. My question is, if I create this policy, will it override the DDP or will the DDP override this OU GP? If I block inheritance on the OU, will this help block Domain Users from logging onto the system?
Question by:parinpatel
    LVL 82

    Accepted Solution

    Group Policies are applied in the LSDOU order: Local policies first, then Site policies, then Domain policies, finally policies linked to OUs; the last setting wins.
    So if you create a new OU and put these machines in there, all you have to do is adjust the policy for this OU; it will override the default domain policy.
    Do yourself a favor, and don't work with denies. Denies have priority; if you deny Everyone, you'll deny admins as well. Just remove the Users group from the "Allow local logon" security setting, add any other group that needs additional access.

    Expert Comment

    You've got it right except for the Deny part. Just remove the Everyone and Domain Users groups from the Allowed to logon locally setting found in the Group policy object under the following key

    Computer Configuration
      - Windows Settings
        - Security Settings
          - Local Policies
            - User Rights Assignment
              - Allow log on locally

    Either create a new security group with the members you want to be able to log on to these machines or
    use the domain admins or another existing group that has the right members.

    Do not use DENY entries as they will take precedence over all other entries, including Administrator or Domain Admins.
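The two answers above both come down to one check: after the OU-linked GPO has applied, the machine's effective "Allow log on locally" right should list only the intended admin groups, and the "Deny log on locally" right should be empty. The script below is an added example for verifying that on the box itself; it is not code from the thread or from either expert. It assumes an elevated PowerShell session on a domain-joined machine, uses the built-in secedit tool to export the effective user rights, and resolves the SIDs to account names. The list of "broad" principals it warns about is an assumption based on the thread (BUILTIN\Users contains Domain Users on a domain member).

```powershell
# Added example: audit the effective local-logon rights on this machine.
# Run elevated; run "gpupdate /force" first so the OU GPO is in effect.
# SeInteractiveLogonRight     = "Allow log on locally"
# SeDenyInteractiveLogonRight = "Deny log on locally"

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: "SeXxxRight = *S-1-5-32-544,*S-1-5-32-545"
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @(($matches[2] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\Name where possible.
    if ($entry.StartsWith('*S-1-')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $entry }   # unresolvable SID (deleted account, no DC reachable)
    }
    return $entry
}

$allow = @($rights['SeInteractiveLogonRight'])     | ForEach-Object { Resolve-Principal $_ }
$deny  = @($rights['SeDenyInteractiveLogonRight']) | ForEach-Object { Resolve-Principal $_ }

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny  -join ', ')"

# Assumed list of principals that should NOT remain in the Allow list on a locked-down box.
$broad = 'BUILTIN\Users', 'Everyone', '*\Domain Users', 'NT AUTHORITY\Authenticated Users'
foreach ($p in $allow) {
    foreach ($pattern in $broad) {
        if ($p -like $pattern) { Write-Warning "Broad principal still allowed to log on locally: $p" }
    }
}

# Deny always wins over Allow, which is why the experts advise against it:
# a Deny on Everyone / Domain Users / Authenticated Users also covers the admin accounts.
if ($deny.Count -gt 0) {
    Write-Warning "Deny entries present; these override every Allow entry: $($deny -join ', ')"
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

To confirm which GPO supplied the winning setting (the OU-linked policy rather than the Default Domain Policy), `gpresult /scope computer /r` lists the applied computer GPOs in the order they were processed. The same check applies to SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services") if the boxes also accept RDP sessions.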

    LVL 1

    Author Comment

    oBdA, your suggestion worked perfectly. We put it into place last Friday. Created a new OU and linked a new GP to it. Thanks!
