parinpatel
asked on
Deny logon from domain users that are not in certain groups
We have a couple of systems that need to be locked down so that only members of a certain group (say, Domain Admins) and local admins can log on to these boxes. The problem is that in the Default Domain Policy, Domain Users are included in the group that can log on to any of the workstations in any of the containers.
What I was going to do is create a separate OU for these 2 systems and create a GP that only allows the Domain/Local admins to log on, and denies EVERYONE else. My question is, if I create this policy, will it override the DDP, or will the DDP override this OU GP? If I block inheritance on the OU, will this help block Domain Users from logging onto the system?
ASKER
oBdA, your suggestion worked perfectly. We put it into place last Friday. Created a new OU and linked a new GP to it. Thanks!
Computer Configuration
 - Windows Settings
   - Local Policies
     - User Rights Assignment
       - Log on Locally

Either create a new security group with the members you want to be able to log on to these machines, or use Domain Admins or another existing group that has the right members.

Do NOT use DENY entries, as they take precedence over all other entries, including Administrator or Domain Admins.
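The procedure above (dedicated OU, security group, OU-linked GPO carrying the "Allow log on locally" list, no DENY entries), scripted end to end, plus a check on the target that the effective right is what you intended. This is an added example and not code from the thread; the domain contoso.com, the OU, group and GPO names, and the computer names SRV01/SRV02 are all hypothetical. The User Rights Assignment list itself has no GroupPolicy cmdlet, so that one step is done in GPMC; the verification parses a secedit export, which is where the precedence question gets answered in practice: the OU-linked GPO is processed after the Default Domain Policy, and user-rights lists are replaced rather than merged, so blocking inheritance is not needed.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory and
# GroupPolicy modules on a management host, an elevated session, and WinRM to
# the target machines. All names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = 'DC=contoso,DC=com'
$ouName    = 'Restricted Logon'
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'Restricted-Logon-Admins'
$gpoName   = 'Restrict Interactive Logon'
$computers = 'SRV01', 'SRV02'

# 1. Dedicated OU for the locked-down machines. Inheritance stays enabled: the
#    OU-linked GPO is applied after the Default Domain Policy, and a user-rights
#    list is replaced, not merged, so the OU list wins for this setting.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
foreach ($c in $computers) {
    Get-ADComputer -Identity $c | Move-ADObject -TargetPath $ouDN
}

# 2. Security group for the people allowed to log on (Domain Admins nested in).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path $domainDN
}
Add-ADGroupMember -Identity $groupName -Members 'Domain Admins'

# 3. GPO linked to the OU. Set the right in GPMC (no cmdlet exists for it):
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment > "Allow log on locally" =
#    Administrators, Restricted-Logon-Admins. Leave "Deny log on locally" empty.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDN -LinkEnabled Yes
}

# 4. Verify the effective right on a target after "gpupdate /force" there.
#    secedit writes principals as SIDs prefixed with "*"; Domain Users is
#    S-1-5-21-<domain>-513 and normally reaches the right through the local
#    Users group S-1-5-32-545, so both are treated as "domain users allowed".
function Test-InteractiveLogonRight {
    param([Parameter(Mandatory)][string]$Computer)
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'secpol.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -Path $cfg
        Remove-Item -Path $cfg -Force

        $allowLine = ($lines | Where-Object { $_ -match '^SeInteractiveLogonRight' }) -replace '^.*=\s*', ''
        $denyLine  = ($lines | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }) -replace '^.*=\s*', ''
        $allowSids = @($allowLine -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        $denySids  = @($denyLine  -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })

        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            AllowLogOnLocally     = $allowSids
            DenyLogOnLocally      = $denySids
            AdministratorsAllowed = $allowSids -contains 'S-1-5-32-544'
            DomainUsersAllowed    = [bool]($allowSids | Where-Object { $_ -like 'S-1-5-21-*-513' -or $_ -eq 'S-1-5-32-545' })
            DenyEntriesPresent    = $denySids.Count -gt 0
        }
    }
}

foreach ($c in $computers) { Test-InteractiveLogonRight -Computer $c | Format-List }
```

A correct result shows AdministratorsAllowed True, DomainUsersAllowed False and DenyEntriesPresent False. If AdministratorsAllowed is False the GPO list was typed without the local Administrators group, which is the other common way to lock yourself out of the box.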