• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 200
  • Last Modified:

Active Directory Login

Hi,

Is their any way, by GPO, to deny AD computer login based on AD group membership? E.g. If a user is a member of group 'Test 1', he/she will not be able to login to a PC with the relevant GPO applied...

Michael
0
Barnardos_2LS
Asked:
Barnardos_2LS
  • 2
1 Solution
 
mikeleebrlaCommented:
sure, just deny the logon locally right to members of that group.  Done.

this can be done on the local computer policy of that PC, not neccessarily a GPO.

i'm sure it can be done with a GPO, but the easiest way is the method i mentioned above.

0
 
Barnardos_2LSAuthor Commented:
How do i deny through the local computer policy?
0
 
mikeleebrlaCommented:
start>run>MMC to open up the MMC (microsoft management console)
file>add/remove snapin> choose add, then choose Group Policy
then choose the computer you want to manage (if you aren't physically on it alread)
then browse down to computer configuration>windows settings>security settings>local policies>user rights assignment> and then choose deny logon locally....
then put the group in the deny logon locally section and you are done.

MAKE SURE YOU DONT CHOOSE A GROUP THAT INCLUDES EVERYONE OR ELSE NOBODY WILL BE ABLE TO LOG INTO THAT MACHINE

close the MMC (you dont need to save it) the save option saves the MMC settings for later use, not the changes you just made.





0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now