Solved

Deny Logon Locally to users in OU, not group

Posted on 2006-11-24
2,148 Views
Last Modified: 2008-01-09
I have an OU created and want to be able to move users into that OU, at which point certain restrictions will apply to them, such as not being able to log on locally. I have created a GPO and linked it to this OU, but it will not allow me to deny logon locally to Everyone (which presumably would only be everyone in that OU). How can I achieve this without having to create a group and put the users in it, which defeats the point of the OU?
Question by:jbreg
15 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18007666
I was thinking here you could use restricted groups.  Use the OU to populate a local group using the restricted groups feature in AD. Then add that group to the deny logon locally user right.  Basically as follows:

Windows settings \ security settings \ restricted groups
Add a new group called "Deny Logon"
etc.

But then reality kicked in and I realised that was fruitless.  I can't think of any way of doing it without a group.  Once you've got that assigning the user right is easy of course as you know.

A Deny logon locally to everyone would add it for ANYONE - for starters the settings apply to the Computers, not users.

Problem is of course OUs aren't security principals, something that was SO useful in Novell NDS...

Steve
 

Author Comment

by:jbreg
ID: 18007850
Can you have a group in AD that is populated only with objects in an OU?
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18007915
Not automatically that I know of.  You could write a periodic script which you schedule or trigger manually, using dsquery to pick up the members of an OU and populate a group with them, something like (syntax not checked):

rem the group DN is a placeholder; -scope onelevel takes direct children of the OU only (omit it to include sub-OUs)
dsquery user ou=whatever,dc=domain,dc=internal -scope onelevel | dsmod group "cn=Deny Logon,ou=Groups,dc=domain,dc=internal" -addmbr -c

Steve
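Steve's dsquery/dsmod idea, written out as an added example in PowerShell (this is not code from the thread or from any of its participants). It reconciles a security group with the users placed directly in an OU in both directions, so a user moved back out of the OU also drops out of the group and loses the restriction. The OU and group names are assumptions, the ActiveDirectory module (RSAT) is required, and it is meant to run from a scheduled task; -WhatIf lists the changes without making them.

```powershell
<#
Added example, not from the original thread: keep a security group in
step with the users that currently sit directly in an OU. The OU DN and
group name below are assumptions.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OU    = 'OU=Terminated,DC=domain,DC=internal',   # assumed
    [string]$Group = 'Deny Logon'                              # assumed
)
Import-Module ActiveDirectory

# Users directly under the OU. OneLevel keeps child OUs out; use Subtree
# if nested OUs are meant to inherit the restriction as well.
$inOU = Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
        Select-Object -ExpandProperty DistinguishedName

# Current user members of the group (nested groups are left alone).
$members = Get-ADGroupMember -Identity $Group |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty DistinguishedName

$toAdd    = $inOU    | Where-Object { $_ -notin $members }
$toRemove = $members | Where-Object { $_ -notin $inOU }

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $Group")) {
        Add-ADGroupMember -Identity $Group -Members $dn
    }
}
foreach ($dn in $toRemove) {
    if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
        Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
    }
}

Write-Verbose ("Added {0}, removed {1}" -f @($toAdd).Count, @($toRemove).Count)
```

The script only handles the membership half; the "Deny log on locally" right itself still has to come from a GPO that names the group. A change in membership reaches a user's access token only at the next logon, so anyone already signed in keeps working until they log off.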
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 1000 total points
ID: 18009374
The way to do this is to create a SECURITY GROUP and create a GPO which denies local logon for that group.   The setting is under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Link the GPO to your entire domain.

Then, you can add any users you like as MEMBERS of that Security Group.

Jeff
TechSoEasy
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18009443
Yes but the problem here is he wanted it to happen just based on OU membership, ... which can't happen IMHO.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18009444
Sure it can, you can make an entire OU a member of that Security Group.

Jeff
TechSoEasy
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18009462
Manually with the right click option in ADUC... but automatically?  Please let me know if so, will come in handy!

Steve
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18009476
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18009484
This may be an easier method though:  http://www.enterpriseitplanet.com/security/features/article.php/1497881

Jeff
TechSoEasy
 

Author Comment

by:jbreg
ID: 18011290
How do I make an entire OU part of a security group? I have tried via ADUC but can't seem to do this, and it does not appear to be answered in the links.
 
LVL 51

Expert Comment

by:Netman66
ID: 18011452
The Deny Logon Locally is a COMPUTER setting.  In order for a GPO linked to an OU to affect anything at all the COMPUTER must be in the OU.

If you set it at the Domain level then you can use TSE's method adding users to this new Security Group - keep in mind, the GPO will put that restriction on ALL workstations since it's linked at the domain.

Dropping people into an OU and expecting them to be added to a Security Group is only something that can occur if you link another GPO to the OU running a logon script that adds the user to this Security Group.  Also keep in mind that the first time they log in they'll be added, but the group membership isn't in the user's token until they log off and back on again.

What exactly are you attempting to do?

I think the only thing is to manually add the users to the Security Group - but it all depends on what you are trying to accomplish in the end.

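Netman66's point is that "Deny log on locally" is evaluated on the computer, so the place to confirm the result is a workstation, not the user object in ADUC. The following is an added example (not code from the thread): it exports the machine's effective user-rights policy with secedit, pulls out the deny-interactive-logon entry and resolves the SIDs in it to account names. It assumes an elevated PowerShell session on the workstation being checked.

```powershell
<#
Added example, not from the original thread: list who is denied local
logon on this machine according to the effective security policy.
Needs an elevated session (secedit requires it).
#>
$inf = Join-Path $env:TEMP 'secpol.inf'

# Export only the User Rights Assignment area of the effective policy.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
if (-not $line) {
    Remove-Item $inf -Force
    'Nobody is denied local logon on this machine.'
    return
}

# Format is "SeDenyInteractiveLogonRight = *S-1-5-...,*S-1-5-..." ;
# entries starting with '*' are SIDs, anything else is already a name.
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved SID, possibly a deleted group>'
        }
        '{0,-50} {1}' -f $e, $name
    } else {
        $e
    }
}
Remove-Item $inf -Force
```

If the group named in the GPO does not show up, run gpresult /r /scope computer on the same machine to see whether the GPO linked at the domain (or OU containing the computer) was applied at all; a GPO linked to an OU that holds only user objects will never appear there, which is exactly the failure the thread is about.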
 

Author Comment

by:jbreg
ID: 18011471
Thanks Netman. I am trying to create an OU for terminated employees, so that when I am notified I put the user into this OU and it applies drastic restrictions. I don't want to disable the account because often the manager needs to review their inbox before the account is deleted. I would like to do something similar for accounts created for new users who have not yet started.
 
LVL 51

Accepted Solution

by:
Netman66 earned 1000 total points
ID: 18011501
You can create the OU, sure - it'll organize things better.  You'll still have to add them to a group to enforce restrictions like you want to.

If the account must stay enabled, then move it and change the password then give that password to the manager.  The employee then has no knowledge of the new password and thus no access.

You can remove the account from all groups except Domain Users.

On occasion, how we handle this is to move the user account, change the password and log in with the account, move mail to a PST and burn it to CD/DVD, disable the account and give the CD/DVD to the manager.  This isn't always the norm - most of the time we disable the account, move it and delete it after a set retention period.  

You HAVE to consider any laws in your country/state/province about Privacy - the ex-employee still has rights and doing what you're asking about may not always be legal.  Check it out so you won't be in for any surprises with a lawsuit.

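The leaver handling Netman66 describes, scripted as an added example (not code from the thread): move the account into the OU, reset it to a password the ex-employee has never seen, strip every group membership except Domain Users, and put the user into the security group that the domain-linked "Deny log on locally" GPO targets. The OU, group and log path are assumptions, and the ActiveDirectory module is required. The PST export and the legal check Netman66 raises are deliberately not part of it.

```powershell
<#
Added example, not from the original thread: offboard one account the way
the accepted answer describes. OU, group and path names are assumptions.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$TerminatedOU = 'OU=Terminated,DC=domain,DC=internal',   # assumed
    [string]$DenyGroup    = 'Deny Logon',                             # assumed
    [string]$LogDir       = 'C:\Offboarding'                          # assumed
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# 1. Record the memberships before removing them: needed if the termination
#    is reversed, and it documents exactly what access was withdrawn.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
@($user.MemberOf) | Set-Content -Path (Join-Path $LogDir "$SamAccountName-$stamp-groups.txt")

# 2. Remove every listed group. MemberOf never includes the primary group,
#    so Domain Users (the default primary group) stays, as the answer suggests.
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# 3. Reset to a random password. It goes to the manager out of band and is
#    intentionally not written to the log file.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Set-ADAccountPassword -Identity $user -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# 4. Deny interactive logon through the group the GPO names, then move the
#    object into the OU so it is visibly a leaver account.
Add-ADGroupMember -Identity $DenyGroup -Members $user
Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOU

[pscustomobject]@{
    User            = $SamAccountName
    MovedTo         = $TerminatedOU
    GroupsRemoved   = @($user.MemberOf).Count
    ManagerPassword = $newPassword      # hand over out of band, do not store
}
```

The password reset is what actually cuts the ex-employee off; the deny right and the group removal only take effect for sessions established after the change, so an existing logon on a workstation keeps its old token until the user is logged off.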
 

Author Comment

by:jbreg
ID: 18011561
Sounds good, I will use the group option.
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18013869
Sorry I wasn't around to continue follow up on this one... was quite aware of how to do it with a group but you were asking for a way without one.... to which the answer was no. Never mind, you've got your answers now!

Steve

Question has a verified solution.