deny logon locally

Hi,
I have an organizational unit where I keep all of our company laptops.
I want to block all domain users from logging on locally to these laptops using Group Policy, but I want to allow Domain Admins and the users who actually use these laptops to log on locally.
I tried to use "Deny logon locally" from Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment, and Restricted Groups to add Domain Admins as local administrators. When I logged on locally with a domain admin account, added a normal user to the local Administrators group and then tried to log on locally with that user, I was unable to connect.
I need some help to deny logon locally for all users except the users I want to be able to log on locally.
Thank you,
0
Asked by BetfairRomania
1 Solution
 
zelron22 commented:
Let me see if I understand you.

You have some users you want to be able to log onto your laptops and have administrator rights on the laptops.

You have other users that you want to prevent from logging onto the laptops at all.

How many users total are we talking about?
0
 
BetfairRomania (Author) commented:
Hi,
Because I have almost 100 users, I tried to deny access to all Domain Users and to add as local admins only those users who are using the laptops, but it is not working this way.
Thank you.
0
 
zelron22 commented:
0
 
BetfairRomania (Author) commented:
Hi,
Thank you for your answer, but this is not the solution I am looking for.
I do not want to use any script; I just want to use GPO only.
My problem is that if I deny logon locally for all Domain Users and add some users as local Administrators (Restricted Groups) on my laptops, I am not able to log in with those users on my laptop, because they are all Domain Users and I have denied all Domain Users the right to log on locally.
Why? Because only 5 people out of 100 need to use these laptops, and I am trying to allow only those 5 people to log on and use the laptops and deny the rest.
Thank you.
0
 
BetfairRomania (Author) commented:
Hi,
any suggestion regarding this issue?
Thank you.
0
 
 
Americom commented:
By default, all domain users are able to log on locally to member workstations/laptops, except on a domain controller. Since this is by design, it would be high maintenance to do what you want.
Again, this is high maintenance if users change computers frequently due to upgrades, part failures, etc.
Since every user is by default a member of Domain Users, denying this group would deny all users, including admins.
What you can try is to leave "Deny log on locally" at its default and adjust "Allow log on locally" to remove the "Users" group and add the groups (the users you want to log on locally). If you see the "Guest" group, remove it as well. What you have left would be Administrators, Power Users, and Backup Operators. "Users" is the one that includes all "Domain Users" and allows all users to log on locally by default; removing it lets you control who should log on locally.
0
 
zelron22 commented:
Create a group called Laptop Users. Add the users you wish to be able to log onto the laptops to this group.

Create a group policy called Deny Laptop Logon. In the policy, under Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment, modify Deny log on locally and add the Domain Users group. Link the policy to the OU with the laptop computer accounts.

In the Group Policy editor, in the left pane, right-click the policy name and choose Properties. Click the Security tab. Add the Laptop Users group. Select the group in the list and, next to Apply Group Policy, check DENY. Do the same for Domain Admins and any other group you want to allow to log on.

Click OK and close the policy (you can disable the user configuration if you so desire).

Make sure that "Authenticated Users" is listed under security filtering.

Depending on your organization's topology, you may need to wait a few minutes for this to replicate. Reboot a laptop and/or run gpupdate /force on it. At that point, only members of the Laptop Users group, the Domain Admins group, and any other groups for which you checked DENY on Apply Group Policy should be able to log onto the laptops. Other users should not be able to.

Then you just need to change the membership of the Laptop Users group when you want to allow or deny people the ability to use the laptops.
0
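The two approaches in this thread differ in which user-rights list they edit, and the asker's symptom comes from how Windows combines the two lists: an account may log on interactively only if it (or one of its groups) appears in "Allow log on locally" (SeInteractiveLogonRight) and none of its groups appears in "Deny log on locally" (SeDenyInteractiveLogonRight); a deny match always wins, so adding a denied Domain User to the local Administrators group does not help. The following PowerShell is an added example, not code from the thread or from any of the posters. It parses the [Privilege Rights] section of a secedit export / GptTmpl.inf (the file format behind User Rights Assignment), evaluates a given set of group memberships against both approaches, and can be pointed at a real laptop. The domain name CORP, the group Laptop Users and the sample accounts are constructed for the demonstration.

```powershell
# Added example (not from the original thread): evaluate effective "log on locally"
# rights the way the laptop does, for both approaches discussed above.
# Sample policy data and account names below are constructed.

# Parse the [Privilege Rights] section of a secedit export or GptTmpl.inf into
# a hashtable: right name -> array of principals (names, or raw SIDs if unresolvable).
function ConvertFrom-PrivilegeRights {
    param([Parameter(Mandatory)][string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name  = $Matches[1]
        $value = $Matches[2]
        # Entries are comma-separated; a leading '*' marks a raw SID instead of a name.
        $principals = foreach ($p in ($value -split ',')) {
            $p = $p.Trim()
            if ($p -eq '') { continue }
            if ($p.StartsWith('*')) {
                try   { (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $p.Substring(1) }   # offline or unknown SID: keep the raw SID string
            } else { $p }
        }
        $rights[$name] = @($principals | Where-Object { $_ })
    }
    return $rights
}

# Decide whether an account with the given memberships may log on interactively.
# $Memberships is the account itself plus every group in its token (local and domain).
function Test-InteractiveLogon {
    param(
        [Parameter(Mandatory)][hashtable]$Rights,
        [Parameter(Mandatory)][string[]]$Memberships
    )
    $allow = @($Rights['SeInteractiveLogonRight'])
    $deny  = @($Rights['SeDenyInteractiveLogonRight'])
    $allowed = @($Memberships | Where-Object { $allow -contains $_ }).Count -gt 0
    $denied  = @($Memberships | Where-Object { $deny  -contains $_ }).Count -gt 0
    # Deny wins over allow, which is the behaviour behind the question's symptom.
    [pscustomobject]@{ Allowed = $allowed; Denied = $denied; CanLogon = ($allowed -and -not $denied) }
}

# Approach 1 (constructed): default Allow list, Domain Users added to Deny log on locally.
$denyApproach = ConvertFrom-PrivilegeRights @(
    '[Privilege Rights]',
    'SeInteractiveLogonRight = BUILTIN\Administrators,BUILTIN\Users,BUILTIN\Backup Operators',
    'SeDenyInteractiveLogonRight = CORP\Domain Users'
)
# Approach 2 (constructed): Deny list left empty, Users removed from Allow, Laptop Users added.
$allowApproach = ConvertFrom-PrivilegeRights @(
    '[Privilege Rights]',
    'SeInteractiveLogonRight = BUILTIN\Administrators,BUILTIN\Backup Operators,CORP\Laptop Users',
    'SeDenyInteractiveLogonRight = '
)

# alice: one of the five laptop users, also added to the local Administrators group.
# Domain Users is a member of the local Users group by default, hence BUILTIN\Users.
$alice = 'CORP\alice', 'CORP\Domain Users', 'CORP\Laptop Users', 'BUILTIN\Administrators', 'BUILTIN\Users'
# bob: an ordinary domain user who should not be able to use the laptops.
$bob   = 'CORP\bob', 'CORP\Domain Users', 'BUILTIN\Users'

foreach ($case in @(
    @{ Who = 'alice'; Policy = 'deny Domain Users';    Rights = $denyApproach;  Groups = $alice },
    @{ Who = 'bob';   Policy = 'deny Domain Users';    Rights = $denyApproach;  Groups = $bob   },
    @{ Who = 'alice'; Policy = 'trim Allow log on';    Rights = $allowApproach; Groups = $alice },
    @{ Who = 'bob';   Policy = 'trim Allow log on';    Rights = $allowApproach; Groups = $bob   }
)) {
    $r = Test-InteractiveLogon -Rights $case.Rights -Memberships $case.Groups
    '{0,-6} {1,-20} allowed={2,-5} denied={3,-5} canLogon={4}' -f $case.Who, $case.Policy, $r.Allowed, $r.Denied, $r.CanLogon
}
```

With the constructed data, alice is denied under the first approach even though BUILTIN\Administrators appears in the Allow list, and permitted under the second; bob is denied under both. To check a real laptop instead of the sample, run from an elevated prompt `secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS`, feed `Get-Content "$env:TEMP\rights.inf"` to ConvertFrom-PrivilegeRights, and build the membership list for the logged-on account from `whoami` and the "Group Name" column of `whoami /groups /fo csv | ConvertFrom-Csv`. Checking the effective rights on the laptop itself matters because security filtering on a GPO is evaluated against whichever account processes that side of the policy: Computer Configuration settings such as user rights are applied or skipped according to the laptop's computer account, so confirm the resulting lists on the machine rather than inferring them from the group filter alone.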
 
zelron22 commented:
Oh yeah, one final comment: when you say "log on locally", I'm assuming that you are talking about them logging onto the machine using domain-based credentials.
0
