Solved

Creating a user with no login rights

Posted on 2011-03-21
Last Modified: 2012-05-11
Trying to create a GPO to stop certain users in a group from having access to log in to the domain.

Domain is mixed 2008/2003 at a 2003 domain level.

This is what I have done so far, but it's not working.

1) Created a new OU to which I have added the GPO.

2) Added a new group that I have put the external users into, adding that group to the GPO Security Filtering in the GPO Management Console.

3) Then in the editor, added the same group to Deny Log On Locally and Deny Log On Through Remote Access: Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment
 

Thanks
Question by:liminal
10 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35186850
Where have you applied part 3? This needs to be in a policy that is applied to the RDP server not the user.
 
LVL 13

Expert Comment

by:rhinoceros
ID: 35186922
You may try to enable the following GPO in "Computers" OU

-"Deny Access to this computer from the network"
http://technet.microsoft.com/en-us/library/ff646935(WS.10).aspx

- GPO - Deny Logon Locally to everyone in OU  "Deny log on locally"
http://www.petri.co.il/forums/showthread.php?t=10183
 

Author Comment

by:liminal
ID: 35186954
@demazter: Yeah, I am trying to mash a few different things I have read together. So what you're saying is that I would need to move all domain machines into that OU to stop these users logging on to the domain? It will only apply to the computers, not the users logging on to those machines (which is kind of how it was put to me).


Basically I have a SharePoint site that I want users to have access to (without having to set up FBA), so they have a limited domain account that gives them access to that site without giving them any access to log in to a machine if they came into the office.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35186996
That is correct, the computer section of a group policy is applied to computers and therefore must be applied to an OU that contains computers.
 
LVL 13

Expert Comment

by:rhinoceros
ID: 35187113
Go to the root OU (e.g. the domain.com OU) --> Edit "Default Domain Policy" to enable "Deny logon locally", so it will apply to all child OUs.

 
LVL 74

Expert Comment

by:Glen Knight
ID: 35187123
>>>>Go to root OU (e.g. domain.com OU) --> Edit "Default Domain Policy" to enable "Deny logon locally",  so it will apply all Child OU.


DO NOT DO THIS!

This will prevent logon for that group on ALL computers in your network. You should always create a new group policy; don't edit the Default Domain Policy. And never apply it to the root domain, only apply it to an OU!
 
LVL 13

Expert Comment

by:rhinoceros
ID: 35187142
But the question is that... ???
"Trying to create a GPO to stop certain users in a group having access to login to the domain."

Not for ALL computers in the network (domain), as he needs?

 
LVL 74

Expert Comment

by:Glen Knight
ID: 35187151
Yes, but still, making these changes at root level is dangerous and should be avoided.
 

Author Comment

by:liminal
ID: 35188223
OK, clearly the computer part of a GPO covers machines on the network and the user part covers users... but I read in a few places that this was the way, the only way, to do it.

So there must be another way... does anyone know?

And I agree with demazter, changing anything at the root can be trouble, but thanks anyway :)
 
LVL 3

Accepted Solution

by: Anurag_Tiwari (earned 2000 total points)
ID: 35199420
Liminal, you can follow the steps given below:
1) Create another security group and add to it all the machines on which you want to deny login to those users.
2) Add this security group to the security filtering of the same GPO in which you added the users' security group.
3) Link this GPO to the domain so that it will be applied to all users and computers that are part of your security groups.

Note: This group policy won't be applied to any OU on which inheritance is blocked. You can override blocked inheritance by enabling Enforce on the same GPO if required.

Hope it will resolve your problem.
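The accepted steps as a scripted version, added here as an example and not the answer's own code. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the domain DN, OU path, group names and computer naming pattern are placeholders to replace. The deny rights themselves are still set in the editor, as in the question, and the script only shows what that writes and how to verify it on a member machine.

```powershell
# Added example (not from the thread): groups, GPO, security filtering and domain link.
# Every name below is an assumption for illustration; adjust to your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = "DC=corp,DC=example"                # assumed domain DN
$GroupOU   = "OU=Groups,$DomainDN"               # assumed OU that holds the groups
$UserGroup = "SPS-ExternalUsers"                 # users who may only use the SharePoint site
$PCGroup   = "GPO-DenyInteractive-Computers"     # machines the deny rights should apply to
$GpoName   = "Deny Interactive Logon - External Users"

# 1) Security group for the computers; members are computer accounts, not users.
New-ADGroup -Name $PCGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
Get-ADComputer -Filter 'Name -like "WS-*"' |     # assumed workstation naming pattern
    ForEach-Object { Add-ADGroupMember -Identity $PCGroup -Members $_ }

# 2) A new GPO (never edit the Default Domain Policy). Computer Configuration settings
#    are applied according to the COMPUTER account's Apply permission, so the computer
#    group is what narrows the scope; the user group is named inside the deny right.
New-GPO -Name $GpoName -Comment "Blocks local and RDP logon for $UserGroup" | Out-Null
# Keep Read for Authenticated Users (Apply removed by -Replace): since MS16-072 a
# computer must be able to read the GPO or it silently stops processing it.
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $PCGroup -TargetType Group -PermissionLevel GpoApply

# 3) Link at the domain, as the answer does. Enforce only if child OUs block inheritance.
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes

# The user rights are not exposed by the GroupPolicy cmdlets. Set them in the editor under
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies
# > User Rights Assignment; the editor writes them to the GPO's GptTmpl.inf as:
#   [Privilege Rights]
#   SeDenyInteractiveLogonRight       = *<SID>
#   SeDenyRemoteInteractiveLogonRight = *<SID>
# where <SID> is the group SID, obtainable with:
$sid = (Get-ADGroup $UserGroup).SID.Value
Write-Host "Use *$sid in the two SeDeny*LogonRight entries"

# Do NOT add SeDenyNetworkLogonRight on the SharePoint server: the site is reached
# over a network logon, which these two interactive-logon denies leave intact.

# Verify on one member machine after 'gpupdate /force':
#   gpresult /r /scope:computer                       (the GPO should be listed as applied)
#   secedit /export /cfg "$env:TEMP\sec.inf"; findstr SeDeny "$env:TEMP\sec.inf"
```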
