liminal
asked on
Creating a user with no login rights
Trying to create a GPO to stop certain users in a group having access to login to the domain.
Domain is mixed 2008/ 2003 @ a 2003 domain level
This is what I have done so far, but its not working.
1) Created a new OU to which I have added the GPO.
2) Added a new group that I have put the external users into, adding that group to the GPO Security Filtering in the GPO Management Console
3) Then in the editor, added the same group to Deny Log On Locally and Deny Log On Through Remote Access: Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment
Thanks
Where have you applied part 3? This needs to be in a policy that is applied to the RDP server, not the user.
You may try to enable the following GPO settings in the "Computers" OU:
-"Deny Access to this computer from the network"
http://technet.microsoft.com/en-us/library/ff646935(WS.10).aspx
- GPO - Deny Logon Locally to everyone in OU "Deny log on locally"
http://www.petri.co.il/forums/showthread.php?t=10183
ASKER
@demazter: Yeah, I am trying to mash a few different things I have read together. So what you're saying is that I would need to move all domain machines into that OU to stop these users logging on to the domain? It will only apply to the computers, not the users logging on to those machines (which is kind of how it was put to me).
Basically I have a SharePoint site that I want users to have access to (without having to set up FBA), so they have a limited domain account that gives them access to that site without giving them any access to log into a machine if they came into the office.
That is correct, the computer section of a group policy is applied to computers and therefore must be applied to an OU that contains computers.
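A way to confirm on a given machine that the Deny rights actually landed there, as an added example that is not from this thread: export the effective local security policy with secedit after a gpupdate and check whether the group's SID appears in the Deny user rights. The group name is a placeholder; run it as a local administrator on the domain-joined computer you expect the policy to cover.

```powershell
# Added example (not from the thread): check which Deny logon rights on THIS computer
# contain a given group. Because these settings live in the Computer Configuration half
# of a GPO, they only take effect on machines whose OU the GPO is linked to.
# Assumption: $GroupToCheck is a placeholder; replace it with the real domain group.

$GroupToCheck = 'CONTOSO\SharePoint-External-Users'

# Privilege constant in the exported INF  ->  name shown in the GPO editor
$Rights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

# Export only the User Rights Assignment area of the effective local policy.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

# secedit writes principals as *S-1-5-21-... so resolve the group name to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($GroupToCheck)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($priv in $Rights.Keys) {
    $line = $lines | Where-Object { $_ -like "$priv *" -or $_ -like "$priv=*" }
    if (-not $line) {
        "{0}: no accounts assigned on this computer" -f $Rights[$priv]
        continue
    }
    # Right-hand side is a comma-separated list of *SID entries.
    $members = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
    if ($members -contains "*$sid") {
        "{0}: {1} IS denied here" -f $Rights[$priv], $GroupToCheck
    } else {
        "{0}: {1} is NOT present (policy did not reach this machine?)" -f $Rights[$priv], $GroupToCheck
    }
}
```

If a right shows the group as not present, run gpupdate /force and gpresult /r on that computer to see whether the GPO is being applied to it at all (it will not be unless the computer's OU is in the link path).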
Go to the root OU (e.g. the domain.com OU) --> Edit "Default Domain Policy" to enable "Deny logon locally", so it will apply to all child OUs.
>>>>Go to root OU (e.g. domain.com OU) --> Edit "Default Domain Policy" to enable "Deny logon locally", so it will apply all Child OU.
DO NOT DO THIS!
This will prevent logon for that group for ALL computers in your network. You should always create a new group policy, don't edit the Default Domain Policy. And never apply to the root domain, only apply to an OU!
But the question is that... ???
"Trying to create a GPO to stop certain users in a group having access to login to the domain."
--------------------------
Not for ALL computers in the network (domain), as he needs?
Yes, but still, making these changes at root level is dangerous and should be avoided.
ASKER
OK, clearly the computer part of a GPO covers machines on the network and the user part covers users... but I read in a few places that this was the only way to do it.
So there must be another way... does anyone know?
And I agree with demazter, changing anything @ the root can be trouble, but thanks anyway :)