spellman_p
asked on
Alloe log on locally
I have a domain that I want users to be able to logon while the computer is connected to the domain but if they loose connectivity they will not be able to logon the the domain or computer. I have tried removing "Authenticated users" from the "Allow log on locally" from the local and group policy, but then NO ON including Administrators are allowed to log on the the Computer. I have been told by my IAM that I have to remove everyone form the "Allo logon locally" policy.
Any assisatance would be appreciated.
Thanks,
Any assisatance would be appreciated.
Thanks,
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The "log on locally" permission is a red hering here. http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx
Just so that I understand fully, here is what I think you are trying to achieve...
Domain user accounts should be able to log on (but only when the PC is connected to the Domain)
Local user accounts are not used
If I am correct then disabling cached logons will achieve your goal.
Just so that I understand fully, here is what I think you are trying to achieve...
Domain user accounts should be able to log on (but only when the PC is connected to the Domain)
Local user accounts are not used
If I am correct then disabling cached logons will achieve your goal.
..or do you mean that MOST Domain accounts should not be allowed to logon EVER but SOME Domain accounts should?
I think your IAM is wrong... Alan_White's comments should be what you need from your description....
ASKER
I cannot have any accounts in the "Log On Locally" policy.
Who has told you that you that? Ask them what they mean.
I will repeat, a Domain user account cannot logon locally to a PC without being connected to the Domain if cached logons are disabled.
We clearly have a misunderstanding here. Can you elaborate on what the goal is here? Perhaps explain with examples (eg User Domain\User1 need to logon to LaptopA)?
I will repeat, a Domain user account cannot logon locally to a PC without being connected to the Domain if cached logons are disabled.
We clearly have a misunderstanding here. Can you elaborate on what the goal is here? Perhaps explain with examples (eg User Domain\User1 need to logon to LaptopA)?
"I cannot have any accounts in the "Log On Locally" policy. "
Then noone can "Log On Locally".....
Then noone can "Log On Locally".....
ASKER