Avatar of spellman_p
spellman_p
 asked on

Alloe log on locally

I have a domain that I want users to be able to logon while the computer is connected to the domain but if they loose connectivity they will not be able to logon the the domain or computer. I have tried removing "Authenticated users" from the "Allow log on locally" from the local and group policy, but then NO ON including Administrators are allowed to log on the the Computer. I have been told by my IAM that I have to remove everyone form the "Allo logon locally" policy.

Any assisatance would be appreciated.

Thanks,
Microsoft Legacy OSWindows Networking

Avatar of undefined
Last Comment
johnb6767

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Alan_White

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
spellman_p

ASKER
Thanks for the comment but I think that is did not clear myself properly. I need to be able to remove everyone from the "Allow Log On Locall" policy and still be able to log on to the Domain. I have tried to remove the evveryone to include the Domain Users and still have the users to log on to the Domain.
Alan_White

The "log on locally" permission is a red hering here.  http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Just so that I understand fully, here is what I think you are trying to achieve...
Domain user accounts should be able to log on (but only when the PC is connected to the Domain)
Local user accounts are not used

If I am correct then disabling cached logons will achieve your goal.
Alan_White

..or do you mean that MOST Domain accounts should not be allowed to logon EVER but SOME Domain accounts should?
Your help has saved me hundreds of hours of internet surfing.
fblack61
johnb6767

I think your IAM is wrong... Alan_White's comments should be what you need from your description....
spellman_p

ASKER
I cannot have any accounts in the "Log On Locally" policy.
Alan_White

Who has told you that you that?  Ask them what they mean.

I will repeat, a Domain user account cannot logon locally to a PC without being connected to the Domain if cached logons are disabled.

We clearly have a misunderstanding here.  Can you elaborate on what the goal is here?  Perhaps explain with examples (eg User Domain\User1 need to logon to LaptopA)?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
johnb6767

"I cannot have any accounts in the "Log On Locally" policy. "

Then noone can "Log On Locally".....