spellman_p

Allow log on locally

I have a domain that I want users to be able to log on to while the computer is connected to the domain, but if they lose connectivity they will not be able to log on to the domain or computer. I have tried removing "Authenticated users" from "Allow log on locally" in the local and group policy, but then NO ONE, including Administrators, is allowed to log on to the computer. I have been told by my IAM that I have to remove everyone from the "Allow log on locally" policy.

Any assistance would be appreciated.

Thanks,
ASKER CERTIFIED SOLUTION
Alan_White

spellman_p

ASKER

Thanks for the comment, but I think that I did not make myself clear. I need to be able to remove everyone from the "Allow Log On Locally" policy and still be able to log on to the Domain. I have tried to remove everyone, including Domain Users, and still have the users log on to the Domain.

The "log on locally" permission is a red herring here.  http://technet.microsoft.com/en-us/library/cc756809%28WS.10%29.aspx

Just so that I understand fully, here is what I think you are trying to achieve...
Domain user accounts should be able to log on (but only when the PC is connected to the Domain)
Local user accounts are not used

If I am correct then disabling cached logons will achieve your goal.
..or do you mean that MOST Domain accounts should not be allowed to logon EVER but SOME Domain accounts should?
johnb6767
I think your IAM is wrong... Alan_White's comments should be what you need from your description....
I cannot have any accounts in the "Log On Locally" policy.
Who has told you that?  Ask them what they mean.

I will repeat, a Domain user account cannot logon locally to a PC without being connected to the Domain if cached logons are disabled.

We clearly have a misunderstanding here.  Can you elaborate on what the goal is here?  Perhaps explain with examples (e.g. User Domain\User1 needs to log on to LaptopA)?
"I cannot have any accounts in the "Log On Locally" policy. "

Then no one can "Log On Locally".....
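
As an added example, not part of the original thread or any poster's code: a PowerShell audit of the two settings discussed above, the cached-logon count that governs offline domain logons and the holders of "Allow log on locally". The `CachedLogonsCount` registry value and the `SeInteractiveLogonRight` constant are the standard Windows names and do not appear in the thread; the `-DisableCache` switch is a hypothetical name chosen for this example.

```powershell
# Added example (not from the thread). Run elevated: secedit needs admin rights.
param([switch]$DisableCache)   # hypothetical switch name chosen for this example

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Stored as REG_SZ; Windows uses 10 when the value is absent.
    $p = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 10 }
    return [int]$p.CachedLogonsCount
}

function Get-InteractiveLogonRight {
    # Export only the user-rights area of the effective local policy and return
    # the SIDs or names holding "Allow log on locally" (SeInteractiveLogonRight).
    $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $hit = Select-String -Path $tmp -Pattern '^SeInteractiveLogonRight\s*=' |
               Select-Object -First 1
        if (-not $hit) { return @() }
        return @(($hit.Line -split '=', 2)[1] -split ',' |
                 ForEach-Object { $_.Trim().TrimStart('*') } |
                 Where-Object { $_ })
    }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

$count = Get-CachedLogonsCount
if ($count -eq 0) {
    'Cached logons disabled: domain accounts need a reachable domain controller.'
} else {
    "Up to $count domain logons are cached and usable offline."
}

$holders = Get-InteractiveLogonRight
"Allow log on locally: $($holders -join ', ')"
# S-1-5-32-544 is BUILTIN\Administrators. An empty list, or one without it,
# reproduces the lockout described in the question.
if ($holders -notcontains 'S-1-5-32-544' -and $holders -notcontains 'Administrators') {
    Write-Warning 'Administrators do not hold SeInteractiveLogonRight.'
}

if ($DisableCache -and $count -ne 0) {
    # Local change only; a domain GPO that sets this value will overwrite it.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String
    'CachedLogonsCount set to 0.'
}
```

On domain-joined machines the same value is normally set through Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".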