• Status: Solved

GPO for Deny Logon Locally

I have multiple users that I want to deny logon capability completely, but I do not want to disable the account.  I have tried to use a GPO with no success.  I followed the following scenario.

Create a Security Group "Deny Logon".
Make user a member of the "Deny Logon" group.

Create a GPO called DenyLogon with the following properties set:
Computer Configuration
        Windows Settings
            Security Settings
                Local Policies/User Rights Assignment
                    Deny log on as a batch job   setting = domain\Deny Logon
                    Deny log on as service         setting = domain\Deny Logon
                    Deny log on locally              setting = domain\Deny Logon
                    Deny log on through Terminal Services  settings = domain\Deny Logon
        Administrative Templates
            System/Group Policy
                    Configure user Group Policy loopback processing mode    Enabled   - Replace

I linked the GPO to the domain.

Problem is user is still able to logon to computers.  What am I doing wrong?
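One way to check, on a computer the GPO should reach, whether the four deny rights listed above actually contain the group. This is an added example, not part of the original question or its answer; `DOMAIN` is a placeholder for the NetBIOS domain name and the temp file name is an assumption.

```powershell
# Run in an elevated PowerShell session on a computer in scope of the GPO.
# 'DOMAIN\Deny Logon' is the group from the question; DOMAIN is a placeholder.
$group = 'DOMAIN\Deny Logon'

# The four deny rights set in the GPO, keyed by their internal privilege names.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
}

# Resolve the group to its SID; secedit usually writes domain principals as *S-1-5-...
$account = New-Object System.Security.Principal.NTAccount($group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the user rights assignment currently in effect on this computer.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    # Exported lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
    $line = $lines | Where-Object { $_ -match "^$name\s*=" }
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right        = $rights[$name]
        # Match on SID, or on the account name in case secedit wrote the name instead.
        GroupPresent = ($members -contains $sid) -or ($members -contains $group)
        Members      = $members -join ', '
    }
}

# Show which computer-side GPOs were applied at the last policy refresh.
gpresult /r /scope computer
```

A right whose line is absent from the export has no accounts assigned on that computer, so `GroupPresent` is `False` and `Members` is empty.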
1 Solution
Pradeep Dubey (Consultant) commented: