I have multiple users that I want to deny logon capability completely, but I do not want to disable the account. I have tried to use a GPO with no success. I followed the following scenario.
Create a Security Group "Deny Logon".
Make user a member of the "Deny Logon" group.
Create a GPO called DenyLogon with the following properties set:
Local Policies/User Rights Assignment
Deny log on as a batch job setting = domain\Deny Logon
Deny log on as service setting = domain\Deny Logon
Deny log on locally setting = domain\Deny Logon
Deny log on through Terminal Services settings = domain\Deny Logon
Configure user Group Policy loopback processing mode Enabled - Replace
I linked the GPO to the domain.
Problem is user is still able to logon to computers. What am I doing wrong?