jackport
asked on
Trying to use "Deny logon locally" in a GPO
I just created a GPO to set "Deny Log on Locally" and "Deny log on through Remote Desktop" to one AD group, and "Deny logon as a batch job" and "Deny log on as a service" to another group. I intend to put special-purpose accounts in one or both of these groups.
But when I view the "Settings" tab for this new GPO in the GPEDIT.MSC, it shows "No settings defined". And when I link the GPO to my domain, the GPRESULT shows that the GPO is not applied because it is empty !!!
I even tried adding another, completely unrelated computer policy setting so the GPO would not be empty. The "Deny logon..." settings still have no effect.
This is a very simple domain. Just one site with two DCs, both running Windows 2008 R2+SP1, Domain functional level and Forest functional level both Windows 2008 R2.
Any ideas??
But when I view the "Settings" tab for this new GPO in the GPEDIT.MSC, it shows "No settings defined". And when I link the GPO to my domain, the GPRESULT shows that the GPO is not applied because it is empty !!!
I even tried adding another, completely unrelated computer policy setting so the GPO would not be empty. The "Deny logon..." settings still have no effect.
This is a very simple domain. Just one site with two DCs, both running Windows 2008 R2+SP1, Domain functional level and Forest functional level both Windows 2008 R2.
Any ideas??
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
McKnife
Your picture1 shows that you are not editing the GPO that picture2 shows but a local GPO. :)
ASKER
No, McKnife, the picture does NOT show that at all. The portion of the MMC showing the domain context has been cropped out.
ASKER
Thank you....I don't know what caused the problem, but I just created another GPO as sarang_tinguria suggested and the problem did not recur. I really should have thought of that myself!