Deny users local login

Recently we've switched to Single Sign On by Imprivata - my PCs are set to auto login but that doesn't prevent the users from hitting Ctrl-Alt-Del and logging in themselves and nulling SSO. I originally denied users from logging in to the machine but when I do this Imprivata doesn't allow the user to log in. Is there any way around this?

Ben Hart Commented:
So you're looking for a way to allow interactive logins or fully deny them?
WellingtonIS (Author) Commented:
I'm looking for a way to deny user logon to the machine but allow interactive login. My departments have generic accounts which they are supposed to use; however, they are not, and are logging in with their own user names and passwords. I'm trying to prevent users from logging on to the physical machine with their own accounts but allowing them to use the interactive logon.
Ben Hart Commented:
Have you tried the Local Security settings or a GPO? The settings are in Group Policy, Computer Settings, Windows Settings, Security Settings, Local Policies, User Rights, Deny Log On Locally. Be very careful you don't lock everyone out of everything (i.e., apply this to an OU (or restrict it to a group) of just one computer, then test).

For example you could Deny the Domain Users group.. or something like that; it depends on how your OUs are set up.
WellingtonIS (Author) Commented:
Originally I had that set up. I had a group and denied local login but I found out that SSO doesn't work if you do that.
John, Business Consultant (Owner) Commented:
Set up a local admin account that users cannot use, but allows you to log in. Do not enable "administrator".

Then remove all other local accounts.

Now users can only log in as domain users.

This should work just fine.
WellingtonIS (Author) Commented:
That's great but it still doesn't prevent my users from logging in to the machine on the domain as themselves.
John, Business Consultant (Owner) Commented:
Of course not. The title of the thread asks "Deny LOCAL login".

So then what is the actual question?
WellingtonIS (Author) Commented:
Sorry, looking for a way to deny user logon to the machine but allow interactive login with Imprivata SSO.
John, Business Consultant (Owner) Commented:
If the user has a domain account, nothing really prevents that user from logging in. That is the way it works and that is why attempting to control it breaks SSO.

I think you have to live with what you have.
Ben Hart Commented:
What security group(s) is the auto logon account a member of?  When you attempted the GPO setting the Deny Local Logon rights you weren't inadvertently locking out that account were you?
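Added example (not part of any post in this thread): a check for the question raised above, namely whether the auto-logon account is itself caught by Deny log on locally on the single test workstation. The UPN is a placeholder; the script assumes an elevated prompt on a domain-joined machine where the account's token can be built from its UPN.

```powershell
# Added example. Run from an elevated PowerShell prompt on the test workstation.
# The UPN below is a placeholder for the generic auto-logon account.
param([string]$AutoLogonUpn = 'kiosk-ward1@contoso.example')

# Export only the user-rights section of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# SIDs holding one right. Export lines look like:
#   SeDenyInteractiveLogonRight = *S-1-5-32-546,SomeLocalName
function Get-RightSids([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) }      # already a SID
        else {                                                    # bare name -> SID
            (New-Object System.Security.Principal.NTAccount $entry).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

function Resolve-Name([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolvable SID: show it raw
}

# SIDs the account would carry on this machine: its own SID plus every group.
$id   = New-Object System.Security.Principal.WindowsIdentity $AutoLogonUpn
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$denied  = @(Get-RightSids 'SeDenyInteractiveLogonRight' | Where-Object { $sids -contains $_ })
$allowed = @(Get-RightSids 'SeInteractiveLogonRight'     | Where-Object { $sids -contains $_ })

# A deny entry wins over any allow entry, so report it first.
if ($denied.Count) {
    "BLOCKED by Deny log on locally via: " + (($denied | ForEach-Object { Resolve-Name $_ }) -join ', ')
} elseif ($allowed.Count) {
    "OK: allowed via: " + (($allowed | ForEach-Object { Resolve-Name $_ }) -join ', ')
} else {
    "No Allow log on locally entry matches $AutoLogonUpn"
}
Remove-Item $cfg
```

Run it before and after linking the GPO to the one-computer test OU. A broad group such as Domain Users in the BLOCKED line means the deny entry covers the auto-logon account as well as the named users.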
WellingtonIS (Author) Commented:
The auto login accounts are members of regular domain users - I'm using them like service accounts - the pw doesn't expire. When I attempt to deny the user local login the SSO doesn't work. I have generic accounts that need to be the ones on the machines and the users use SSO.
David Johnson, CD, MVP (Owner) Commented:
"The auto login accounts are members of regular domain users"
Move either the SSO account or the users to another OU and then deny local logon to the OU that the users belong to.
WellingtonIS (Author) Commented:
Thanks everyone for your comments but unfortunately none of this is the solution to this problem. Bottom line is you cannot deny the user login locally and have them sign in to an SSO with their own account.
John, Business Consultant (Owner) Commented:
I think you just have to live with your current situation. Ask people not to bypass the log in.
WellingtonIS (Author) Commented:
Well for now you're correct.
WellingtonIS (Author) Commented:
I have no fix for this so I just added a script for an auto login that loops.

WellingtonIS (Author) Commented:
I created a script for an auto login because there's no way to block a user locally and still have them use a Single Sign On to log in too.