  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 62

How to block users on a machine from logging in locally

I have a group of machines in a particular OU.

1) Users are Admins (Certain software that is run requires this). Written in stone, not up for debate.
2) User has domain login but is choosing to login locally. (Tin foil hat paranoid kind of user)
3) Machines are Laptops

I need to be able to prevent them from logging in locally, so they are forced to sign into the domain. This needs to be done via GPO, so that any machines in the OU are affected.

I tried using (in GPO) Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally

The problem is, that also prevents them from signing on with their domain account if they are offline.

So I need to prevent users from logging in locally without breaking the cached domain credentials on the laptops.

Laptops are running Windows 10; AD runs on Server 2012 R2.
Asked by: MushroomStamp
4 Solutions
 
John Hurst, Business Consultant (Owner), commented:
Users are Admins (Certain software that is run requires this). Written in stone, not up for debate. User has domain login but is choosing to login locally

So i need to prevent users from logging in to Local

If I am the admin of a machine (domain or local), I can do whatever I want including making a new user account to log in however I want.

So I do not think you can realistically do what you want.
 
Neil Russell, Technical Development Lead, commented:
1) I have never found a piece of software that ACTUALLY needs a user to be a local admin. There is a way, 99.99% of the time, to create a policy that will allow it to run if you know what to do.
Otherwise, as John said, an admin on a computer can do as they please.
 
zalazar commented:
I agree with John here that it will be quite difficult, because the user is also Administrator.

You could try to see if it's possible to set a GPO that only allows domain users and system accounts in "Allow log on locally":
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Authenticated Users
This has the consequence that no local user is able to log on anymore.
Not even when the domain is not available and troubleshooting is needed.
It might also have an impact on some Windows functions, so please test it first on a test laptop.
Because of these consequences I would actually not recommend this setting.

About the user not being able to sign in when offline:
The users should log on at least once while they are on the network.
After that the account password will be cached and they should be able to log on with their domain account while offline as well.
Setting: Interactive logon: Number of previous logons to cache (in case domain controller is not available); the default value is 10.
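
To see what a laptop actually ended up with once the GPO applied (which accounts the Allow and Deny log on locally rights resolve to, and how many domain logons are cached for offline sign-in), here is an added PowerShell check. It is not part of the thread: it exports the local security policy with secedit.exe, resolves the SIDs in the two interactive-logon rights to account names, and reads the Winlogon CachedLogonsCount value that backs the "Number of previous logons to cache" setting. Run it from an elevated prompt on one of the affected laptops; the temp file path is the only assumption.

```powershell
# Added example (not from the thread): audit the two settings discussed above on a
# Windows 10 laptop. Run from an elevated PowerShell prompt.

function Get-InteractiveLogonRights {
    # secedit.exe is the built-in way to read User Rights Assignment; the export lists
    # each right as "SePrivilegeName = *SID,*SID,..." under [Privilege Rights].
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temp path is an assumption
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        Get-Content -Path $cfg |
            Where-Object { $_ -match '^Se(Deny)?InteractiveLogonRight' } |
            ForEach-Object {
                $name, $value = $_ -split '=', 2
                $members = foreach ($entry in ($value.Trim() -split ',')) {
                    $raw = $entry.Trim().TrimStart('*')
                    if (-not $raw) { continue }
                    try {
                        # Resolve SIDs to names. Domain SIDs only resolve if a DC is
                        # reachable or the account is cached; otherwise show the raw SID.
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $raw }
                }
                [pscustomobject]@{ Right = $name.Trim(); Members = ($members -join '; ') }
            }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-CachedLogonsCount {
    # "Interactive logon: Number of previous logons to cache" is stored here.
    # When the value is absent Windows uses its built-in default of 10.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }
    return [int]$value
}

Get-InteractiveLogonRights | Format-Table -AutoSize
"CachedLogonsCount: {0}" -f (Get-CachedLogonsCount)
```

A right that the policy leaves undefined does not appear in the export at all, so an empty result for SeDenyInteractiveLogonRight means nothing is denied; a line with no members means the right is defined but empty. The Deny right always wins over the Allow right, so the names listed under SeDenyInteractiveLogonRight are the ones to compare against the domain accounts that could not sign in offline.
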
 
John Hurst, Business Consultant (Owner), commented:
If you prevent a local user from logging on, it may become necessary to reinstall Windows, as you may need a local user for something.
 
zalazar commented:
It should actually be:
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Domain Users
but I just noticed that it's not possible, unfortunately, as Windows will show the message: "Administrators must be granted the logon local right".

One other option could be a logon script (at a network location) which checks whether the user is local or domain.
In the case of a local user, a forced logoff could be executed.
Only this will not work when the user works offline, or if the user connects the network cable after logging on with a local account.
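
As an added example of the logoff-script idea above (this is not code from the thread), the following PowerShell decides whether the interactive session belongs to a local account by comparing SIDs rather than names, and forces a logoff if it does. It assumes Windows 10 with the Microsoft.PowerShell.LocalAccounts module. The deployment is also an assumption: a domain user logon script never runs for a local account, so the realistic way to get this executed at a local logon is a computer-side scheduled task with an "At log on" trigger for any user, configured to run as the logging-on user rather than SYSTEM. The 20-second grace period and the message text are arbitrary choices.

```powershell
# Added example, not code from the thread. Checks whether the interactive account is
# a local one and, if so, forces a logoff. Assumes Windows 10 (LocalAccounts module).
# Must run in the logging-on user's own context so GetCurrent() is that user.

function Get-MachineSid {
    # Every local account carries the machine SID as its domain part. The built-in
    # Administrator (RID 500) always exists, even when renamed or disabled, so its
    # SID is a reliable place to read the machine SID from.
    $builtin = Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    return $builtin.SID.AccountDomainSid
}

function Test-LocalAccountSession {
    # A local account's SID is issued by the machine, a domain account's by the
    # domain, regardless of how either account is named or what USERDOMAIN says.
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    return ($user.AccountDomainSid -eq (Get-MachineSid))
}

if (Test-LocalAccountSession) {
    $name = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # Tell the user why the session is ending (msg.exe ships with Windows 10
    # Pro/Enterprise), wait out the grace period, then force the logoff.
    msg.exe * /TIME:20 "Local account $name is not permitted on this laptop. Sign in with your domain account."
    Start-Sleep -Seconds 20
    shutdown.exe /l /f
}
```

The limits zalazar names still apply: the task only fires if the laptop has the task, not if the script lives only on a network share the offline laptop cannot reach, and a user who is a local administrator can disable the task. It raises the effort of using a local account; it does not make it impossible.
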
 
Tim Edwards, IT Team Lead - Unified Communications & Collaboration, commented:
Are there AD user accounts that are part of the local admins group as well?
 
Neil Russell, Technical Development Lead, commented:
Far too often companies say...

"Oh, it won't run unless you are a local admin."

And IT staff take their word for it. Do some work (Process Explorer for a few hours) and you can get users running almost anything without being a local administrator; it's just a bit of hard work to figure out what access is needed where.
 
saumik belel commented:
Kindly take a look at your GPO to check whether it is configured correctly.

Place the computer in the OU and set the GPO: Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally

Set the allowed users that these computers will allow to log in. I added the one user as well as Administrators and Domain Admins.
 
Neil Russell, Technical Development Lead, commented:
Yes saumik, ADMINISTRATORS, and as the OP has the users set as local admins, they log in.
 
zalazar commented:
What you could maybe do is set up a GPO with Restricted Groups or Group Policy Preferences.
In this way you can force the "Administrators" group to contain only the defined users/groups.
The user will still be able to modify the "Administrators" group, but every time the policy applies to the computer (by default every 90 minutes), the "Administrators" group is set back to what you defined in the policy.
This will make it much more difficult for the user to keep using the local user account, as every time the group policy applies, the Administrator permissions for the local account will be revoked.
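
To show what the Restricted Groups approach above does to the local Administrators group, here is an added PowerShell version of the same enforcement (not code from the thread, and not a replacement for the GPO; it is the same membership reset done by script). It removes every member of Administrators that is not on an allow-list, keeps the built-in Administrator so an offline laptop stays recoverable, and supports -WhatIf for a dry run. It assumes Windows 10 with the Microsoft.PowerShell.LocalAccounts module and an elevated context (for example a computer-side scheduled task on a short interval). DOMAIN1 and the two group names are assumptions standing in for the real ones.

```powershell
# Added example, not code from the thread. Resets local Administrators membership the way a
# Restricted Groups policy does: anyone not on the allow-list is removed. Run elevated.
# DOMAIN1 and the group names are assumptions.

$AllowedMembers = @(
    'DOMAIN1\Domain Admins',
    'DOMAIN1\LegacyApp Local Admins'   # assumed domain group holding the users who need admin
)

function Get-UnexpectedAdministrators {
    param([string[]] $Allowed)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        # Keep the built-in Administrator (RID 500): without a usable local admin an
        # offline laptop may need a reinstall, as John Hurst warns above.
        if ($_.SID.Value -like 'S-1-5-21-*-500') { return $false }
        $Allowed -notcontains $_.Name
    }
}

function Remove-UnexpectedAdministrators {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Allowed)
    foreach ($member in (Get-UnexpectedAdministrators -Allowed $Allowed)) {
        $target = "$($member.Name) ($($member.SID.Value))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member
        }
    }
}

# Dry run first so the allow-list can be checked, then enforce.
Remove-UnexpectedAdministrators -Allowed $AllowedMembers -WhatIf
Remove-UnexpectedAdministrators -Allowed $AllowedMembers
```

Matching is by the NetBIOS-style name that Get-LocalGroupMember returns (DOMAIN1\group or COMPUTERNAME\user), so any local account the user creates and adds to Administrators is removed on the next run, while their domain account keeps its rights through the allowed domain group. As zalazar notes, the user is still an administrator between runs and can re-add the account; this only makes the local account a moving target.
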
 
MushroomStamp (Author) commented:
Thanks everyone. Although not what I wanted to hear, it's what I figured was the case. I will find another way to skin this cat. I have Cisco Firepower and will go that route. I was just hoping for a GPO way to do this.

P.S. I posted that it must be Admin in order to cut down on lengthy conversation. Some, though, want to make it a point anyway. So, for those: it is custom software written years ago that has many legacy limitations and 100% requires Admin. I've been in IT for 25+ years; this isn't my first rodeo.
 
Neil Russell, Technical Development Lead, commented:
Questions should not be deleted just because the answer is "You cannot".
 
MushroomStamp (Author) commented:
I never deleted it. Thank you very much. I merely submitted a close request.
 
Neil Russell, Technical Development Lead, commented:
No, the correct answer is that with work ANY software can be made to run without being a local admin; you just need to put a LOT of effort into making it do so.