I have a group of machines in a particular OU.
1) Users are Admins (Certain software that is run requires this). Written in stone, not up for debate.
2) User has a domain login but is choosing to log in locally. (Tin foil hat paranoid kind of user)
3) Machines are Laptops
I need to be able to prevent them from logging in locally, so they are forced to sign in to the domain. This needs to be done via GPO, so that any machines in the OU are affected.
I tried using (in GPO) CompConfig > WinSetting > SecSetting > LocalPolicy > UserRight > Deny log on locally.
The problem is, that also prevents them from signing on with their domain account if they are offline.
So I need to prevent users from logging in to Local without binding up the cached credentials for the domain on laptops.
Laptops are running Windows 10, AD is run on 2012R2