How to Block Users on a Machine from Logging in Locally

Posted on 2016-08-19
Last Modified: 2016-09-26
I have a group of machines in a particular OU.

1) Users are admins (certain software that is run requires this). Written in stone, not up for debate.
2) The user has a domain login but is choosing to log in locally. (Tin-foil-hat paranoid kind of user.)
3) Machines are laptops.

I need to be able to prevent them from logging in locally... so they are forced to sign in to the domain. This needs to be done via GPO, so that any machines in the OU are affected.

I tried using (in GPO) CompConfig > WinSetting > SecSetting > LocalPolicy > UserRight > Deny log on locally

The problem is that this also prevents them from signing on with their domain account if they are offline.

So I need to prevent users from logging in to a local account without binding up the cached domain credentials on the laptops.

Laptops are running Windows 10; AD runs on 2012 R2.
Question by:MushroomStamp

Assisted Solution

by:John Hurst
ID: 41763030
Users are Admins (Certain software that is run requires this). Written in stone, not up for debate. User has domain login but is choosing to login locally

So i need to prevent users from logging in to Local

If I am the admin of a machine (domain or local), I can do whatever I want, including making a new user account to log in however I want.

So I do not think you can realistically do what you want.

Assisted Solution

by:Neil Russell
ID: 41763051
1).... I have never found a piece of software that actually needs a user to be a local admin. There is a way, 99.99% of the time, to create a policy that will allow it to run if you know what to do.
Otherwise, as John said, an admin on a computer can do as they please.

Accepted Solution

ID: 41763087
I agree with John here that it will be quite difficult because the user is also an Administrator.

You could try to see if it's possible to set a GPO that only allows domain users and system accounts in "Allow log on locally".
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Authenticated Users
This has the consequence that no local user is able to log on anymore.
Not even when the domain is unavailable and troubleshooting is needed.
It might also have an impact on some Windows functions, so please test it first on a test laptop.
Because of these consequences I would actually not recommend this setting.

About the users not being able to sign in when they are offline:
The users should log on at least once while they are on the network.
After that the account password will be cached and they should be able to log on with their domain account while they are offline as well.
Setting: Interactive logon: Number of previous logons to cache (in case domain controller is not available); the default value is 10.
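Before changing either setting through the GPO, it is worth checking what a laptop is actually enforcing once policy has applied. The script below is an added example, not code from the thread or from any of the posters: run elevated on a target laptop, it exports the effective User Rights Assignment with secedit, resolves the SIDs in the "Allow log on locally" and "Deny log on locally" entries to account names, and reads the cached-logon count that controls offline domain logon. It assumes only secedit.exe and the standard Winlogon registry key, both present on Windows 10.

```powershell
# Added example: audit the effective interactive-logon rights and cached-logon
# setting on this laptop. Run in an elevated PowerShell session.
$inf = Join-Path $env:TEMP 'user-rights.inf'

# Export only the User Rights Assignment area of the effective local policy.
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# secedit writes principals as *SID (e.g. *S-1-5-32-544 for BUILTIN\Administrators);
# translate each one to an account name where the SID can be resolved.
function Resolve-RightHolders {
    param([string]$Line)
    $value = ($Line -split '=', 2)[1].Trim()
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $entry   # unresolvable (e.g. domain SID while offline): keep the raw SID
        }
    }
}

$wanted = '^(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*='
foreach ($line in (Get-Content $inf | Where-Object { $_ -match $wanted })) {
    $right = ($line -split '=', 2)[0].Trim()
    $holders = (Resolve-RightHolders -Line $line) -join '; '
    Write-Host ("{0}: {1}" -f $right, $holders)
}
Remove-Item $inf -ErrorAction SilentlyContinue

# "Interactive logon: Number of previous logons to cache" is stored as a REG_SZ
# under Winlogon. An absent value means the Windows default of 10; 0 disables
# offline domain logon entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
Write-Host "CachedLogonsCount: $cached"
if ([int]$cached -eq 0) {
    Write-Warning 'Offline domain logon is disabled on this laptop; domain users cannot sign in without a DC.'
}
```

If SeDenyInteractiveLogonRight lists a group that the users' domain accounts belong to, that explains the symptom in the question: the deny right is evaluated against the token, cached or not, so it blocks the offline domain logon just as it blocks the local one.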

Expert Comment

by:John Hurst
ID: 41763092
If you prevent a local user from logging on, it may become necessary to reinstall Windows, as you may need a local user for something.

Expert Comment

ID: 41763132
It should actually be:
but I just noticed that it's not possible unfortunately as Windows will show the message: "Administrators must be granted the logon local right".

One other option could be something with a logon script (at a network location) which checks whether the user is local or domain.
In the case of a local user, a forced logoff could be executed.
Only this will not work when the user works offline, or if the user connects the network cable after they have logged on with a local account.
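The logon-script idea from the comment above, written out as an added example (not code posted in the thread). It tells a local SAM account from a domain account by comparing USERDOMAIN with COMPUTERNAME, records the event to a share, and then logs the session off. The share path is a placeholder; the limitations the comment lists still apply, and a user who is a local admin can simply stop the script from running.

```powershell
# Added example: GPO logon script that logs off interactive sessions started with a
# local account. Deploy from a network share; it runs in the user's logon session.
$LogShare = '\\fileserver\logs$\local-logon-audit.log'   # hypothetical path

function Test-LocalAccount {
    # For a local SAM account USERDOMAIN is the machine name; for a domain account it
    # is the NetBIOS domain name, even when the logon was satisfied from the cache.
    param(
        [string]$UserDomain   = $env:USERDOMAIN,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    return ($UserDomain -ieq $ComputerName)
}

if (Test-LocalAccount) {
    $entry = '{0} {1}\{2} logged on with a local account' -f (Get-Date -Format s), $env:COMPUTERNAME, $env:USERNAME
    # Best-effort audit trail; never let a logging failure keep the session alive.
    try { Add-Content -Path $LogShare -Value $entry -ErrorAction Stop } catch { }

    # logoff.exe with no session argument ends the calling user's session.
    Start-Process -FilePath "$env:SystemRoot\System32\logoff.exe" -NoNewWindow
}
```

Because the script is only fetched while the laptop can reach the share, an offline local logon is never seen by it; the audit log at least shows which machines are being used this way once they reconnect.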

Expert Comment

by:Tim Edwards
ID: 41763144
Are there AD user accounts a part of the local admins group as well?

Expert Comment

by:Neil Russell
ID: 41763162
Far too often companies say...

Oh, it won't run unless you are a local admin..

And IT staff take their word for it. Do some work with Process Explorer for a few hours and you can get users running almost anything without being a local administrator; it's just a bit of hard work to figure out what access is needed where.
Expert Comment

by:saumik belel
ID: 41763617
Kindly take a look at your GPO to check whether it is configured correctly.

Place the computer in the OU, and set the GPO: Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally

Set the allowed users that these computers will allow to log in. I added the one user as well as Administrators and Domain Admins.

Expert Comment

by:Neil Russell
ID: 41763621
Yes saumik, Administrators, and as the OP has the users set as local admins, they log in.

Expert Comment

ID: 41764631
What you maybe could do is set up a GPO with Restricted Groups or Group Policy Preferences.
In this way you can force the "Administrators" group to contain only the defined users/groups.
The user will still be able to modify the "Administrators" group, but every time the policy applies to the computer (by default every 90 minutes), the "Administrators" group is set back to what you defined in the policy.
This will make it much more difficult for the user to keep using the local user account, as every time the group policy applies, the Administrator permissions for the local account will be revoked.
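To see what Restricted Groups would do at each refresh, and to spot drift in between refreshes, the following added example (mine, not from the thread) compares the local Administrators group against an allowed list and, with -Enforce, removes anything extra. The group names under DOMAIN1 are placeholders for whatever the policy defines; it assumes Windows 10, where the Microsoft.PowerShell.LocalAccounts cmdlets are available, and an elevated session.

```powershell
# Added example: audit (and optionally enforce) local Administrators membership the
# way a Restricted Groups policy would. Run elevated: .\Check-Admins.ps1 [-Enforce]
param([switch]$Enforce)

# Allowed members. Local principals are matched by bare name, domain principals by
# DOMAIN\name. DOMAIN1\Domain Admins and DOMAIN1\LaptopAdmins are hypothetical.
$Allowed = @(
    'Administrator',
    'DOMAIN1\Domain Admins',
    'DOMAIN1\LaptopAdmins'
)

function Get-AdminDrift {
    param([string[]]$AllowedMembers)
    # Get-LocalGroupMember reports COMPUTERNAME\name for local accounts and
    # DOMAIN\name for domain accounts; PrincipalSource tells the two apart.
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
        $name = if ($m.PrincipalSource -eq 'Local') { $m.Name.Split('\')[-1] } else { $m.Name }
        if ($AllowedMembers -notcontains $name) { $m }
    }
}

$drift = @(Get-AdminDrift -AllowedMembers $Allowed)
if ($drift.Count -eq 0) {
    Write-Host 'Administrators group matches the allowed list.'
    return
}

foreach ($m in $drift) {
    Write-Warning ('Unexpected Administrators member: {0} ({1}, {2})' -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    if ($Enforce) {
        # Same effect as the policy refresh described above: drop the extra member.
        # Removing by SID also works for members whose name can no longer be resolved.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID -ErrorAction Continue
    }
}
```

Run without -Enforce from a scheduled task or RMM to get an inventory of which laptops have a second local admin account; as the comment notes, a user who is still an administrator can undo the removal, so the value is in the policy re-applying rather than in any single run.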

Assisted Solution

ID: 41765371
Thanks everyone. Although not what I wanted to hear, it's what I figured was the case. I will find another way to skin this cat. I have Cisco Firepower and will go that route. Was just hoping for a GPO way to do this.

P.S. I posted that it must be admin in order to cut down on lengthy conversation. Some, though, want to make it a point anyway. So, for those: it is custom software written years ago that has many legacy limitations and 100% requires admin. I've been in IT for 25+ years; this isn't my first rodeo.

Expert Comment

by:Neil Russell
ID: 41765450
Questions should not be deleted just because the answer is "You cannot".

Author Comment

ID: 41788522
I never deleted it. Thank you very much. I merely did a close request.

Expert Comment

by:Neil Russell
ID: 41788579
No, the correct answer is that with work ANY software can be made to run without being a local admin, you just need to put a LOT of effort into making it.
