Solved

How to block users on a machine from logging in locally

Posted on 2016-08-19
36 Views
Last Modified: 2016-09-26
I have a group of machines in a particular OU.

1) Users are Admins (Certain software that is run requires this). Written in stone, not up for debate.
2) User has a domain login but is choosing to log in locally. (Tin-foil-hat paranoid kind of user)
3) Machines are Laptops

I need to be able to prevent them from logging in locally... so they are forced to sign into the domain. This needs to be done via GPO, so that any machines in the OU are affected.

I tried using (in GPO) CompConfig > WinSetting > SecSetting > LocalPolicy > UserRight > Deny log on locally

The problem is, that also prevents them from signing on with their domain account if they are offline.

So I need to prevent users from logging in locally without binding up the cached credentials for the domain on the laptops.

Laptops are running Windows 10; AD is running on 2012 R2.
Question by:MushroomStamp
16 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 166 total points (awarded by participants)
ID: 41763030
Users are Admins (Certain software that is run requires this). Written in stone, not up for debate. User has domain login but is choosing to login locally

So i need to prevent users from logging in to Local

If I am the admin of a machine (domain or local), I can do whatever I want including making a new user account to log in however I want.

So I do not think you can realistically do what you want.
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 166 total points (awarded by participants)
ID: 41763051
1).... I have never found a piece of software that ACTUALLY needs a user to be a local admin. There is a way 99.99% of the time to create a policy that will allow it to run, if you know what to do.
Otherwise, as John said, an admin on a computer can do as they please.
 
LVL 11

Accepted Solution

by:
zalazar earned 167 total points (awarded by participants)
ID: 41763087
I agree with John here that it will be quite difficult because the user is also Administrator.

You could try to see if it's possible to set a GPO that allows only domain users and system accounts under "Allow log on locally".
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Authenticated Users
This has the consequence that no local user is able to log on anymore.
Not even when the domain is unavailable and troubleshooting is needed.
It might also have an impact on some Windows functions, so please test it first on a test laptop.
Because of these consequences I would actually not recommend this setting.

About the user not being able to sign in while offline:
The users should log on at least once while they are on the network.
After that the account password will be cached and they should be able to log on with their domain account while offline as well.
Setting: Interactive logon: Number of previous logons to cache (in case domain controller is not available); the default value is 10.
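
The settings zalazar refers to can be checked on a test laptop before the GPO is linked to the production OU. The script below is an added example, not code from the thread: it exports the effective user-rights assignment with secedit, resolves the SIDs back to names, reads the cached-logon count, and flags the exact trap from the question (a domain principal under "Deny log on locally" is also blocked from cached offline logons). Run it from an elevated PowerShell prompt on the Windows 10 machine; secedit and the Winlogon key need administrator rights.

```powershell
# Added example (not from the original thread): audit "Allow log on locally",
# "Deny log on locally" and the cached-logon count as actually applied on this
# machine. Requires an elevated prompt.

function Resolve-RightsEntry {
    param([string]$Entry)
    # secedit writes SIDs prefixed with '*' (e.g. *S-1-5-32-544); plain names pass through.
    if ($Entry -match '^\*(S-1-.+)$') {
        $raw = $matches[1]
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$raw
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Unresolvable (typically a domain SID while no DC is reachable): keep the raw SID.
            return $raw
        }
    }
    return $Entry
}

function Get-UserRightsAssignment {
    # Export the effective local policy (local settings merged with applied GPOs)
    # and parse the [Privilege Rights] section of the resulting INF.
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $name = $matches[1]
                $entries = $matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
                $rights[$name] = @($entries | ForEach-Object { Resolve-RightsEntry $_ })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-CachedLogonsCount {
    # "Interactive logon: Number of previous logons to cache", stored as a REG_SZ
    # string under Winlogon. Absent means the Windows default of 10; 0 disables caching.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Test-OfflineLogonImpact {
    # A domain principal listed under "Deny log on locally" is refused even when the
    # logon would otherwise succeed from the credential cache, which is what locked
    # the laptops out in the question.
    param([string[]]$Deny, [int]$Cached)
    $localAuthorities = '^(BUILTIN|NT AUTHORITY|NT SERVICE|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    $findings = @()
    foreach ($p in $Deny) {
        if ($p -match '\\' -and $p -notmatch $localAuthorities) {
            $findings += "Domain principal '$p' in Deny log on locally also blocks its cached (offline) logons"
        } elseif ($p -match '^S-1-5-21-') {
            $findings += "Unresolved SID '$p' in Deny log on locally; verify whether it is a domain principal"
        }
    }
    if ($Cached -eq 0) {
        $findings += 'CachedLogonsCount is 0: no domain logon is possible without a reachable domain controller'
    }
    return $findings
}

# Report for this machine.
$rights = Get-UserRightsAssignment
$cached = Get-CachedLogonsCount
"Allow log on locally : $($rights['SeInteractiveLogonRight'] -join '; ')"
"Deny log on locally  : $($rights['SeDenyInteractiveLogonRight'] -join '; ')"
"Cached logons        : $cached"
Test-OfflineLogonImpact -Deny $rights['SeDenyInteractiveLogonRight'] -Cached $cached |
    ForEach-Object { Write-Warning $_ }
```

Run it once on the network and once with the laptop disconnected: the second run shows which deny entries stop resolving to names, which is also the state the user is in when the cached logon gets refused.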
 
LVL 90

Expert Comment

by:John Hurst
ID: 41763092
If you prevent a local user from logging on, it may become necessary to reinstall Windows as you may need a local user for something.
 
LVL 11

Expert Comment

by:zalazar
ID: 41763132
It should actually be:
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Domain Users
but I just noticed that unfortunately it's not possible, as Windows shows the message: "Administrators must be granted the logon local right".

One other option could be something with a logon script (at a network location) which checks if the user is local or domain.
In case of a local user a forced logoff could be executed.
However, this will not work when the user works offline or if the user connects the network cable after he has logged on with a local account.
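
The logon-script idea above, written out as an added example (not code from the thread). It decides whether the interactive session belongs to a local account by comparing the account-domain part of the user's SID with the machine SID, acts only when a domain controller can be located, writes a line to a log file and, with -Enforce, logs the user off. The log location under ProgramData is an assumed placeholder. It has exactly the gap zalazar describes: offline, nothing can be enforced, and a GPO-delivered script does not run at all.

```powershell
# Added example (not from the original thread): detect a local-account logon on a
# domain-joined Windows 10 machine and, when a DC is reachable, record it and
# optionally force a logoff. Runs unelevated as the logged-on user.

function Test-LocalAccount {
    # Every local account shares the machine SID as its account-domain prefix, so
    # any local account reveals it. This avoids trusting $env:USERDOMAIN, a name.
    $user       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
    if ($null -eq $user.AccountDomainSid) { return $false }   # well-known or service SID
    return $user.AccountDomainSid.Value -eq $machineSid.Value
}

function Test-DomainControllerReachable {
    # Locates a DC for the computer's domain; throws when not joined or not reachable.
    try {
        [void][System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        return $true
    } catch {
        return $false
    }
}

function Invoke-LocalLogonCheck {
    [CmdletBinding()]
    param(
        # Assumed placeholder. Standard users may create folders under ProgramData,
        # so this works from an unelevated logon script.
        [string]$LogPath = (Join-Path $env:ProgramData 'LocalLogonCheck\logons.log'),
        # Without -Enforce the script only records what it found.
        [switch]$Enforce
    )
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (-not (Test-LocalAccount)) {
        return [pscustomobject]@{ User = $who; LocalAccount = $false; Action = 'none' }
    }
    if (-not (Test-DomainControllerReachable)) {
        # The gap: a local logon while offline, or before the cable is plugged in,
        # cannot be acted on here.
        return [pscustomobject]@{ User = $who; LocalAccount = $true; Action = 'skipped-offline' }
    }
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    "$(Get-Date -Format o) $env:COMPUTERNAME local account '$who' logged on while the domain was reachable" |
        Add-Content -Path $LogPath
    if ($Enforce) {
        # /l logs off the current user; /f closes applications without prompting.
        Start-Process -FilePath shutdown.exe -ArgumentList '/l', '/f'
        return [pscustomobject]@{ User = $who; LocalAccount = $true; Action = 'logoff' }
    }
    return [pscustomobject]@{ User = $who; LocalAccount = $true; Action = 'logged' }
}

# Dry run: report only. Add -Enforce in the GPO logon script to actually log the user off.
Invoke-LocalLogonCheck
```

Since the users in question are local administrators, they can simply end the script or remove it from the logon path, which is the point John and Neil make above; the script raises the cost of a local logon, it does not prevent one.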
 
LVL 8

Expert Comment

by:Tim Edwards
ID: 41763144
Are there AD user accounts that are part of the local admins group as well?
 
LVL 37

Expert Comment

by:Neil Russell
ID: 41763162
Far too often companies say...

Oh it won't run unless you are a local admin..

And IT staff take their word. Do some work, run Process Explorer for a few hours, and you can get users running almost anything without being a local administrator; it's just a bit of hard work to figure out what access is needed where.
 
LVL 1

Expert Comment

by:saumik belel
ID: 41763617
Kindly take a look at your GPO to check whether it is configured correctly.

Place computer in OU, set GPO:  Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally

Set the allowed users that these computers will allow to log in. I added the one user as well as Administrators and Domain Admins.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 41763621
Yes saumik, ADMINISTRATORS, and as the OP has the users set as local admins, they log in.
 
LVL 11

Expert Comment

by:zalazar
ID: 41764631
What you could maybe do is set up a GPO with Restricted Groups or Group Policy Preferences.
In this way you can force that the "Administrators" group only contains the defined users/groups.
The user will still be able to modify the "Administrators" group but every time the policy applies to the computer (by default every 90 minutes), the "Administrators" group is set back to what you defined in the policy.
This will make it much more difficult for the user to keep using the local user account as every time the group policy applies the Administrator permissions for the local account will be revoked.
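
The reconciliation a Restricted Groups "Members of this group" entry performs is shown below as an added PowerShell example, not code from the thread or from Microsoft: members of BUILTIN\Administrators that are not on the allow-list are removed, listed members that are missing are added back, and the built-in Administrator (RID 500), which Windows will not let you remove from the group anyway, is left alone. It supports -WhatIf for a dry run on a test laptop and can then be scheduled (for instance as a GPO Scheduled Task) at the same cadence as the 90-minute policy refresh. The CONTOSO names in the call are placeholders, and the Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 plus an elevated session are assumed.

```powershell
# Added example (not from the original thread): enforce an exact membership list
# for the local Administrators group, the way a Restricted Groups policy does.

function Sync-LocalAdministrators {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Exactly who may remain, in the DOMAIN\Name or COMPUTER\Name form that
        # Get-LocalGroupMember reports.
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $group   = 'Administrators'
    $members = @(Get-LocalGroupMember -Group $group)
    $results = @()

    foreach ($m in $members) {
        # The built-in Administrator (RID 500) cannot be removed from Administrators;
        # Restricted Groups leaves it alone as well.
        if ($m.PrincipalSource -eq 'Local' -and $m.SID.Value -like '*-500') { continue }
        if ($Allowed -contains $m.Name) { continue }

        # Anything else is what the user added to keep a local admin account alive.
        if ($PSCmdlet.ShouldProcess($m.Name, "Remove $($m.PrincipalSource) principal from $group")) {
            Remove-LocalGroupMember -Group $group -Member $m
        }
        $results += [pscustomobject]@{ Principal = $m.Name; Source = $m.PrincipalSource; Action = 'Remove' }
    }

    # Restricted Groups also (re)adds listed members that are missing, so do the same.
    foreach ($name in $Allowed) {
        if ($members.Name -contains $name) { continue }
        if ($PSCmdlet.ShouldProcess($name, "Add to $group")) {
            try {
                Add-LocalGroupMember -Group $group -Member $name -ErrorAction Stop
            } catch {
                # Adding a domain principal needs a reachable DC; report rather than abort.
                $results += [pscustomobject]@{ Principal = $name; Source = 'Policy'; Action = "AddFailed: $($_.Exception.Message)" }
                continue
            }
        }
        $results += [pscustomobject]@{ Principal = $name; Source = 'Policy'; Action = 'Add' }
    }
    return $results
}

# Dry run first; drop -WhatIf once the allow-list is confirmed.
Sync-LocalAdministrators -Allowed @(
    'CONTOSO\Domain Admins',           # placeholder domain
    'CONTOSO\Laptop-Admins',           # the users who genuinely need admin rights
    "$env:COMPUTERNAME\Administrator"  # built-in account, kept for offline recovery
) -WhatIf
```

As zalazar says, the user can put the local account back between runs; the value of the loop is that the window closes at every refresh and the log of removals shows who keeps doing it.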
 

Assisted Solution

by:MushroomStamp
MushroomStamp earned 1 total points (awarded by participants)
ID: 41765371
Thanks everyone.  Although not what I wanted to hear, it's what I figured was the case.   I will find another way to skin this cat. I have Cisco Firepower and will go that route. Was just hoping for a GPO way to do this.

p.s. I posted that it must be Admin in order to cut down on lengthy conversation. Some, though, want to make it a point anyway. So for those: it is custom software written years ago that has many legacy limitations and 100% requires Admin. I've been in IT for 25+ years; this isn't my first rodeo.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 41765450
Questions should not be deleted just because the answer is "You cannot".
 

Author Comment

by:MushroomStamp
ID: 41788522
I never deleted it. Thank you very much. I merely did a close request.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 41788579
No, the correct answer is that with work ANY software can be made to run without being a local admin; you just need to put a LOT of effort into making it.
