Dwight Crane asked:
How to block users on a machine from logging in locally

I have a group of machines in a particular OU.

1) Users are admins (certain software that is run requires this). Written in stone, not up for debate.
2) User has a domain login but is choosing to log in locally. (Tin-foil-hat paranoid kind of user)
3) Machines are Laptops

I need to be able to prevent them from logging in locally... so they are forced to sign in to the domain. This needs to be done via GPO, so that any machines in the OU are affected.

I tried using (in GPO) CompConfig>WinSetting>SecSetting>LocalPolicy>UserRight>Deny log on locally

The problem is that this also prevents them from signing on with their domain account if they are offline.

So I need to prevent users from logging in to a local account without binding up the cached credentials for the domain on the laptops.

Laptops are running Windows 10; AD is run on 2012 R2.
SOLUTION by John (Canada): [content available to Experts Exchange members only]
SOLUTION: [content available to Experts Exchange members only]
ASKER CERTIFIED SOLUTION by zalazar: [content available to Experts Exchange members only]
If you prevent a local user from logging on, it may become necessary to reinstall Windows as you may need a local user for something.
zalazar:
It should actually be:
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Domain Users
but I just noticed that it's not possible unfortunately as Windows will show the message: "Administrators must be granted the logon local right".

One other option could be something with a logon script (at a network location) which checks whether the user is a local or a domain user.
In the case of a local user, a forced logoff could be executed.
However, this will not work when the user works offline, or if the user connects the network cable after having logged on with a local account.
Are there AD user accounts that are part of the local Administrators group as well?
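As an added example (not code from this thread or from any poster), here is how the local-versus-domain check that the logon-script idea above relies on can be written in PowerShell on Windows 10. Rather than comparing the `COMPUTERNAME\user` prefix, it compares the domain part of the signed-in user's SID with the machine SID, which is unambiguous. The log path, and the forced logoff itself, are assumptions for illustration; the offline limitation described above applies unchanged, because a script on a network share does not run when the laptop is off the network.

```powershell
# Added example, not code from the thread: a logon-script style check for
# "is the signed-in user a local SAM account or a domain account?".
# Requires Windows 10 PowerShell 5.1 (Get-LocalUser ships with it).
$LogPath = 'C:\ProgramData\LogonCheck\local-logons.log'   # assumed path

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The built-in Administrator account (RID 500) always exists and always carries
# the machine SID as its domain part, so it is a reliable way to learn that SID.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$machineSid   = $builtinAdmin.SID.AccountDomainSid

# A domain account's AccountDomainSid is the AD domain SID, not the machine SID.
$isLocalAccount = $identity.User.AccountDomainSid -eq $machineSid

# Record every check so local sign-ins are visible even in report-only mode.
$entry = '{0} {1} local={2}' -f (Get-Date -Format 's'), $identity.Name, $isLocalAccount
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Add-Content -Path $LogPath -Value $entry

if ($isLocalAccount) {
    # The forced logoff suggested above; comment out the shutdown line for
    # report-only mode. Offline laptops never reach this script at all.
    Write-Warning "Local account $($identity.Name) signed in; logging off."
    shutdown.exe /l
}
```

Run it as a user logon script; the log file gives a per-machine record of which accounts were used, which is useful on its own even if the forced logoff is not enabled.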
Far too often companies say...

"Oh, it won't run unless you are a local admin..."

And IT staff take their word for it. Do some work with Process Explorer for a few hours and you can get users running almost anything without being a local administrator; it's just a bit of hard work to figure out what access is needed where.
Kindly take a look at your GPO to check whether this is configured correctly.

Place the computer in the OU, set the GPO: Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally

Set the allowed users that these computers will allow to log in. I added the one user as well as Administrators and Domain Admins.
Yes saumik, ADMINISTRATORS, and as the OP has the users set as local admins, they log in.
What you could maybe do is set up a GPO with Restricted Groups or Group Policy Preferences.
In this way you can force the "Administrators" group to contain only the defined users/groups.
The user will still be able to modify the "Administrators" group, but every time the policy applies to the computer (by default every 90 minutes), the "Administrators" group is set back to what you defined in the policy.
This will make it much more difficult for the user to keep using the local user account, as every time the group policy applies, the Administrator permissions for the local account will be revoked.
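As an added example (not code from this thread or from any poster), the following PowerShell script does by hand what the Restricted Groups approach above does on each policy refresh: it compares the local Administrators group against an allowed list and, with `-Enforce`, removes anything else. Run without `-Enforce` it is a useful audit for spotting laptops where a local account keeps being re-added between refreshes. The allowed list is constructed for illustration; `DOMAIN1` is the domain name used earlier in this thread and `Laptop-Admins` is an assumed group name.

```powershell
# Added example, not code from the thread: audit (and optionally enforce) the
# local Administrators membership the way a Restricted Groups policy would.
# Needs an elevated Windows 10 PowerShell 5.1 session (LocalAccounts module).
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Constructed allowed list; the built-in Administrator stays in the group.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, RID 500
    'DOMAIN1\Domain Admins',
    'DOMAIN1\Laptop-Admins'              # assumed group name
)

$members = Get-LocalGroupMember -Group 'Administrators'

# -notin is case-insensitive, so COMPUTERNAME casing does not matter.
$unexpected = $members | Where-Object { $_.Name -notin $allowed }

foreach ($m in $unexpected) {
    # PrincipalSource distinguishes local SAM accounts ('Local') from AD ones
    # ('ActiveDirectory'), which is exactly the distinction this question is about.
    $msg = 'Unexpected Administrators member: {0} (source={1}, sid={2})' -f `
        $m.Name, $m.PrincipalSource, $m.SID.Value
    Write-Warning $msg
    if ($Enforce) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
        Write-Output "Removed $($m.Name) from Administrators"
    }
}

if (-not $unexpected) {
    Write-Output 'Administrators group matches the allowed list.'
}
```

Scheduled via a GPO-deployed task, this gives the same periodic reset the Restricted Groups setting provides, plus a warning line per deviation that can be collected centrally to see which machines are being tampered with.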
SOLUTION: [content available to Experts Exchange members only]
Questions should not be deleted just because the answer is "You cannot".
Dwight Crane (ASKER):

I never deleted it. Thank you very much. I merely did a close request.
No, the correct answer is that with work ANY software can be made to run without being a local admin, you just need to put a LOT of effort into making it.