How to Block Users on a Machine from Logging In Locally

Posted on 2016-08-19
Last Modified: 2016-09-26
I have a group of machines in a particular OU.

1) Users are Admins (Certain software that is run requires this). Written in stone, not up for debate.
2) User has domain login but is choosing to login locally. (Tin foil hat paranoid kind of user)
3) Machines are Laptops

I need to be able to prevent them from logging in locally, so they are forced to sign in to the domain. This needs to be done via GPO, so that any machines in the OU are affected.

I tried using (in GPO) CompConfig > WinSetting > SecSetting > LocalPolicy > UserRight > Deny log on locally

The problem is, that also prevents them from signing on with their domain account if they are offline.

So I need to prevent users from logging in to a local account without binding up the cached domain credentials on the laptops.

Laptops are running Windows 10; AD runs on 2012 R2.
Question by:MushroomStamp
LVL 96

Assisted Solution

by:Experienced Member
Experienced Member earned 166 total points (awarded by participants)
ID: 41763030
Users are Admins (Certain software that is run requires this). Written in stone, not up for debate. User has domain login but is choosing to login locally

So I need to prevent users from logging in to Local

If I am the admin of a machine (domain or local), I can do whatever I want including making a new user account to log in however I want.

So I do not think you can realistically do what you want.
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 166 total points (awarded by participants)
ID: 41763051
1) .... I have never found a piece of software that ACTUALLY needs a user to be a local admin. There is a way 99.99% of the time to create a policy that will allow it to run if you know what to do.
Otherwise, as John said, an admin on a computer can do as they please.
LVL 12

Accepted Solution

zalazar earned 167 total points (awarded by participants)
ID: 41763087
I agree with John here that it will be quite difficult because the user is also Administrator.

You could try to see if it's possible to set a GPO to only allow domain users and system accounts in "Allow log on locally".
Allow log on locally: LOCAL SERVICE;NETWORK SERVICE;SYSTEM;DOMAIN1\Authenticated Users
This has the consequence that any local user is not able to logon anymore.
Also not in case the domain is not available and troubleshooting is needed.
It might also have an impact on some Windows functions so therefore please test it first on a test laptop.
Because of these consequences I would actually not recommend this setting.

About the user not being able to sign in while offline:
The users should log on at least once while they are on the network.
After that the account password will be cached and they should be able to log on with their domain account while they are offline as well.
Setting: Interactive logon: Number of previous logons to cache in case domain controller is not available, the default value is 10.
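The answer above turns on two settings that can be checked on a laptop before and after the GPO is applied: the effective "Allow log on locally" / "Deny log on locally" lists, and the cached logon count. The script below is an added audit example written for this page, not code from the thread or from Microsoft. It assumes it is run elevated on a domain-joined Windows 10 host; it exports the effective User Rights Assignment with secedit, resolves the SIDs, and reads CachedLogonsCount from the Winlogon key. It also flags the case the question ran into: a principal that is in both the Allow and the Deny list is denied, because Deny always wins.

```powershell
# Added audit script, not from the thread. Run elevated on a domain-joined
# Windows 10 host; "DOMAIN1" in the answer above is only a placeholder name.
$ErrorActionPreference = 'Stop'

function Convert-SidToName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid    # keep the raw SID if it cannot be resolved (deleted account, DC unreachable)
    }
}

# 1. Export the effective User Rights Assignment (local policy merged with GPO)
#    and parse the [Privilege Rights] section. Entries look like
#    SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545   (SIDs are prefixed with *)
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) { Convert-SidToName $v.Substring(1) } else { $v }
        })
    }
}
Remove-Item -Path $cfg

$allow = @($rights['SeInteractiveLogonRight']     | Where-Object { $_ })
$deny  = @($rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ })
"Allow log on locally : $($allow -join '; ')"
"Deny log on locally  : $($deny -join '; ')"

# Deny overrides Allow. This is why the "Deny log on locally" attempt in the
# question also blocked the cached domain logon for the same users.
$conflict = $allow | Where-Object { $deny -contains $_ }
if ($conflict) {
    Write-Warning "Denied despite being in the allow list (deny wins): $($conflict -join '; ')"
}
if ($allow -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'BUILTIN\Administrators is not in the allow list; Windows requires it to be'
}

# 2. Offline domain logon depends on cached credentials. CachedLogonsCount is a
#    REG_SZ under Winlogon and is treated as 10 when the value is absent.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
"Cached domain logons : $cached"
if ([int]$cached -eq 0) {
    Write-Warning 'CachedLogonsCount is 0: domain users cannot log on while the DC is unreachable'
}
```

Run it once before applying the GPO and once after `gpupdate /force` on a test laptop; the two allow lists should differ only by the principals the policy sets, and the cached logon count should still be non-zero, otherwise the offline case from the question will break again.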
LVL 96

Expert Comment

by:Experienced Member
ID: 41763092
If you prevent a local user from logging on, it may become necessary to reinstall Windows as you may need a local user for something.
LVL 12

Expert Comment

ID: 41763132
It should actually be:
but I just noticed that it's not possible unfortunately as Windows will show the message: "Administrators must be granted the logon local right".

One other option could be something with a logon script (at a network location) which checks whether the user is local or domain.
In the case of a local user a forced logoff could be executed.
This will not work, though, when the user works offline or if the user connects the network cable after he has logged on with a local account.
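The logon-script idea above can be written so that it does not rely on the account name to decide whether the session belongs to a local account: every local account's SID carries the machine SID, and the built-in Administrator (always RID 500) is a stable source for that machine SID even when it has been renamed or disabled. The script below is an added example written for this page, not code from the thread. It assumes it is assigned through a GPO logon script stored on a network share, so, exactly as the comment says, it only runs when that share is reachable at logon. Without `-Enforce` it only reports; with `-Enforce` it logs the local-account session off.

```powershell
# Added example logon script, not from the thread. Assumed to be deployed via
# User Configuration > Policies > Windows Settings > Scripts (Logon) from a
# network share, so it runs only when the share is reachable at logon time.
param([switch]$Enforce)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Any local account's SID is <machine SID>-<RID>. The built-in Administrator is
# RID 500 on every Windows install, so its SID yields the machine SID reliably.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
$machineSid   = $builtinAdmin.SID.AccountDomainSid.Value

# A domain account's AccountDomainSid is the domain SID, which never equals the
# machine SID, so this comparison separates the two cases without string parsing.
$isLocalAccount = ($identity.User.AccountDomainSid.Value -eq $machineSid)

"User           : $($identity.Name)"
"Account domain : $($identity.User.AccountDomainSid.Value)"
"Machine SID    : $machineSid"
"Local account  : $isLocalAccount"

if ($isLocalAccount) {
    Write-Warning "Local account $($identity.Name) signed in interactively on $env:COMPUTERNAME"
    if ($Enforce) {
        # Ends the current interactive session; the user lands back at the sign-in screen.
        logoff.exe
    }
}
```

Because the user is a local administrator, this only raises the effort of using a local account; it does nothing for an offline logon, and a user who finds the script can simply stop it from running.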
LVL 10

Expert Comment

by:Tim Edwards
ID: 41763144
Are there AD user accounts that are a part of the local admins group as well?
LVL 37

Expert Comment

by:Neil Russell
ID: 41763162
Far too often companies say...

Oh it won't run unless you are a local admin..

And IT staff take their word for it. Do some work with Process Explorer for a few hours and you can get users running almost anything without being a local administrator; it is just a bit of hard work to figure out what access is needed where.

Expert Comment

by:saumik belel
ID: 41763617
Kindly take a look at your GPO to see if this is configured correctly.

Place computer in OU, set GPO:  Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on locally

Set the allowed users that these computers will allow to log in. I added the one user as well as Administrators and Domain Admins.
LVL 37

Expert Comment

by:Neil Russell
ID: 41763621
Yes saumik, ADMINISTRATORS, and as the OP has the users set as local admins they can log in.
LVL 12

Expert Comment

ID: 41764631
What you maybe could do is setup a GPO with Restricted Groups or Group Policy Preferences.
In this way you can force that the "Administrators" group only contains the defined users/groups.
The user will still be able to modify the "Administrators" group but every time the policy applies to the computer (by default every 90 minutes), the "Administrators" group is set back to what you defined in the policy.
This will make it much more difficult for the user to keep using the local user account as every time the group policy applies the Administrator permissions for the local account will be revoked.
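The Restricted Groups approach above works because the policy re-applies on every refresh, not because the user is unable to change the group. A local stand-in for that behaviour, useful for testing the membership list before pushing the GPO or for a laptop that is rarely on the network, is shown below. It is an added example written for this page, not code from the thread or from Microsoft. It assumes it runs elevated (for instance as a SYSTEM scheduled task every 90 minutes, mirroring the GPO refresh) and the two group names are placeholders for the real domain groups.

```powershell
# Added example, not from the thread: a local equivalent of a Restricted Groups
# "Members of this group" policy for BUILTIN\Administrators. Assumed to run as
# SYSTEM from a scheduled task. Group names below are placeholders.
param([switch]$Enforce)

$allowed = @(
    'DOMAIN1\Domain Admins',    # placeholder
    'DOMAIN1\Laptop-Admins'     # placeholder
)

$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    # The built-in Administrator (RID 500) cannot be removed from the
    # Administrators group, so keep it explicitly rather than trying.
    $isBuiltin = $m.SID.Value -like 'S-1-5-21-*-500'

    if ($isBuiltin -or ($allowed -contains $m.Name)) {
        "keep   : $($m.Name) [$($m.PrincipalSource)]"
        continue
    }

    # Everything else, including a local account the user created for
    # themselves, loses its membership on each run.
    "remove : $($m.Name) [$($m.PrincipalSource)]"
    if ($Enforce) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
    }
}
```

Run it without `-Enforce` first and read the keep/remove lines; the `PrincipalSource` column (Local versus ActiveDirectory) is the quickest way to spot local accounts that were added by hand. As with the policy itself, an administrator can re-add the account or delete the task, so this raises the cost of using a local account rather than preventing it.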

Assisted Solution

MushroomStamp earned 1 total points (awarded by participants)
ID: 41765371
Thanks everyone.  Although not what I wanted to hear, it's what I figured was the case.   I will find another way to skin this cat. I have Cisco Firepower and will go that route. Was just hoping for a GPO way to do this.

p.s. I posted that it must be Admin in order to cut down on lengthy conversation. Some, though, want to make it a point anyway. So for those: it is custom software written years ago that has many legacy limitations and 100% requires Admin. I've been in IT for 25+ years, this isn't my first rodeo.
LVL 37

Expert Comment

by:Neil Russell
ID: 41765450
Questions should not be deleted just because the answer is "You cannot".

Author Comment

ID: 41788522
I never deleted it. Thank you very much. I merely did a close request.
LVL 37

Expert Comment

by:Neil Russell
ID: 41788579
No, the correct answer is that with work ANY software can be made to run without being a local admin, you just need to put a LOT of effort into making it.
