troubleshooting Question
Block all 'Domain Users' from logon to 30 critical PCs except a group of 40 authorized users
https://www.experts-exchange.com/questions/29056334/Steps-to-block-AD-IDs-from-login-to-30-critical-PCs.html
I'll need to revisit the above EE post : I've just implemented the simplest solution by Lee W ie
ID: 42292327 by removing "Domain Users" from the local "Users" group on 2 of the PCs, rebooted them but using one of the 'unauthorized' AD Id, could still logon to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?
Under the local "Users" group, there are 2 more members (after removing "Domain Users"): could these 2 groups be the reason why the unauthorized AD Ids could still login?
1. NT AUTHORITY\Authenticated Users (S-1-5-11)
2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
I guess it's not safe to remove the above 2 from local "Users" group, right?
I'm looking for the next simplest solution, so which among them are easiest
considering there are 30 PCs with 40 authorized staff?
Currently if we issue "Net user /domain any_AD_Id" , output will show
a line "Could logon to any workstations" : guess this is (one of) the problem
I'll need to revisit the above EE post : I've just implemented the simplest solution by Lee W ie
ID: 42292327 by removing "Domain Users" from the local "Users" group on 2 of the PCs, rebooted them but using one of the 'unauthorized' AD Id, could still logon to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?
Under the local "Users" group, there are 2 more members (after removing "Domain Users"): could these 2 groups be the reason why the unauthorized AD Ids could still login?
1. NT AUTHORITY\Authenticated Users (S-1-5-11)
2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
I guess it's not safe to remove the above 2 from local "Users" group, right?
I'm looking for the next simplest solution, so which among them are easiest
considering there are 30 PCs with 40 authorized staff?
Currently if we issue "Net user /domain any_AD_Id" , output will show
a line "Could logon to any workstations" : guess this is (one of) the problem
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 7 Answers and 14 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.