Block all 'Domain Users' from logon to 30 critical PCs except a group of 40 authorized users

I'll need to revisit the above EE post: I've just implemented the simplest solution by Lee W (i.e. ID: 42292327) by removing "Domain Users" from the local "Users" group on 2 of the PCs and rebooted them, but using one of the 'unauthorized' AD IDs I could still log on to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?

Under the local "Users" group, there are 2 more members (after removing "Domain Users"): could these 2 groups be the reason why the unauthorized AD IDs could still log in?
  1. NT AUTHORITY\Authenticated Users (S-1-5-11)

I guess it's not safe to remove the above 2 from the local "Users" group, right?

I'm looking for the next simplest solution, so which among them are easiest
considering there are 30 PCs with 40 authorized staff?

Currently if we issue "Net user /domain any_AD_Id", the output will show a line "Could logon to any workstations": I guess this is (one of) the problems.
Robert (System Admin) commented:
I would create a security group with the users that should be allowed to logon to the computers then create a GPO and apply it to the machines. The policy would need to set the "allow logon locally" to be only that security group.
An affirmative approach is better and easier to implement compared to trying to reverse access

Likely, the two users in question had membership in a group that at some point became authorized.

The other difficulty is inherent to the situation you find yourself in.
I know users can be limited to the computers to which they can log in; I have not looked at whether the computer object can be set within AD to specify which users and groups are authorized to access this system.
Lee W, MVP (Technology and Business Process Advisor) commented:
> 1. NT AUTHORITY\Authenticated Users (S-1-5-11)
> I guess it's not safe to remove the above 2 from local "Users" group, right?

Why wouldn't it be?

As long as the user is a member of AT LEAST 1 group in the list of Users, that should be all you need.

I wouldn't remove Interactive, but I would definitely remove Authenticated Users - Any user that logs in is authenticated!

Further, it's extremely unwise implementing ANY forum recommendation without TESTING first.  And testing is easy - setup a VM and TEST!
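The following is an added example, not code from the thread, to do the TEST Lee W calls for on one critical PC: it exports the effective local policy with secedit, shows which principals hold the interactive logon rights, and lists who sits in the local "Users" group so you can see why an "unauthorized" domain account still gets in. It assumes an elevated PowerShell 5.1 or later session on the PC (Get-LocalGroupMember) and that the sample "broad" principal names are the ones you want flagged.

```powershell
# Added example (not from the thread): audit effective logon rights on one critical PC.
# Run elevated; secedit needs admin rights to export the local policy.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The [Privilege Rights] section has lines such as:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
# Resolve each SID to a name; keep the raw SID if it no longer resolves.
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = @($Matches[2] -split ',' | ForEach-Object {
            $sid = $_.Trim().TrimStart('*')
            try { (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
            catch { $sid }
        })
    }
}
Remove-Item $inf -Force

# "Allow log on locally" is SeInteractiveLogonRight; the deny right wins over it.
# "Access this computer from the network" is a different right (SeNetworkLogonRight).
foreach ($r in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight', 'SeNetworkLogonRight') {
    "$r :"
    if ($rights.ContainsKey($r)) { $rights[$r] | ForEach-Object { "  $_" } } else { "  (not set)" }
}

# Local "Users" normally holds SeInteractiveLogonRight, so anyone nested in it can log on.
# A broad principal here (every domain account matches it) is the usual reason the
# restriction seems not to work even after "Domain Users" was removed.
$broad = 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'   # assumed list
"Members of local Users group:"
Get-LocalGroupMember -Group 'Users' | ForEach-Object {
    $flag = ''
    if ($broad -contains $_.Name -or $_.Name -like '*\Domain Users') {
        $flag = '   <-- broad: any domain account is a member of this'
    }
    "  $($_.Name) [$($_.ObjectClass)]$flag"
}
```

Run it before and after a change on a test PC; the restriction only holds once no broad principal appears under SeInteractiveLogonRight or inside a group that holds it.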
Maclean (System Engineer) commented:
I haven't read the article mentioned, but what I would do is create 1 GPO for special PC access, and under security filtering remove all options, then add an AD security group containing the 30 PCs in question.
When done edit the GPO and go to

Computer Configuration>>Policies>>Windows Settings>>Security Settings>>Local Policies.

In here select "Allow logon locally" and select the user group allowed to access the PCs targeted through the security filtering group.
Alternatively fill in "Deny log on locally" and select the user group of users not allowed to log on, and do not use "Allow log on locally".
Deny is more powerful so doing it the alternative way might force what you are looking for.

I would assume that to work. Do test first of course to a test PC.
sunhux (Author) commented:
> I would definitely remove Authenticated Users - Any user that logs in is authenticated!
If we remove the above, then the authorized payment staff also won't be able to login then?
So do we still remove this??

I'm not Wintel-trained: care to provide step by step (with screenshots attached here) instructions?
Maclean's instructions are quite detailed but it will help if screenshots are attached.
Shaun Vermaak (Technical Specialist IV) commented:
Lee W, MVP (Technology and Business Process Advisor) commented:
If we remove the above, then the authorized payment staff also won't be able to login then?
So do we still remove this??

Of course... and you ADD the payment staff's group...
You have to be careful with the allow log on right to include all the requisite groups: the security group and Administrators.

Another option is to use restricted groups on these systems, kicking out all users from users to only include a security group.

In either situation a member of this security group is authorized to access all the restricted PCs. If you need to more tightly manage access, this means you have to have a security group for each system, where each system will only allow local login to members of the group named for that computer.
This way you more tightly control the number of individuals who can have access to each system.
Lee W, MVP (Technology and Business Process Advisor) commented:
Let me rephrase, what I think arnold is saying.

Instead of specifying each group that can access the machine, create a SPECIAL group called (for example) Restricted Computer Access.  Then ONLY members of that group can log in to those 30 critical machines.  Then you put the 40 authorized users in that one group and it doesn't matter if they are payment groups or anything else...
Thanks lee,

For sake of simplicity you have three systems to which restricted access is needed.

You either create a single secure_my_systems and this group is the allow local login on each of the three systems

A more controlled
Each system will have its own security group authorizing access.
This way only members of security_system1 will be allowed to log in to system1.
Potentially excluding administrative users unless specifically authorized.

It all depends on requirement and level of security you now have to apply.
Potentially those systems are sensitive such that granting a significant

Another possibility is to use smartcards, and only a user authorized that way will be able to access.

Two-factor auth with a key fob...
sunhux (Author) commented:
So with the instructions from Arnold & Lee (the last 3 above), do I still need to:
a) create an OU to group these 30 critical PCs? (this is rather complicated for me to comprehend as a non-Wintel person)
b) remove the following from being a member of the local "Users" group:
  1. NT AUTHORITY\Authenticated Users (S-1-5-11)
The difficulty as noted is you wish to impose restrictions after the fact.
what is the issue, organization
You could use an AD security group, restricted_computers
Add these computers as members of this security group
Create a GPO computer that changes the allow local logon on to the created security group Authorized_users_to_access_servers of which only individuals authorized access.
Using the security filter as to which systems this Computer GPO applies to you would replace the authenticated_user with restricted_computers

In this situation, a record has to be maintained to add a new system that serves this role/function to the restricted_computers security group, in a similar way one would have if there was a specific OU into which the system would need to be placed.

If you have a forest, create a similar Branch_Restircted_system_OU into which these systems need to be placed... during the upgrade cycles.
Maclean (System Engineer) commented:
Open Group Policy Management & Right click Group Policy Objects to select "New"

Create New GPO
On the new GPO under the tab Scope, remove authenticated users and put in the group name or the PC names on which you wish to allow special users.

Right click the new GPO and select EDIT, then browse down to Computer Configuration>>Policies>>Windows Settings>>Security Settings>>Local Policies>>User Rights Assignment & select "Access this computer from the network". then when the option is highlighted either double click it to edit, or right click & select properties

Access from network
On adding user or group select who is allowed to access the PC over the network.
e.g. Administrators and the group of users you authorized. Click "Check name" as well to make sure what you typed is correct.
Mine is an example showing local user group administrators. If you use a domain group I would expect to see "DOMAIN\Special Users" or whatever the group is named.

When done, browse the AD for your test OU folder containing one of the restricted PCs, link the policy, wait a few minutes for replication (15 usually works), reboot the test PC, and try to log in as a non-authorized user.
If blocked, test an authorized user.
If both are successful you can apply the GPO to the remaining systems. If not, post here for advice.
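As an added example (not the thread's own steps or any product's script) covering the AD-side part of what arnold and Maclean describe: a computer security group for the critical PCs, a user security group for the authorized staff, and a computer GPO whose security filtering applies only to the computer group. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) on a management host, and all group, GPO and member names are assumptions; the user-right itself ("Allow log on locally") still has to be set in the GPO editor as Maclean shows, since the GroupPolicy module has no cmdlet for User Rights Assignment.

```powershell
# Added example (not from the thread): provision the groups and the filtered GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ComputerGroup = 'Restricted_Computers'        # assumed name: holds the 30 critical PCs
$UserGroup     = 'Restricted_Computer_Access'  # assumed name: holds the 40 authorized staff
$GpoName       = 'Restrict Local Logon - Critical PCs'   # assumed name
$LinkTarget    = (Get-ADDomain).DistinguishedName        # link at domain root; filtering limits scope

# Constructed sample members; replace with the real computer and user lists.
$CriticalPCs     = 'PC-FIN01', 'PC-FIN02'
$AuthorizedUsers = 'alice', 'bob'

# 1. One global security group each for the computers and for the authorized users.
foreach ($g in $ComputerGroup, $UserGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
Add-ADGroupMember -Identity $ComputerGroup -Members ($CriticalPCs | ForEach-Object { Get-ADComputer $_ })
Add-ADGroupMember -Identity $UserGroup     -Members $AuthorizedUsers

# 2. Computer GPO. Security filtering: Authenticated Users keeps Read only (the computer
#    must still be able to read the GPO during processing) and no longer applies it;
#    only members of the computer group get Apply.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup        -TargetType Group -PermissionLevel GpoApply
New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. In the GPO editor (Computer Configuration > Policies > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment) set "Allow log on locally" to Administrators and
#    $UserGroup. A computer joins the scope by being added to $ComputerGroup and rebooted,
#    which is the record-keeping arnold mentions; review that group regularly.
Get-ADGroupMember $ComputerGroup | Select-Object Name
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

Test on one PC first: after the reboot, an account outside the user group should be refused at the logon screen while a member of it (and Administrators) still gets in.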

sunhux (Author) commented:
Very much appreciated, Maclean.

Give me 2 more days & I'll close this