troubleshooting Question

Block all 'Domain Users' from logon to 30 critical PCs except a group of 40 authorized users

sunhux asked on
Windows OS, Active Directory, OS Security
https://www.experts-exchange.com/questions/29056334/Steps-to-block-AD-IDs-from-login-to-30-critical-PCs.html

I'll need to revisit the above EE post: I've just implemented the simplest solution by Lee W, i.e. ID: 42292327, by removing "Domain Users" from the local "Users" group on 2 of the PCs and rebooting them, but using one of the 'unauthorized' AD IDs, I could still log on to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?

Under the local "Users" group, there are 2 more members (after removing "Domain Users"): could these 2 groups be the reason why the unauthorized AD IDs could still log in?
  1. NT AUTHORITY\Authenticated Users (S-1-5-11)
  2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
I guess it's not safe to remove the above 2 from the local "Users" group, right?


I'm looking for the next simplest solution, so which among them is easiest, considering there are 30 PCs with 40 authorized staff?

Currently, if we issue "Net user /domain any_AD_Id", the output will show a line "Could logon to any workstations": guess this is (one of) the problem
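
An added example, not part of the original question or of any answer on this page: a PowerShell audit of the local "Users" group on each critical PC that flags "Domain Users" and the two well-known SIDs listed in the question. The hostnames are constructed placeholders, and the script assumes PowerShell remoting (WinRM) is enabled on the target PCs.

```powershell
# Added example: report which members of the local "Users" group on each
# critical PC admit broad sets of accounts rather than named users/groups.
# Constructed placeholder hostnames; replace with the real list of PCs.
$Computers = @('CRITPC01', 'CRITPC02')

# Well-known SIDs from the question. A domain account receives these in its
# token at logon, independent of any domain group membership.
$BroadSids = @{
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
}

function Get-BroadUsersMember {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Assumption: WinRM remoting is enabled and the caller is a local admin.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $BroadSids -ScriptBlock {
        param($BroadSids)
        foreach ($m in Get-LocalGroupMember -Group 'Users') {
            $sid = $m.SID.Value
            # Domain Users is the domain SID followed by RID 513.
            $reason = if ($BroadSids.ContainsKey($sid)) { 'well-known logon SID' }
                      elseif ($sid -match '^S-1-5-21-.+-513$') { 'Domain Users (RID 513)' }
                      else { $null }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                SID      = $sid
                Broad    = [bool]$reason
                Reason   = $reason
            }
        }
    }
}

Get-BroadUsersMember -ComputerName $Computers |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, SID, Broad, Reason -AutoSize
```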