IslanderIT asked:
Prevent a user from logging on to a physical server?

How do I prevent a particular domain admin user from signing in on the actual physical server?
Rob Knight:

Windows devices have an "Allow log on locally" policy option: if you create a group of the users you want to be able to log on locally and don't include that user, then they would be blocked from logging on.
So you can either edit the local server policy or do it via an AD group policy.

The other option is to add the user to the "Deny log on locally" policy.
These can be found under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

The easiest way would be to create a local group called "deny logins", add the user to that group, and then add the group to the "Deny log on locally" policy.
You can add the domain admin in question to the deny local login policy on the server, if it isn't a domain controller. If it is a domain controller, the policy applies to ALL domain controllers.

If the person can't be trusted to login to the server, or can't be trusted to NOT login to the server, why are they domain admin?

Note that a domain admin can always undo whatever technical obstacle you try to put in, as they have rights to make any change necessary.
Doing things to prevent DOMAIN ADMINS from logging on is unwise. You run the risk of locking yourself out of the system. No one should be a domain admin who shouldn't be a domain admin. If you want to block him, then he shouldn't be a domain admin.
IslanderIT (asker):

The person has admin rights, but I don't want him to log in to the physical server. What I did was: I went to my domain controller > Local Security Policy > User Assignment > Deny log on locally, and then I added his name there. Did I do this right?
The physical server is a DC? You will now have prevented them from logging in to every DC... which then begs the question: why are they a domain admin to begin with? Perhaps they can be given fewer permissions.
Yes, the physical server is a DC. I want that person to be able to log in from any computer so he can install an application, but I don't want that person to log in to the physical server.
ASKER CERTIFIED SOLUTION
kevinhsieh
This solution is only available to members.
Great, I will look into that. Again, thanks. I really appreciate your assistance.
Thank you everyone :)
You can still leave him as an admin, but in his account you can add the computers he can actually log in to by opening user properties -> Account -> Log On To... and selecting all the computers this person has access to.
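The two mechanisms discussed in this thread (the per-account "Log On To..." workstation list and the "Deny log on locally" user right on the DC) can both be set and checked from PowerShell. The following is an added example, not code from the thread or from Experts Exchange; it assumes the RSAT ActiveDirectory module is installed, and the user name `jdoe` and workstation names `WS01` and `WS02` are hypothetical placeholders.

```powershell
# Added example (not from the original thread).
# Assumes the RSAT ActiveDirectory module; 'jdoe', 'WS01' and 'WS02' are placeholders.
Import-Module ActiveDirectory

$user    = 'jdoe'
$allowed = 'WS01,WS02'   # comma-separated NetBIOS names; the DC is deliberately NOT listed

# 1) "Log On To..." restriction. This writes the userWorkstations attribute, so the
#    account can only log on interactively to the machines in the list. Leaving the DC
#    out of the list is what blocks the console logon the asker wanted to prevent.
Set-ADUser -Identity $user -LogonWorkstations $allowed
Get-ADUser -Identity $user -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# 2) Inspect who currently holds "Deny log on locally" on this machine.
#    The right's internal name is SeDenyInteractiveLogonRight; secedit exports the
#    effective local security policy (run this on the DC, elevated).
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    'SeDenyInteractiveLogonRight is not assigned to anyone on this machine.'
} else {
    # secedit writes SIDs prefixed with '*' and well-known names without a prefix.
    $entries = ($line.Line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolvable SID)' }
            "{0} -> {1}" -f $sid.Value, $name
        } else {
            $e
        }
    }
}

# 3) Sanity check the point several answers made: is this account still a Domain Admin?
#    If so, none of the above is a real control, since the account can undo it.
$isDA = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SamAccountName -eq $user }
if ($isDA) { "WARNING: $user is a member of Domain Admins and can reverse these settings." }
```

Two caveats when using this on a domain controller: user rights such as "Deny log on locally" on DCs are normally governed by a GPO linked to the Domain Controllers OU, so a value edited in Local Security Policy is overwritten at the next policy refresh if that GPO defines the right, and whatever you set there applies to every DC, not just the one physical box. The "Log On To..." list is evaluated at logon by the DC, so it does restrict console logons to machines it does not name, but it is an attribute on the account itself, which a Domain Admin can clear.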