Re: deny logon locally for other domain users

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 04/05/04 

Date: Mon, 5 Apr 2004 04:50:33 -0700

I believe the actual problem is in effective settings of the policy. I
assume you have edited "Deny Logon Locally" settings in local security
policy on these PCs. However, in Default Domain Policy this setting is also
defined, and the list is empty. Since domain policies override local
policies, the effective setting is that noone is denied local (interavtive)
logon privilege.
So yes, you have to edit domain policy. In fact, it would be a good idea to
create a policy specially for that purpose, define the setting(s) in that
policy, and apply it to all required computer accounts.

"GM" <GM@NOSPAM.NO> wrote in message news:c4ra4n$5mo$1@gaudi2.UGent.be...
> Hi,
>
> I want to make my computer (OS=Win2KPro) only accessible for certain
> domain users. The domain my PC is on, is a Win2000 domain.
> So on my PC, I created a group DenyLogon and added all those users/groups
> who I want to deny to login. So I added this group DenyLogon to the Deny
> Logon Locally policy of my PC ... but, this approach doesn't seem to work
> (yes I rebooted my computer after wards) :-(
>
> Anyone an idea what I did wrong ? Or can this only be accomplished by
> editing the domain policies ?
>
> Thanx in advance,
>
> Gaetan Martens
>

Relevant Pages

  • Re: GPO Replication to DMZ
    ... communicate with the domain controller in order for any Local Security ... Policy changes to be effective to make sure that no domain/OU settings will ... Effective settings never get set on the ... Local Security Policies never become active. ...
    (microsoft.public.win2000.security)
  • Re: Machine policy when user logged onto local machine
    ... Interesting point about effective settings. ... NB most of the time I'm logged in on a local machine account, ... had just been rebooting the client to force it to take the new policy. ... I've disabled the security policy for the moment until I've got a better ...
    (microsoft.public.win2000.security)
  • Re: Effect of "reversible encryption..." on Windows XP.
    ... > in the effective settings it is enabled. ... > hash present in registry is same irrespective of this setting. ... > creating new users after enabling/disabling the policy to check if the ... Don't you have to change the password after enabling this policy? ...
    (microsoft.public.security)
  • Re: shutdown permissions
    ... It should work as you described then, especially if effective settings show the ... If you have an XP Pro machine in the domain you can use the ... Group Policy Management Console on it to manage W2K domain policy ... The 2 rights were left as not defined. ...
    (microsoft.public.win2000.security)
  • Re: hiding contacts from directory search (LDAP)
    ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... policy and denying that right on the policy. ... the majority that I want to deny makes up about 80-90%. ...
    (microsoft.public.windows.server.active_directory)