Re: How to deny log on locally
- From: "Cary Shultz" <cwshultz@xxxxxxxx>
- Date: Mon, 13 Feb 2006 08:50:58 -0500
Youssef,
There is an easy way to make this happen. You are correct in that you can
do this via GPO.
Look at the 'Deny log on locally' policy. Here is an article.
http://mcpmag.com/columns/article.asp?EditorialsID=833
The concept here is the same as what you want to accomplish. Well, the
first part. The second part is something that I would strongly suggest that
you re-think. There is no reason for domain users to log on locally
(meaning, that instead of logging on with his/her Domain user account object
he/she logs on local to such and such a machine with a local user account).
Consider this example for a second!
You have four departments in your environment: Finance, Accounting,
Marketing/Sales and Customer Service.
Let's just say that you do not want anyone from Customer Service to be able
to log on to any of the machines in the Finance department or in the
Accounting department. So, you do this:
You create four OUs for the different computers: one called Finance
Workstations, one called Accounting Workstations, one called MKTG/Sales
Workstations and one called CS Workstations. You place all of the computer
account objects from the Finance department in the Finance Workstations OU,
all of the computer account objects from the Accounting department in the
Accounting Workstations OU, etc. You already have four security groups in
place (one for the Finance guys, one for the Accounting guys, one for the
Marketing/Sales guys and one for the CS guys) and we are going to use them.
Well, one of them.
Go to the Finance Workstations OU and create a GPO. See the article for the
who, what, where and how. You will use the Customer Service Security Group -
that already existed - in this GPO.
Reboot the systems. Now, try to log on to the domain using one of the user
account objects from a Customer Service user. It will not work. You will
get a message stating something to the effect that this user account object
is not allowed to logon....
But, I am not sure that this is what you mean....
If you are asking with #1 how do you prevent users from logging on to a
machine locally (meaning, using a local user account) then I am not sure how
you prevent this, other than making sure that they do not know what the
local Administrator password is so that they cannot log on as that and then
create their own local user account. Also, making sure that their domain
user account object is not part of the local Administrators group......
If that is the case then consider using another GPO to change this. Look at
Restricted Groups. This is a pretty restrictive Policy and if you do use
this (should it apply) be aware that the default behavior is to flush the
members of the current "focus group" - in this case, the local
Administrators group - and to replace the membership with whatever
users/groups you specify. You want to remember to include as one of the
groups the Domain Admins group. Otherwise you are creating a potential
nightmare for yourself.
--
Cary W. Shultz
Roanoke, VA 24012
"youssef" <youssef@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A88AA816-45E3-4C2B-BE74-9C38A9FF6973@xxxxxxxxxxxxxxxx
Hi everyone,
I have two questions:
1. How can I prevent users in an OU from logging on to their local machines by
using group policy?
2. If a user wants to log on locally to his machine without logging on to the
domain, how can I control or apply a policy to his local machine?
Thank you,
youssef
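As an added illustration of the 'Deny log on locally' mechanism Cary describes (this code is not part of the thread), the following Python reads a constructed secedit-style rights export and decides whether an account's token SIDs would be granted interactive logon on that workstation. It also shows the general rule, not spelled out above, that a deny right overrides an allow right, so a member of Administrators who is also in the denied Customer Service group is still refused. All SIDs and group memberships are constructed for the example.

```python
import configparser

# Constructed secedit-style export (the [Privilege Rights] section is what
# `secedit /export /cfg` writes); the SIDs are made up for this example.
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
"""

# Constructed token group SIDs for three domain accounts on a Finance workstation.
TOKENS = {
    "cs_user":      {"S-1-5-32-545", "S-1-5-21-1000-2000-3000-1105"},  # Users + CS group
    "finance_user": {"S-1-5-32-545", "S-1-5-21-1000-2000-3000-1106"},  # Users + Finance group
    "domain_admin": {"S-1-5-32-544", "S-1-5-21-1000-2000-3000-1105"},  # Administrators and CS group
}

def parse_privilege_rights(text):
    """Return {right_name: set of SIDs} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the SeXxx right names case-sensitive
    cp.read_string(text)
    rights = {}
    for name, value in cp["Privilege Rights"].items():
        rights[name] = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
    return rights

def interactive_logon(rights, token_sids):
    """Decide interactive logon for a token; a deny right always beats an allow right."""
    denied = token_sids & rights.get("SeDenyInteractiveLogonRight", set())
    if denied:
        return False, "denied via " + ",".join(sorted(denied))
    allowed = token_sids & rights.get("SeInteractiveLogonRight", set())
    if allowed:
        return True, "allowed via " + ",".join(sorted(allowed))
    return False, "no SeInteractiveLogonRight granted"

def evaluate_all(export=SECEDIT_EXPORT, tokens=TOKENS):
    rights = parse_privilege_rights(export)
    return {user: interactive_logon(rights, sids) for user, sids in tokens.items()}

if __name__ == "__main__":
    for user, (ok, why) in evaluate_all().items():
        print(f"{user:13s} {'LOGON' if ok else 'DENIED':7s} {why}")
```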