Re: User Login



Bruce Sanderson wrote:
For a domain user account to be used to logon at a domain member, that user account must have the "logon locally" right.

Members of the local Administrators, Power Users and Users groups get this right automatically.

By default, the domain group called Domain Users is a member of the local Users group on all computers; this is usually why any domain user can logon at any domain member computer.

So, to prevent a domain user account from being used to logon at a domain member you have some choices:

1. put those user accounts into domain group and apply a GPO to the OU containing the computer accounts that denies the "logon locally" right to that group
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Deny log on locally - add the group containing the "email only" user accounts.

2. remove the "email only" user accounts from the Domain User group and any group that is a member of Domain Users. Note that when a new domain user account is created, it gets automatically added to the Domain Users group, so you need to remove this group from the Member of list for any "email only" user accounts created in the future.

3. remove the Domain Users group from the local Users group on the workstation computers and add a group containing all the user accounts that should be able to logon locally (essentially all users except the "email only" user accounts). You can set the membership of local user groups on domain member computers with a GPO using Restricted Groups (Computer Configuration, Windows Settings, Security Settings, Restricted Groups).


I have two questions. Why do I have to add the "email only" group to the GPO rights? Isn't it enough when the GPO is linked to the OU that contains the user accounts?

And I can't remove the users from the Domain User group. It tells me:

The primary group cannot be removed. Set another group as primary if you want to remove this one.
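
The error quoted above follows from how the primary group is stored, so option 2 needs a different primary group set first. The following is an added example, not part of the original posts: it assumes the RSAT ActiveDirectory PowerShell module, and a hypothetical global security group `EmailOnlyUsers` and constructed account name `mailonly01`.

```powershell
# Added example. Assumptions: ActiveDirectory module available; 'EmailOnlyUsers'
# is a hypothetical global security group holding the "email only" accounts.
Import-Module ActiveDirectory

function Move-PrimaryGroupOffDomainUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [string]$NewPrimaryGroup = 'EmailOnlyUsers'   # hypothetical name
    )

    # A user's primaryGroupID holds the RID of the group (its primaryGroupToken).
    $newGroup = Get-ADGroup -Identity $NewPrimaryGroup -Properties primaryGroupToken
    # Domain Users always has RID 513; looking it up by SID avoids localized names.
    $domainUsers = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID)-513" -Properties primaryGroupToken

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties primaryGroupID, memberOf
        $wasPrimary = $user.primaryGroupID -eq $domainUsers.primaryGroupToken

        # The user must already be a member of the group that becomes primary.
        if ($user.memberOf -notcontains $newGroup.DistinguishedName) {
            if ($PSCmdlet.ShouldProcess($name, "Add to $NewPrimaryGroup")) {
                Add-ADGroupMember -Identity $newGroup -Members $user
            }
        }

        # Switch the primary group; Domain Users then becomes an ordinary membership.
        if ($wasPrimary) {
            if ($PSCmdlet.ShouldProcess($name, "Set primary group to $NewPrimaryGroup")) {
                Set-ADUser -Identity $user -Replace @{ primaryGroupID = $newGroup.primaryGroupToken }
            }
        }

        # The primary group is not listed in memberOf, hence the separate $wasPrimary test.
        if ($wasPrimary -or $user.memberOf -contains $domainUsers.DistinguishedName) {
            if ($PSCmdlet.ShouldProcess($name, 'Remove from Domain Users')) {
                Remove-ADGroupMember -Identity $domainUsers -Members $user -Confirm:$false
            }
        }
    }
}

# Dry run first; drop -WhatIf to apply. 'mailonly01' is a constructed account name.
Move-PrimaryGroupOffDomainUsers -SamAccountName 'mailonly01' -WhatIf
```

Accounts removed from Domain Users also lose any access granted through that group, so check what it is used for before applying this; option 1 in the quoted post needs no membership change.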