Re: Deny Log on Locally to some accounts through GPO



Ravs,
if you want to have these GP settings to take effect, you need to:
- specify target user accounts as part of the individual GP settings (which you already have done)
- link the GPO containing these settings to an OU where the target computer accounts reside (which you haven't done yet)

hth
Marcin

"Ravs" <Ravs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E38EF998-7076-4862-9EF9-8F3EE180F111@xxxxxxxxxxxxxxxx
The policy is under computer settings but it says

Deny log on locally

This security setting determines which users are prevented from logging on
at the computer. This policy setting supersedes the Allow log on locally
policy setting if an account is subject to both policies.

Default: None.

Important:
If you apply this security policy to the Everyone group, no one will be able to log on locally.


Deny log on through Terminal Services

This security setting determines which users and groups are prohibited from logging on as a Terminal Services client.

Default: None.

Important:
This setting does not have any effect on Windows 2000 computers that have
not been updated to Service Pack 2.

So it appears to me that these policies apply to users and not computers, based on the description.
I may be wrong though. Now if I agree with you and apply these policies to the computers, that does not make sense to me.

Please suggest.

Much appreciated
thanks
Ravs

"Marcin" wrote:

Ravs,
Both GP settings you refer to are part of the Computer (rather than User) Configuration - so they need to be linked to the OU where target computer accounts reside (rather than the "Application Accounts" users)...

hth
Marcin

"Ravs" <Ravs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F293F580-6062-4A31-97EC-25225C82D2AD@xxxxxxxxxxxxxxxx
We have a lot of application accounts (for enabling applications to authenticate users through AD or pulling users from AD....these accounts do NOT run as service....these can be treated as normal user accounts for which we want to disable interactive logon).

We have seen that some people who have access to these application accounts logon to servers using these accounts.
We want to stop that.
In order to achieve this we have created an OU "Application Accounts" and put all the application accounts in this OU.
We also created a GPO named "Disable RDP Application Accounts".
I modified these settings in this GPO to achieve my goal (application accounts should not be able to logon interactively):

GPO Setting
Deny log on locally
Deny log on through Terminal Services

In both the policies I have added the group that contains application accounts. But with these accounts I am still able to logon locally and through terminal services, which I don't want.

Here are gpresults

C:\Documents and Settings\svc_exch>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool
v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/7/2008 at 11:28:05 AM


RSOP results for ROOT\svc_exch on ROOTCLIENT1 : Logging Mode
-------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: ROOT
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\svc_exch
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=ROOTCLIENT1,OU=WPA Computers,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:25 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
WiFi Protected Access
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
ROOTCLIENT1$
Domain Computers


USER SETTINGS
--------------
CN=svc_exch,OU=Application Accounts,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:28 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL

If you notice under User Settings

" The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)"

Why is this happening? The GPO has both the policies defined with the account added.
Under GPO security filtering also I have the account added.

Am I doing something incorrect, or can it not be achieved?

Any Help will be appreciated

Thanks
Ravs
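The two steps Marcin's answer comes down to, as an added PowerShell example that is not part of the thread: link the GPO to the OU that holds the computer accounts (the OU and GPO names are the ones from Ravs' gpresult output), then confirm on a member computer that the two deny rights actually took effect. The group name in $DenyGroup is a placeholder, since the thread never names the group holding the application accounts; the Get-GPInheritance/New-GPLink cmdlets assume the GroupPolicy (RSAT) module, and secedit must run elevated.

```powershell
$GpoName    = 'Disable RDP Application Accounts'
$ComputerOU = 'OU=WPA Computers,DC=root,DC=local'
$DenyGroup  = 'ROOT\AppAccounts'   # placeholder for the application-accounts group

function Link-DenyLogonGpo {
    # Run on a host with the GroupPolicy module. Settings under Computer
    # Configuration are only processed by computers in scope, so the link
    # belongs on the computer OU, not on the "Application Accounts" user OU.
    Import-Module GroupPolicy
    $linked = (Get-GPInheritance -Target $ComputerOU).GpoLinks.DisplayName
    if ($linked -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes | Out-Null
    }
}

function Get-DenyLogonRights {
    # Run elevated on the member computer (e.g. ROOTCLIENT1) after gpupdate.
    # "Deny log on locally" is SeDenyInteractiveLogonRight; "Deny log on
    # through Terminal Services" is SeDenyRemoteInteractiveLogonRight.
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(SeDeny(?:Remote)?InteractiveLogonRight)\s*=\s*(.*)$') {
            $right = $matches[1]
            # secedit writes each principal as *SID; translate back to names
            $rights[$right] = @(foreach ($e in $matches[2].Split(',')) {
                $e = $e.Trim()
                if ($e.StartsWith('*')) {
                    try {
                        $sid = New-Object Security.Principal.SecurityIdentifier($e.Substring(1))
                        $sid.Translate([Security.Principal.NTAccount]).Value
                    } catch { $e }   # keep unresolvable SIDs as-is
                } elseif ($e) { $e }
            })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

# Verification on the member computer: both rights must list the group,
# otherwise the GPO is still not in the computer's scope.
$rights = Get-DenyLogonRights
foreach ($r in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    if ($rights[$r] -contains $DenyGroup) { "$r : $DenyGroup is denied" }
    else { "$r : $DenyGroup NOT present - GPO not applied on this computer" }
}
```

Link-DenyLogonGpo is meant for a management host and Get-DenyLogonRights for the client; gpresult /scope computer on the client should then list the GPO under "Applied Group Policy Objects" rather than under the user's filtered-out list.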
