RE: Deny Log on Locally to some accounts through GPO
- From: Ravs <Ravs@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 10 Nov 2008 10:51:01 -0800
Marcin and ProADguy,
Thanks for your suggestions,
I have done what you guys suggested. Here is the gpresult
C:\Documents and Settings\svc_exch>gpresult
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 11/10/2008 at 1:24:26 PM
RSOP data for ROOT\svc_exch on NLB1 : Logging Mode
---------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\svc_exch
Connected over a slow link?: No
USER SETTINGS
--------------
CN=svc_exch,OU=Application Accounts,DC=root,DC=local
Last time Group Policy was applied: 11/10/2008 at 1:23:58 PM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps
Domain Name: ROOT
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Denied (Security)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
I am getting Denied (Security), as you guys can see.
Here are GPO settings
Links
Location               Enforced   Link Status   Path
Application Accounts   No         Enabled       root.local/Application Accounts
Member Servers         No         Enabled       root.local/Member Servers
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
ROOT\App Accounts
ROOT\NLB1$
App Accounts is the group containing these accounts, and NLB1 is one of the
member servers that I am testing with.
Both of these have Read and Apply Group Policy permissions.
Is something incorrect here?
Please suggest.
thanks
Ravs
"ProADGuy" wrote:
These are Computer Policies; put one test machine in the "Application Account" OU
and reboot the box. Then try logging in to the test machine; it will work.
If that works, then consider linking the "RDP Application Accounts" GPO at Domain
Level so that it flows to all the machines in the domain.
:)
Never tried but you can check what happens if you check the check box "Smart
Card is required for interactive logon" under User properties in AD under
Account Tab under Account Options...
Regards,
ProADGuy
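The point ProADGuy makes above is that "Deny log on locally" and "Deny log on through Terminal Services" live under Computer Configuration (User Rights Assignment), so they only take effect on a computer the GPO actually reaches. The script below is an added example, not code from anyone in this thread; it checks on the target server where those two rights have really landed. It assumes it is run as a local Administrator on the server being tested (NLB1 in the thread), and the group name ROOT\App Accounts is taken from the thread. secedit, gpresult and whoami are standard tools on Server 2003; everything else (the parsing and the SID lookup) is this example's own logic.

```powershell
# Added example: verify the effective deny-logon user rights on a member server.
# Assumption: run locally as Administrator; $Group is the group named in the thread.
param(
    [string]$Group = 'ROOT\App Accounts'
)

# secedit privilege names for the two GPO settings discussed in the thread.
$rights = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

# 1. Resolve the group to its SID; secedit stores principals as *S-1-5-... entries.
$groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 2. Export the effective local security policy. The exported file reflects what
#    Group Policy has actually written into the local security database.
$cfg = Join-Path $env:TEMP 'secpol_export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

foreach ($right in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) {
        Write-Host ("{0}: not defined on this machine" -f $rights[$right])
        continue
    }
    # The value is a comma-separated list; SIDs carry a leading '*', names are plain.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    $names = foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $e }   # unresolvable SID: show it raw
        } else { $e }
    }
    Write-Host ("{0}: {1}" -f $rights[$right], ($names -join ', '))
    $hit = $entries | Where-Object { $_.Trim() -eq "*$groupSid" -or $_.Trim() -eq $Group }
    if ($hit) {
        Write-Host "  -> $Group IS denied here"
    } else {
        Write-Host "  -> $Group is NOT denied here: the GPO's computer settings did not reach this server"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Show which GPOs the *computer* applied; the deny rights must appear under this scope,
#    not under the user's RSoP, which is why the user-side result reads "Not Applied (Empty)".
& gpresult.exe /scope computer

# 4. Show the groups in the current logon token. A user added to App Accounts after
#    their last logon keeps a stale token until they log off and on again, and the
#    deny right is evaluated against the token, not against the directory.
& whoami.exe /groups
```

If step 2 reports the group as not denied while the GPO is linked to the computer's OU, check the computer side of the security filtering (the computer account, or Authenticated Users, needs Read and Apply Group Policy) and that the server has been rebooted or `gpupdate /force` run since the link was made. If step 2 does show the group but the account still logs on, step 4 is the place to look: the logon token must contain the group's SID for the deny to apply.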
"Ravs" wrote:
We have a lot of application accounts (for enabling applications to
authenticate users through AD or pulling users from AD....these accounts do
NOT run as service....these can be treated as normal user accounts for which
we want to disable interactive logon).
We have seen that some people who have access to these application accounts,
logon to servers using these accounts.
We want to stop that.
In order to achieve this
we have created an OU "Application Accounts" and put all the application
accounts in this OU.
We also created a GPO named "Disable RDP Application Accounts".
I modified these settings in this GPO to achieve my goal (application
accounts should not be able to logon interactively)
GPO Setting
Deny log on locally
Deny log on through Terminal Services
In both the policies I have added the group that contains the application
accounts. But with these accounts I am still able to log on locally and through
Terminal Services, which I don't want.
Here are gpresults
C:\Documents and Settings\svc_exch>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 11/7/2008 at 11:28:05 AM
RSOP results for ROOT\svc_exch on ROOTCLIENT1 : Logging Mode
-------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: ROOT
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\svc_exch
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=ROOTCLIENT1,OU=WPA Computers,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:25 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
WiFi Protected Access
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
ROOTCLIENT1$
Domain Computers
USER SETTINGS
--------------
CN=svc_exch,OU=Application Accounts,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:28 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
If you notice under User Settings
" The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)"
Why is this happening? The GPO has both the policies defined with the
account added.
Under GPO security filtering I also have the account added.
Am I doing something incorrect, or can it not be achieved?
Any Help will be appreciated
Thanks
Ravs