Re: Preventing logon to local accounts



You can use "Allow log on locally" Group Policy setting (Computer
Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments) and replace local Users with
Domain Users in the listing of groups in this category. Just make
sure you test this on target PCs to avoid any collateral
damage...

Perhaps you need to put this back to the default. The Domain Users group is by
default a member of the local Users group on a workstation; this doesn't mean they
can log on locally, as long as they only have a domain user account.

If you have RDP enabled and the group specified in the Remote Desktop Users
group on the local machine then there should be no problem. I recommend that
you reverse the change above and check that RDP is enabled on the workstation:
right-click Computer, Properties, Remote tab; from here check that the box
for Remote Desktop is ticked, then make sure the group is added.


Regards,

Jamie

"BeckyBoo123" wrote:

Hi Guys, thanks for the advice. I am on information overload now!

Connecting to what? Do you have a terminal server? That would be a
good idea if you have a lot of remote users.

Ok, just to sum it all up (I think this is right), we have 2 AD servers and
6 Terminal Servers. We have several hundred PC users who connect to the TSs
for access to our profit system. Users also use their PCs for email access
and other things locally; however, we are trying to gradually add these PCs
to the domain.
So, certain users use VPN to connect up from home. They can connect to the
TS applications with no problem, and they can connect up to their local
account by using RDC, but on the test machine that I have connected to the
domain and removed the local account on, I can't connect to it via RDC
(emulating the method they would use from home).

You can use "Allow log on locally" Group Policy setting (Computer
Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments) and replace local Users with
Domain Users in the listing of groups in this category. Just make
sure you test this on target PCs to avoid any collateral
damage...

This was originally set to list the specific user only, so I have now
changed it to display the domain user.

Create a GPO, filter this with a security group that contains the
workstations that you would like to enable RDP.

Enable RDP on the selected workstations:

1. In the group policy object, click to expand Computer Configuration, click
to expand Administrative Templates, click to expand Windows Components, and
then click to expand Terminal Services.

2. Double-click the "Allow users to connect remotely using Terminal
Services" policy.

3. Set the policy to Enable, and then click OK


However, instead of visiting each workstation:

Go to Windows Settings / Security Settings / Restricted Groups / right-click, Add
new group / add your global security group that contains the users that you
want to access the workstations using RDP / select "This group is a member
of": choose Remote Desktop Users.

This setting was already in place, but I checked it and it all looks in order.

The only thing that I have noticed is that the Domain computer in question
is actively a member of 2 groups, RDP's and Desktop users (desktop users is
the policy I have been working on to customize the domain PCs).

Could this be the cause?
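
A way to read back, on the test workstation, the three settings this thread goes through: whether RDP is enabled, who is in the local Remote Desktop Users group, and who holds the logon rights. This is an added example and not part of the original posts. It assumes an elevated PowerShell prompt, and the temporary file name is arbitrary.

```powershell
# Added example. Run from an elevated PowerShell prompt on the workstation.

# 1. Is RDP enabled? A value under the Policies key (written by the GPO)
#    takes precedence over the local System Properties setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$source = 'Group Policy'
$deny = (Get-ItemProperty -Path $policyKey -Name fDenyTSConnections `
         -ErrorAction SilentlyContinue).fDenyTSConnections
if ($null -eq $deny) {
    $source = 'local setting'
    $deny = (Get-ItemProperty -Path $localKey -Name fDenyTSConnections).fDenyTSConnections
}
'RDP enabled: {0} (from {1})' -f ($deny -eq 0), $source

# 2. Members of the local group that Restricted Groups is meant to populate.
net localgroup 'Remote Desktop Users'

# 3. Export the effective user rights and list the four logon rights.
#    SeInteractiveLogonRight           = Allow log on locally
#    SeRemoteInteractiveLogonRight     = Allow log on through Terminal Services
#    SeDeny...                         = the matching Deny rights (these win)
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
foreach ($line in Get-Content $cfg) {
    $name, $value = $line -split '\s*=\s*', 2
    if ($rights -notcontains $name) { continue }
    $holders = foreach ($entry in $value -split ',') {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; translate them to names if possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }
        } else { $entry }
    }
    '{0}: {1}' -f $name, ($holders -join '; ')
}
Remove-Item $cfg
```

A connection over RDP is evaluated against SeRemoteInteractiveLogonRight and its Deny counterpart, so compare those two lines with the group membership shown in step 2.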




