Re: Disabling Interactive Logon Against Security Group



Paul has shown you where to locate that policy.

There are however some potential issues to consider.

If you set this in a GPO then the list that is to be denied that you
provide in that GPO is the one, complete list used for that user
right setting on all machines subject to that GPO. In other words,
if this setting is being used on some machines, the value provided
in the GPO will replace what exists on those machines. If you look,
this is used in a default on XP clients for a couple/few accounts, so
those would no longer be denied after the GPO is applied if your
GPO just says to deny your CustomWebUser group.

One route to avoid this is to cause a machine local group to be
defined on each machine "DenyLocalLogin" and placed into the
machine's user right to deny interactive login. Then, you can
control the membership in this machine local group using the
restricted group capability from your GPO. Similar to the issue
with the user right, if you do not want to have your GPO take
control over the complete and total membership in the machine
local group then you can use the technique outlined in this KB:
http://support.microsoft.com/kb/810076




"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:52FDD057-DCD7-4A21-AD50-3F3DA71CB191@xxxxxxxxxxxxxxxx
Svyatoslav,

Thanks for getting back to me so quickly; I'd thought about that myself but
the problem is I can't actually find the policy anywhere. Any ideas?


--
Regards,
Sam Gaw

http://www.samgaw.co.uk


"S. Pidgorny <MVP>" wrote:

Add the group containing to the "Deny log on locally" policy on the domain
level?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AFEC2F64-F0D4-42B1-A8AF-E461165911D4@xxxxxxxxxxxxxxxx
I was wondering if anybody knew of a way to disable interactive logon
privileges against specific OU/User Groups rather than against computers?

Essentially I want to be able to provide domain accounts to users to access
a web app published on the WAN but prevent them from accessing the domain via
any of our computers/interactive logon.

Any help or advice would be much appreciated.

--
Regards,
Sam Gaw

http://www.samgaw.co.uk
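
The replacement behaviour described in the reply at the top of this thread can be checked before a GPO is linked. The following is an added example, not part of the original posts: it compares the "Deny log on locally" list (`SeDenyInteractiveLogonRight`) in a client's exported security policy with the list in the GPO's security template and reports which accounts would stop being denied. Both INF samples, the `EXAMPLE` domain and the `SampleSupportAcct` account are constructed for illustration.

```python
RIGHT = "SeDenyInteractiveLogonRight"  # user right behind "Deny log on locally"

# Constructed sample: [Privilege Rights] as exported from one client
# (for example with `secedit /export /cfg local.inf`; decode the file to text first).
LOCAL_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest,SampleSupportAcct
"""

# Constructed sample: the same section from the GPO's security template.
GPO_INF = """\
[Privilege Rights]
SeDenyInteractiveLogonRight = EXAMPLE\\CustomWebUser
"""


def privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Principals are comma separated; SIDs carry a leading '*'.
            # Assumption: names and SIDs are compared as text, not resolved.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights


def dropped_by_gpo(local_inf, gpo_inf, right=RIGHT):
    """Principals denied locally today that the GPO's list would no longer deny."""
    gpo = privilege_rights(gpo_inf)
    if right not in gpo:
        return set()  # right not defined in the GPO: the local list is left alone
    return privilege_rights(local_inf).get(right, set()) - gpo[right]


if __name__ == "__main__":
    for principal in sorted(dropped_by_gpo(LOCAL_INF, GPO_INF)):
        print("would no longer be denied interactive logon:", principal)
```

Any account the check reports either has to be added to the GPO's list as well, or the GPO should reference a machine local group managed through restricted groups, as the reply suggests.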




