Re: Disabling Interactive Logon Against Security Group
- From: Sam Gaw <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 14 Aug 2006 14:50:02 -0700
Thanks for the replies, to be honest though I was hoping to avoid this
approach which is why I wasn't quite sure of the initial reply.
Essentially this is to secure half a dozen guest accounts on domain of
50,000+ so that they may access a web app so to modify the security policies
this way is in my opinion a little drastic and why I original phrased my
question "disable interactive logon privilages against specific OU/User
Groups rather than against computers?"
I haven't had a chance yet but when I return to the office tomorrow I was
thinking of creating the accounts in the same sort of manner as I would a
service account given that other than SQL it's possible to prevent
interactive logons with DSAs.
Has anyone tried this before? I had assumed that this would have been fairly
common practice in anywhere that followed least-privilaged designs.
--
Regards,
Sam Gaw
http://www.samgaw.co.uk
"Roger Abell [MVP]" wrote:
Paul has shown you where to locate that policy..
There are however some potential issues to consider.
If you set this in a GPO then the list that is to be denied that you
provide in that GPO is the one, complete list used for that user
right setting on all machines subject to that GPO. In other words,
if this setting is being used on some machines, the value provided
in the GPO will replace what exists on those machines. If you look,
this is used in a default on XP clients for a couple/few accounts, so
those would no longer be denied after the GPO is applied if your
GPO just says to deny your CustomWebUser group.
One route to avoid this is to cause a machine local group to be
defined on each machine "DenyLocalLogin" and placed into the
machine's user right to deny interactive login. Then, you can
control the membership in this machine local group using the
restricted group capability from your GPO. Similar to the issue
with the user right, if you do not want to have your GPO take
control over the complete and total membership in the machine
local group then you can use technique outlined in this KB
http://support.microsoft.com/kb/810076
"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:52FDD057-DCD7-4A21-AD50-3F3DA71CB191@xxxxxxxxxxxxxxxx
Svyatoslav,
Thanks for getting back to me so quickly; I'd thought about that myself
but
the problem is I can't actually find the policy anywhere. Any ideas?
--
Regards,
Sam Gaw
http://www.samgaw.co.uk
"S. Pidgorny <MVP>" wrote:
Add the group containing to the "Deny log on locally" policy on the
domain
level?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Sam Gaw" <SamGaw@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AFEC2F64-F0D4-42B1-A8AF-E461165911D4@xxxxxxxxxxxxxxxx
I was wondering if anybody knew of a way to disable interactive logon
privilages against specific OU/User Groups rather than against
computers?
Essentially I want to be able to provide domain accounts to users to
access
a web app published on the WAN but prevent them from accessing the
domain
via
any of our computers/interactive logon.
Any help or advice would be much appreciated.
--
Regards,
Sam Gaw
http://www.samgaw.co.uk
- Follow-Ups:
- Re: Disabling Interactive Logon Against Security Group
- From: Roger Abell [MVP]
- Re: Disabling Interactive Logon Against Security Group
- References:
- Re: Disabling Interactive Logon Against Security Group
- From: Roger Abell [MVP]
- Re: Disabling Interactive Logon Against Security Group
- Prev by Date: Re: Wild Tangent
- Next by Date: Re: Disabling Interactive Logon Against Security Group
- Previous by thread: Re: Disabling Interactive Logon Against Security Group
- Next by thread: Re: Disabling Interactive Logon Against Security Group
- Index(es):
Relevant Pages
|
