Re: Deny Logon Locally

From: Ben Smith [MS] (bensmi@microsoft.com)
Date: 08/03/02 

From: Ben Smith [MS] <bensmi@microsoft.com>
Date: Sat, 3 Aug 2002 10:55:31 -0700

In article <aibcvi$12tirk$1@ID-56130.news.dfncis.de>, Justus
(justus@dotcool.com) writes...
> I will be following the other 2 suggestions on removing local users but
> would also like to add all together deny local users logon. Would I set that
> in the Local Security Policy for each computer under User Rights Deny logon
> locally or on a DC under Domain Policy user rights?
> -Justus
> "Jim Campau (A+ MCSE)" <Jim_Campau@bausch.com> wrote in message
> news:#mqJawNOCHA.2576@tkmsftngp08...
> > You can set the local logon rights to any one or group you want. This does
> > not effect network log on rights.
> >
> > "Justus" <justus@dotcool.com> wrote in message
> > news:ai9k8b$12aakk$1@ID-56130.news.dfncis.de...
> > > If I am using AD and want me users to have to logon to a the domain and
> > not
> > > logon to there computer locally is there something I can implement in a
> > > domain policy or group policy? I was reading about deny log on locally
> but
> > > was not sure if that prevented from logging on to the machine all
> > together.
> > > I don't want any of my users using any local users for the computers
> only
> > > logging on through the domain. What is the best way to implement this?
> > Some
> > > of the user already have administrator accounts locally so they know how
> > to
> > > create new local accounts. Any help or suggestions would be appreciated.
> > > -Thanks
> > > Justus

Revoking the right to logon locally will prohibit on any interactive
logon, regardless of where the user's credentials are validated. 

-- 
Ben Smith
Microsoft Training and Certification
Are you secure? http://www.microsoft.com/security
This posting is provided “AS IS” with no warranties, and confers no 
rights.

Relevant Pages

  • Re: Deny Logon Locally
    ... would also like to add all together deny local users logon. ... locally or on a DC under Domain Policy user rights? ...
    (microsoft.public.win2000.security)
  • Re: system cannot log you on now because the domain PCname123 is not available
    ... Are you logging on as the local Administrator - are you sure you're not ... using a domain account to try to login locally. ... Log onto the Domain and check the local Users & Groups - check the local ... And all I want to do it's logon to local box NOT the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Deny Logon Locally
    ... Do you have another suggestion I could do use with Group Policy? ... >> would also like to add all together deny local users logon. ... >> in the Local Security Policy for each computer under User Rights Deny ...
    (microsoft.public.win2000.security)
  • error that my profile cant be loaded at logon
    ... File>Add/REmoveSnapIn> (you choose Local Users and Groups> ... then you douuble click your user name in your right panel ... (probably your account is set to load a profile from some ... >I get an error that my profile can't be loaded at logon. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Does LsaLogonUser support local users?
    ... functional level) and therefore this type logon is not supported for users ... Other types of kerberos logon also require AD ... > LsalogonUser and get a token back? ... but local users don't have UPN available. ...
    (microsoft.public.platformsdk.security)