Re: Disabling Interactive Login

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/24/05 

Date: Tue, 23 Aug 2005 19:53:00 -0500

Sure. Create the global group you want to deny access to, add the users to
the group, and then give this group deny logon locally user right to the
computers you do not want them to logon to interactively which can be done
via Group Policy at the domain or OU level. --- Steve

"-KK-" <KK@discussions.microsoft.com> wrote in message
news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> Is it possible to create this sort of a policy and apply it only to a
> Group
> of users rather than to a whole Domain..? My biggest concern is applying a
> policy that will lock all users down, this is only required for users in a
> specific OU
>
> "Steven L Umbach" wrote:
>
>> You can configure security policy which is a subset of Group Policy to
>> modify user rights for logon locally or deny logon locally. For instance
>> you could create a global group and add it to the deny logon locally user
>> right via Group Policy to all computers in a domain or Organizational
>> Unit.
>> Be careful with deny user rights as they override the companion allow
>> user
>> right and keep in mind that administrators are members of users,
>> authenticated users, and everyone groups. --- Steve
>>
>>
>> "-KK-" <KK@discussions.microsoft.com> wrote in message
>> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
>> > We've been working on an in-house application that works through an
>> > portal.
>> > Users who log-in through this portal use LDAP to authenticate through
>> > Active
>> > Directory.
>> >
>> > Is is possible to make these logins disabled from being able to
>> > Interactively Login to a desktop machine on the domain..?
>> >
>> > If so which method would be the best way..? Using Group Policies or is
>> > there
>> > a better option within Active Directory.
>> >
>> > Thanks,
>>
>>
>>

Relevant Pages

  • Re: How to include a "Power Users" group to be include in a GPO
    ... However if this Group Policy is going to be ... create a domain global group and add users that ... >> How can I to create a group that evolves the local Power Users groups from ... >> Juan Villegas Azuaje ...
    (microsoft.public.windows.server.security)
  • Re: adding a global group to the local administrators through a group policy
    ... Assign the follow script as an Logon Script within a Group Policy, ... Members in your Global Group "Your Global Group" will be added ... to the local administrators group during logon. ...
    (microsoft.public.win2000.group_policy)
  • Re: Group Policy for Terminal Server not working
    ... Windows 2000 TS server (for simplicity we'll call him TS-Server) ... Created a Global group TS-Users which consists of users from ... Created and linked a Group Policy object in TSOU ...
    (microsoft.public.win2000.group_policy)
  • Re: Restrict user to only certain machines.
    ... You can use the user rights for logon locally or deny logon locally to so ... Add the users to a global group and create an OU where you place their ... their OU create a Group Policy Object and configure the deny logon locally ... allow them to only logon to computers in their OU. ...
    (microsoft.public.win2000.group_policy)
  • Re: Local Group added to local Administrators group
    ... Create a global group and add that to the local administrators group on the ... computers that you want this to happen to. ... > added with Group Policy to the local Administrators group. ...
    (microsoft.public.windowsxp.security_admin)