Re: Disabling Interactive Login

From: -KK- (KK_at_discussions.microsoft.com)
Date: 08/25/05 

Date: Wed, 24 Aug 2005 17:25:04 -0700

Is there a website that discribes how to create this Security Policy within a
Group Policy..? I've created a Group Policy within the OU, but I haven't been
able to find out how to apply the "deny logon locally user right".. Thanks

"Steven L Umbach" wrote:

> Sure. Create the global group you want to deny access to, add the users to
> the group, and then give this group deny logon locally user right to the
> computers you do not want them to logon to interactively which can be done
> via Group Policy at the domain or OU level. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> > Is it possible to create this sort of a policy and apply it only to a
> > Group
> > of users rather than to a whole Domain..? My biggest concern is applying a
> > policy that will lock all users down, this is only required for users in a
> > specific OU
> >
> > "Steven L Umbach" wrote:
> >
> >> You can configure security policy which is a subset of Group Policy to
> >> modify user rights for logon locally or deny logon locally. For instance
> >> you could create a global group and add it to the deny logon locally user
> >> right via Group Policy to all computers in a domain or Organizational
> >> Unit.
> >> Be careful with deny user rights as they override the companion allow
> >> user
> >> right and keep in mind that administrators are members of users,
> >> authenticated users, and everyone groups. --- Steve
> >>
> >>
> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> >> > We've been working on an in-house application that works through an
> >> > portal.
> >> > Users who log-in through this portal use LDAP to authenticate through
> >> > Active
> >> > Directory.
> >> >
> >> > Is is possible to make these logins disabled from being able to
> >> > Interactively Login to a desktop machine on the domain..?
> >> >
> >> > If so which method would be the best way..? Using Group Policies or is
> >> > there
> >> > a better option within Active Directory.
> >> >
> >> > Thanks,
> >>
> >>
> >>
>
>
>

Relevant Pages

  • Re: Question about Log on Locally Policy.
    ... Interesting as by default administrators group has logon locally user right. ... The easiest thing to try would be to use ntrights to add the administrators ... > the policy of the machine does not permit interactive logon. ...
    (microsoft.public.win2000.security)
  • Re: IPSEC Policy to secure TS
    ... >"How to Create and Enable IPSec Policy to Secure ... >After the IP Security Policy Wizard starts, ... >2) the client policy is rather broad and might need ...
    (microsoft.public.win2000.security)
  • Re: IPSEC Policy to secure TS
    ... "How to Create and Enable IPSec Policy to Secure Terminal Services ... After the IP Security Policy Wizard starts, ... Click to expand Security Settings in the left pane, right-click the Client ...
    (microsoft.public.win2000.security)
  • Re: Limit number of login attemps on Windows server 2003 - where to set this up?
    ... An example change which you would make using the DC Security Policy and not ... and the Domain Controller Security Policy only applies to Domain ... > server exists to serve the clients, so what would you change on the DC, ...
    (microsoft.public.windows.server.general)
  • Re: [fw-wiz] Security and Audit Policy
    ... Enabling firewall rules without a solid security policy and management ... nameserver (I don't like clients resolving directly in any circumstance.) ...
    (Firewall-Wizards)