Re: Disabling Interactive Login

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/25/05 

Date: Wed, 24 Aug 2005 21:35:53 -0500

Open the Group Policy as an administrator and go to computer
configuration/Windows settings/security settings/local policies/user rights
and you can then configure user rights to your needs. --- Steve

"-KK-" <KK@discussions.microsoft.com> wrote in message
news:EA6B8703-0017-4F15-9CC1-8ABFFAE29C3A@microsoft.com...
> Is there a website that discribes how to create this Security Policy
> within a
> Group Policy..? I've created a Group Policy within the OU, but I haven't
> been
> able to find out how to apply the "deny logon locally user right".. Thanks
>
> "Steven L Umbach" wrote:
>
>> Sure. Create the global group you want to deny access to, add the users
>> to
>> the group, and then give this group deny logon locally user right to the
>> computers you do not want them to logon to interactively which can be
>> done
>> via Group Policy at the domain or OU level. --- Steve
>>
>>
>> "-KK-" <KK@discussions.microsoft.com> wrote in message
>> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
>> > Is it possible to create this sort of a policy and apply it only to a
>> > Group
>> > of users rather than to a whole Domain..? My biggest concern is
>> > applying a
>> > policy that will lock all users down, this is only required for users
>> > in a
>> > specific OU
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> You can configure security policy which is a subset of Group Policy to
>> >> modify user rights for logon locally or deny logon locally. For
>> >> instance
>> >> you could create a global group and add it to the deny logon locally
>> >> user
>> >> right via Group Policy to all computers in a domain or Organizational
>> >> Unit.
>> >> Be careful with deny user rights as they override the companion allow
>> >> user
>> >> right and keep in mind that administrators are members of users,
>> >> authenticated users, and everyone groups. --- Steve
>> >>
>> >>
>> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
>> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
>> >> > We've been working on an in-house application that works through an
>> >> > portal.
>> >> > Users who log-in through this portal use LDAP to authenticate
>> >> > through
>> >> > Active
>> >> > Directory.
>> >> >
>> >> > Is is possible to make these logins disabled from being able to
>> >> > Interactively Login to a desktop machine on the domain..?
>> >> >
>> >> > If so which method would be the best way..? Using Group Policies or
>> >> > is
>> >> > there
>> >> > a better option within Active Directory.
>> >> >
>> >> > Thanks,
>> >>
>> >>
>> >>
>>
>>
>>