Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies

From: Gary Mudgett [MSFT] (garymu_at_online.microsoft.com)
Date: 11/05/03

    Date: Wed, 5 Nov 2003 09:43:25 -0500
    
    

    In order to prevent users from logging on at the console of the machine they
    need to have the Logon Locally user right. This can be set either in the
    Local Security policy or through a GPO that applies to those computers.
    Logon Locally does not prevent users from accessing network shares on the
    machine, just logging on at the console. Users who do not have that
    permission would receive the "The local policy of this system does not
    permit you to logon interactively." message.

    Tim Hines had previously posted the following response that I don't know if
    you saw:
    There are 2 policy settings that you can use to do this. You can do this
    using the "logon locally" setting or the "deny logon locally". I've
    included more information below.

    Log on locally
    Computer Configuration\Windows Settings\Security Settings\Local
    Policies\User Rights Assignment

    Description
    Determine which users can log on at the computer.

    This user right is defined in the Default Domain Controller Group Policy
    object (GPO) and in the local security policy of workstations and servers.

    The default groups that have this right on each platform are:

      a. Workstations and Servers
        a. Administrators
        b. Backup Operators
        c. Power Users
        d. Users
        e. Guest
      b. Domain Controllers
        a. Account Operators
        b. Administrators
        c. Backup Operators
        d. Print Operators

    Note

    To allow a user to log on locally to a domain controller, you have to grant
    this right by means of the Default Domain Controller GPO.

    Related Policies

    Deny logon locally

    Deny logon locally
    Computer Configuration\Windows Settings\Security Settings\Local
    Policies\User Rights Assignment

    Description
    Determines which users are prevented from logging on at the computer. This
    policy setting supersedes the Log on locally policy setting if an account is
    subject to both policies.

    This user right is defined in the Default Domain Controller Group Policy
    object (GPO) and in the local security policy of workstations and servers.

    By default, there are no accounts denied the ability to logon locally.

    -- 
    Gary Mudgett, MCSE, MCSA
     Windows 2000 Directory Services
    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "David Reed" <dreed@no.spam.please.srdcorp.com> wrote in message
    news:#wL#pyioDHA.2820@TK2MSFTNGP10.phx.gbl...
    > Good Morning,
    >
    > Forgive me if I misunderstand.  How will that prevent people from logging on
    > (at all?)  Does that option allow people to log on locally?  I want to
    > prevent ANYONE besides myself from logging on to specific Win2k Pro systems,
    > either locally or through the domain.
    >
    > Did I ask the right question?
    >
    > Regards,
    >
    > David
    >
    > "j-man" <anonymous@discussions.microsoft.com> wrote in message
    > news:0fd201c3a220$ab400aa0$a601280a@phx.gbl...
    > > go to security settings of the GPO and adjust the setting
    > > for allow log on locally to the specified users.
    > > >
    > > >
    > > >.
    > > >
    >
    >
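
Added example (not part of the original posts): a Python check of how the two user rights discussed in this thread combine for one account, including the case where an administrator is caught by a deny entry on a group he also belongs to. It assumes the rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the INF text, the domain SID and the function names are constructed for illustration.

```python
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Constructed sample in the layout written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are UTF-16 files; the domain SID below is made up).
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-513
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_rights(inf_text):
    """Return {right name: set of SIDs/account names} from a secedit export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the Se... right names exactly as written
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            entries = (e.strip().lstrip("*").upper() for e in value.split(","))
            rights[name] = {e for e in entries if e}
    return rights


def local_logon_verdict(rights, token_sids):
    """token_sids: the account's own SID plus the SIDs of all its groups."""
    token = {s.upper() for s in token_sids}
    if token & rights.get(DENY, set()):
        return "deny"         # a deny entry wins over any allow entry
    if token & rights.get(ALLOW, set()):
        return "allow"
    return "not-granted"      # no allow entry matches, so console logon is refused


if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    # Constructed token: a domain account that is a local administrator.
    admin = {"S-1-5-21-1111-2222-3333-1104", DOMAIN_USERS, "S-1-5-32-544"}
    print(local_logon_verdict(rights, admin))
```

With the sample policy, the administrator account is refused because its token also carries the Domain Users SID listed under the deny right; restricting the allow list instead avoids that lockout.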
    
