Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies

From: Gary Mudgett [MSFT] (garymu_at_online.microsoft.com)
Date: 11/05/03

Next message: Stefan Holland: "Windows 2003 Server vulnerable to DOS attack"

Previous message: Dean: "Strange thing happens when adding Data Recovery Agent (DRA)"
In reply to: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Next in thread: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Reply: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Reply: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 5 Nov 2003 09:43:25 -0500

In order to prevent users from logging on at the console of the machine they
need to have the Logon Locally user right. This can be set either in the
Local Security policy or through a GPO that applies to those computers.
Logon Locally does not prevent users from accessing network shares on the
machine, just logging on at the console. Users who do not have that
permission would receive "The local policy of this system does not permit
you to logon interactively." message.

Tim Hines had previously post the following response that I don't know if
you saw:
There are 2 policy settings that you can use to do this. You can do this
using the "logon locally" setting or the "deny logon locally". I've
included more information below.

Log on locally
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Description
Determine which users can log on at the computer.

This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.

The default groups that have this right on each platform are:

  a.. Workstations and Servers
    a.. Administrators
    b.. Backup Operators
    c.. Power Users
    d.. Users
    e.. Guest
  b.. Domain Controllers
    a.. Account Operators
    b.. Administrators
    c.. Backup Operators
    d.. Print Operators
Note

To allow a user to log on locally to a domain controller, you have to grant
this right by means of the Default Domain Controller GPO.

Related Policies

Deny logon locally

Deny logon locally
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Description
Determines which users are prevented from logging on at the computer. This
policy setting supercedes the Log on locally policy setting if an account is
subject to both policies.

This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.

By default, there are no accounts denied the ability to logon locally.

-- 
-- 
Gary Mudgett, MCSE, MCSA
 Windows 2000 Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Reed" <dreed@no.spam.please.srdcorp.com> wrote in message
news:#wL#pyioDHA.2820@TK2MSFTNGP10.phx.gbl...
> Good Morning,
>
> Forgive me if I misunderstand.  How will that prevent people from logging
on
> (at all?)  Does that option allow people to log on locally?  I want to
> prevent ANYONE besides myself from logging on to specific Win2k Pro
systems,
> either locally or through the domain.
>
> Did I ask the right question?
>
> Regards,
>
> David
>
> "j-man" <anonymous@discussions.microsoft.com> wrote in message
> news:0fd201c3a220$ab400aa0$a601280a@phx.gbl...
> > go to security settings of the GPO and adjust the setting
> > for allow log on locally to the specified users.
> > >
> > >
> > >.
> > >
>
>

Next message: Stefan Holland: "Windows 2003 Server vulnerable to DOS attack"

Previous message: Dean: "Strange thing happens when adding Data Recovery Agent (DRA)"
In reply to: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Next in thread: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Reply: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Reply: David Reed: "Re: Prevent Domain Users from logging on to specific PCs w/ Group Policies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Delete Audit Trail
... To configure an audit policy setting for a domain controller, ...
(microsoft.public.win2000.security)
Re: Audit Deleting of files
... To configure an audit policy setting for a domain controller, ...
(microsoft.public.win2000.security)
Re: Recover from log on locally domain setting
... reverse the policy setting that has you locked out for domain users. ... Changing the domain policy for logon locally should NOT affect domain ... > The problem is we had not set the Domain Controller ...
(microsoft.public.win2000.security)
Re: How do I log Failed Logon attempts
... You can configure auditing of account logon events using Group Policy. ... Click the Group Policy tab, click Default Domain Controller Policy, ... double-click Audit Policy. ... setting take effect only when the policy setting is propagated or applied to ...
(microsoft.public.win2000.active_directory)
Re: Why allow log on locally" is not configured by default??
... There are two policy under admin tools -> domain controller security ... Domain Controller policy impacts ALL dc's in your network. ... asking it if it is ok that this user log onto this workstation, ... logging onto the dc, the workstation is just getting information provided to ...
(microsoft.public.windows.server.active_directory)