GPO - Deny Logon Locally to everyone in OU

  • GPO - Deny Logon Locally to everyone in OU

    Hi,

    How can you set up a GPO to deny logon locally for all users in a specific OU?

    Is this possible to do without having to set up a security group?

    I currently have 2 OUs

    Managed Computers
    Site1
    Site2
    Site3

    Managed Users
    Site1
    Site2
    Site3


    If a user belongs to Managed Users\Site3, then he should be denied logon to any computer no matter in which OU the computer resides.

    The reason for this is that I have a lot of Exchange mailboxes where I would like the users to access their email via web, but deny them access to the network on any PC.

    Any other ideas would also be welcome.

    Thanks

  • #2
    Re: GPO - Deny Logon Locally to everyone in OU

    The deny logon locally is a computer configuration and so must be applied to computers and not users.

    To accomplish the task you'll need to:
    1. Create a Security Group and add the appropriate users to the group
    2. Place all the computers into an OU that you want to restrict the users from logging on. (if it is all the computers you can just link the GPO to the domain; same thing with a Site)
    3. In a GPO, configure the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally and add the group that you created.
    4. Link the GPO to the OU, Domain, or Site


    HTH
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: GPO - Deny Logon Locally to everyone in OU

      Thanks. Will try that. Is there any way to have all users in that OU automatically belong to this security group?



      • #4
        Re: GPO - Deny Logon Locally to everyone in OU

        Unfortunately no, or at least not that I know of.

        But I know that it could be done with a script.... but that is definitely a weak point of mine. But there are some great scripters here plus I'm sure you could find something for you...
        Some of these look promising http://www.google.com/search?hl=en&l...+OU+to+a+group
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com
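
Added example, not part of the original thread: one way to script what posts #3 and #4 discuss, keeping the security group from step 1 of post #2 in sync with the user accounts under one OU. The OU distinguished name, the domain (example.com) and the group name are assumptions, and the script needs the ActiveDirectory module (RSAT).

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed DN for "Managed Users\Site3"; replace with your own domain components.
    [string]$OuDn      = 'OU=Site3,OU=Managed Users,DC=example,DC=com',
    # Hypothetical name of the group listed under "Deny log on locally" in the GPO.
    [string]$GroupName = 'Deny-LocalLogon-Site3'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Users that should be in the group: every user object under the OU, sub-OUs included.
$wanted = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
            Select-Object -ExpandProperty DistinguishedName)

# Users that are direct members of the group right now.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty distinguishedName)

# Guard: a mistyped or empty OU must not silently lift the restriction for everyone.
if ($wanted.Count -eq 0) {
    throw "No users found under '$OuDn'; refusing to empty '$GroupName'."
}

# DN comparison is case-insensitive, which matches how AD treats DNs.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

if ($toAdd -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) user(s)")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# Users moved out of the OU are removed so they regain local logon.
if ($toRemove -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) user(s)")) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# Summary object for logging when run as a scheduled task.
[pscustomobject]@{
    Group   = $GroupName
    Added   = $toAdd.Count
    Removed = $toRemove.Count
}
```

Run it with `-WhatIf` first to preview the membership changes, then schedule it so new accounts in the OU pick up the restriction. A user added to the group is only denied once the change has replicated and the computer has applied the GPO.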
