deny log in locally on AD


    Hello everyone

    So I'm trying to configure that GPO and I have one problem:

    I found the setting and added the OUs and the groups, but the thing is that these users were created on the DC, so why would the computer know them in the first place? When I've tried to log on locally it just says that the user/pass is incorrect, so why do I need this setting in the first place? How could a user that was created on the DC be local?

    thanks...
    BAZ

  • #2
    Re: deny log in locally on AD

    Hi,
    I'm not sure what you're asking...
    Anyway, there is no such thing as local users on a DC.
    The 'Deny Logon Locally' security policy can be defined for both local and domain users / groups (not OUs).
    This GPO should be linked to an OU that contains the computer accounts you want to restrict.

    For example, if you set the Deny Logon Locally setting to 'YOUR.DOM\Someone' and you link the GPO to an OU named 'Restricted Comps', then the setting will be applied to all computer accounts which reside under the 'Restricted Comps' OU, and 'YOUR.DOM\Someone' will not be able to log on locally on these computers.

    Hope I answered your question


    • #3
      Re: deny log in locally on AD

      What I'm actually asking is this:

      A user in the domain was created in the domain, which means that its password is in the domain, so how could he possibly do a local logon when the computer doesn't know the user...

      Does that make sense?

      TNX


      • #4
        Re: deny log in locally on AD

        If you deny a user the right to logon locally to a machine, then they cannot sit down at that machine and logon using their domain account. They can still "log on" to run scheduled tasks etc, or logon via Remote Desktop if that is enabled, or...
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


        • #5
          Re: deny log in locally on AD

          For some reason it just won't work...

          I've tried to add a computer name to the deny and it still logs on locally using the local admin... how could it be?


          • #6
            Re: deny log in locally on AD

            The local admin account isn't affected - you can only prevent domain users from logging on to certain domain machines.

            You also don't add computer names to the policy. You add usernames, and you link the GPO to an OU containing computer accounts. Computers don't logon to users - you are telling the computers which users not to allow to logon.
            Gareth Howells


            • #7
              Re: deny log in locally on AD

              Originally posted by gforceindustries
              The local admin account isn't affected - you can only prevent domain users from logging on to certain domain machines.
              You can deny local users from logging onto domain machines. i.e.: you can deny local Power Users group from logging on locally.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"

              Comment
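Added example, not part of any post in this thread: a PowerShell check for which accounts a computer actually denies local logon to, useful when the GPO seems not to apply. It reads the user-rights section that `secedit /export` writes, where "Deny log on locally" is stored as `SeDenyInteractiveLogonRight`; the function name `Get-DenyLocalLogon` and the sample INF lines are constructed for illustration.

```powershell
# Added example: list who is denied interactive (local) logon on THIS computer.
# Run elevated on a machine in the OU the GPO is linked to, after gpupdate.
function Get-DenyLocalLogon {
    param([string[]]$InfLines)   # optional: lines of an already exported secedit INF

    if (-not $InfLines) {
        $tmp = Join-Path $env:TEMP 'user-rights.inf'
        # Export only the user-rights area of the effective local security policy
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $InfLines = Get-Content -Path $tmp
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }

    # "Deny log on locally" is the SeDenyInteractiveLogonRight entry
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # right not defined: nobody is denied

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; try to resolve to a name
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        } else {
            # Accounts secedit could not map to a SID are written by name
            [pscustomobject]@{ Sid = $null; Account = $entry }
        }
    }
}

# Constructed sample INF lines (S-1-5-32-547 is the built-in Power Users group)
$sample = @(
    '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545',
    'SeDenyInteractiveLogonRight = *S-1-5-32-547,Guest'
)
Get-DenyLocalLogon -InfLines $sample   # parse the constructed sample
# Get-DenyLocalLogon                   # query the live machine (elevated)
```

If the account named in the GPO does not appear in the live output, the policy has not reached that computer, which usually means the GPO is not linked to the OU holding its computer account.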
