Best practices for preventing users from logging on locally for a couple machines

  • Best practices for preventing users from logging on locally for a couple machines

    I'm setting this up for an OU called "Computers - Limited Access", and I've created a limited access group. I'm concerned about applying this until I understand it a little better, but if I configure a Group Policy for this OU, do I also have to configure "Allow log on locally", do I also have to configure "Deny log on locally"? Right now, the latter is set to "Not Defined".

    I probably should create another post for this, but someone within the organization wants to create a group policy to prevent all users from logging onto a machine with a local account. My initial thought would be to remove all local accounts and rename the Administrative account. Does this seem reasonable?

    Thanks - baskervi

  • #2
    Re: Best practices for preventing users from logging on locally for a couple machines

    For the second problem you can use restricted groups to control membership of local users, power users and administrators -- they replace existing memberships

    For the first, you should be able to get away with "allow log on locally" as long as you check there are no default permissions like "domain users" able to do so
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Best practices for preventing users from logging on locally for a couple machines

      Hi,

      Create a GPO - Deny log on locally, apply it to the OU and use security filtering, for example so that only members of x group get this policy applied. This would serve the purpose.
      Thanks & Regards
      v-2nas

      MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
      Sr. Wintel Eng. (Investment Bank)
      Independent IT Consultant and Architect
      Blog: http://www.exchadtech.blogspot.com

      Show your appreciation for my help by giving reputation points
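
An added example, not part of any post in this thread: a PowerShell check of which principals actually hold "Allow log on locally" and "Deny log on locally" on a machine once the GPO has applied, flagging broad default entries of the kind reply #2 says to look for. It assumes an elevated prompt and relies on the `secedit` user-rights export; the variable and function names are illustrative.

```powershell
# Added example (not from the thread). Run elevated on a machine in the OU
# after the GPO has applied (gpupdate /force).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants behind the two policy settings
$rights = [ordered]@{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

# Broad principals that let ordinary users in if left on the Allow list:
# Everyone, Authenticated Users, BUILTIN\Users, <domain>\Domain Users
$broad = '^\*S-1-1-0$', '^\*S-1-5-11$', '^\*S-1-5-32-545$', '^\*S-1-5-21-.+-513$'

function Resolve-Entry([string]$entry) {
    # secedit writes SIDs as *S-1-...; anything else is already a name
    if (-not $entry.StartsWith('*S-')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $entry   # unresolvable SID: keep it visible instead of dropping it
    }
}

$report = foreach ($right in $rights.Keys) {
    $hit = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $hit) { continue }   # right absent from the export: no one assigned
    foreach ($entry in (($hit.Line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        [pscustomobject]@{
            Setting    = $rights[$right]
            Principal  = Resolve-Entry $entry
            # Only meaningful for the Allow right
            BroadAllow = ($right -eq 'SeInteractiveLogonRight') -and
                         [bool]($broad | Where-Object { $entry -match $_ })
        }
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
$report | Format-Table -AutoSize
```

Any row with `BroadAllow` set to `True` means ordinary users still reach the console through that entry. Where an account falls under both settings, "Deny log on locally" takes precedence over "Allow log on locally".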
