remove the "domain users group" from "local users group" problem


This topic contains 7 replies, has 4 voices, and was last updated by John2008 11 years, 9 months ago.

    noway
    Member
    #133038

    Hi,
    I am an administrator on my domain and I don’t want any employees to log in to my PC, so I did the following:

    1- I added my domain user account to the local administrator group.
    2- I removed the domain admin group from the local administrator group.
    3- I removed the domain users group from the local users group.
    However, when I tried to log in with my domain account it accepted me but I could not see the desktop. I tried logging in many times and restarting the PC, but no luck. When I put the domain users group back into the local users group, it solved the problem.

    My question:
    1- Why does this issue happen when I remove the domain users from the local users group?
    2- How can I solve this problem in a professional way, keeping in mind that I need the solution to affect only me?

    joeqwerty
    Moderator
    #300583

    Here’s one suggestion:

    Leave the domain users group as a member of the local users group. Leave your domain account as the only member of the local administrators group. Open up the local security policy, user rights assignment and set the “Allow log on locally” right to only your domain user account.

    noway
    Member
    #236506

    But if I do what you suggest, then in 60m when the group policy refresh time occurs it will be back to the default setting.

    John2008
    Member
    #330913

    When you click on “Allow log on locally”, add your desired user to the list, and apply OK, it should be saved. If it keeps changing, then you've got something wrong.

    joeqwerty
    Moderator
    #300589

    Local security policy will only be overridden if you have a GPO that changes the setting. The Default Domain GPO does not have this setting configured, so if it is being “reset” then you have a GPO that applies to this computer that is setting it. If so, set the GPO to not configured for this particular user right.

    noway
    Member
    #236507

    This means I have to move my computer to a different OU and override the GPO.

    AndyJG247
    Member
    #320433

    You can deny apply for your account for that GPO. That would take precedence over the allow.

    joeqwerty
    Moderator
    #300594

    Yes, you would move your computer to a new OU. What’s wrong with that? It will still get all the other GPO settings (as long as you don’t enable Block Inheritance) and set the option you want from the OU specific GPO.
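
A way to check the result of the advice in this thread, added here as an example and not posted by any participant: it lists which accounts hold “Allow log on locally” (SeInteractiveLogonRight) on the local machine and which GPOs apply to the computer. It assumes an elevated PowerShell prompt; the function name and the temp file name are made up for the example.

```powershell
# Added example: report who holds "Allow log on locally" (SeInteractiveLogonRight)
# on this computer, then list the GPOs applied to it. Run elevated.
# Get-InteractiveLogonRight and the temp file name are hypothetical names.

function Get-InteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    try {
        # Export only the user rights area of the computer's current security settings.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' }
        if (-not $line) { return }   # the right is assigned to nobody

        # The value is a comma-separated list; SIDs carry a leading '*'.
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try {
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '(unresolved SID)'   # deleted or unreachable account
                }
                [pscustomobject]@{ Account = $name; Sid = $sid.Value }
            } else {
                # Some entries are exported by name instead of by SID.
                [pscustomobject]@{ Account = $entry; Sid = $null }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-InteractiveLogonRight)
$holders | Format-Table -AutoSize

# Broad groups that would still let any domain user log on at the console.
# BUILTIN\Users contains Domain Users by default on a domain-joined machine.
$broad = 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11'   # Users, Everyone, Authenticated Users
$holders | Where-Object { $_.Sid -in $broad } | ForEach-Object {
    Write-Warning "$($_.Account) still holds 'Allow log on locally'"
}

# If the right reverts after a policy refresh, one of the GPOs listed here defines it.
gpresult.exe /scope computer /r
```

Running it once before and once after a Group Policy refresh shows whether the local setting persists or is being replaced by a GPO.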
