
Prevent certain users from logging onto computers and servers


blondebier

Programmer
Jun 19, 2003
142
GB
Hi Guys,

We have recently created a new domain using Windows Server 2008.

As part of this setup our infrastructure requires some application accounts to be configured in AD for running windows services, web services and other programs we have created.

We don't want these accounts to be able to log on to the domain.

I thought the "Deny log on locally" policy in group policy management would prevent this.

I implemented this by grouping all the application accounts in their own OU (Organisational unit) in AD.

I then created a GPO in this OU and set "Deny log on locally" to this group.

I thought that would work, but it hasn't done the job.

Does the "Deny log on locally" policy only apply to computers and not users?

Any ideas?

Cheers,
Blondebier
 
You are almost there.

You want to deny those accounts:
Log On Locally
Log On Through Terminal Services

You then want to grant them:
Log on as a service

And you may need to grant them:
Act as Part of the Operating System

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Thanks Mark - I have done these but they are still able to log on to any computer.

How long would these changes take to have an effect?

I ran gpupdate /force and it still doesn't seem to make a difference.

It's probably something trivial...
 
Are you configuring that in a local or domain GPO? Should only take 15 minutes to take effect and the GPUPDATE /FORCE should make it immediate.

Make sure you have pushed that setting out via a domain policy and not a local one.

I hope you find this post helpful.

Regards,

Mark

 
I configured it in the GPO on the DC and ran GPUPDATE /FORCE afterwards.

I also tried to run the GPUPDATE /FORCE command on a work station as well.

Still doesn't work...
 
At what level in the tree did you place the GPO?

I hope you find this post helpful.

Regards,

Mark

 
Level 2 (I think).

The default domain policy resides in the root. I have this GPO created in the OU for this group underneath this one...

Is that correct?
 
You can move your GPO to the top level (root) and it will then apply to all computers and users in the domain.



I hope you find this post helpful.

Regards,

Mark

 
Hi Mark,

I think I misunderstood the precedence of the GPOs within an OU...

I have a "Default Domain Policy" that was configured by Server 2008 as standard. This remained largely unchanged.

I then proceeded to configure various GPOs within my OUs, as I wanted special things to happen for different users in these OUs. I thought that as these were at level 2 they would supersede policies that were at level 1, i.e. supersede the Default Domain Policy.

But when I checked the order of the GPOs in the "Group Policy Inheritance" tab it seems that the GPO I added in the OU comes first, before the Default Domain Policy, therefore the Default would supersede the custom GPO in that OU.

Is that correct?

Applying this logic, I deleted the custom GPO in that OU that I created and just changed the "Default Domain Policy" for "Deny log on locally" and added the application accounts group to that.

The logic does seem a little weird as to why the precedence would be this way by default.

Is there a way of changing it so that custom GPOs in OUs override the default domain policy?

I think that would be a more "tidy" solution in my head...

Cheers,

Blondebier
 
You really should not touch the default domain policy except to configure password policies.

Lower level GPOs will apply after and should override unless you are blocking inheritance as blondebier suggests.



I hope you find this post helpful.

Regards,

Mark

 
LSDOU is the acronym to remember in what order they are applied. Local policies go first, then Site Policies (configured in AD sites and services), then Domain policies, then finally the OU policies. Policies from child OUs are applied after parent OUs.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
 
Thanks for the replies guys.

What you are saying does make sense, but I don't seem to be able to get these settings to apply in my custom GPOs.

If I set them in my "Default Domain Policy" it works.

It doesn't seem to follow that "Policies from child OUs are applied after parent OUs."

I'm pulling my hair out...
 
There is another solution to this problem.

Open up the user accounts you wish to restrict in "Active Directory Users and Computer".

Click on the "Account" tab and click on the "Log on To" button.

From there put the servers you wish those accounts to log on to, and that's it. They will only be allowed to log on to those computers.
 
That would work in certain scenarios, but wouldn't work for us here as we want to deny access to all computers for these users.
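The logon rights Mark lists (Deny log on locally, Deny log on through Terminal Services, Log on as a service) live under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, so a GPO carrying them only takes effect on computers in the scope it is linked to, not on the user accounts' OU. The script below is an added example, not code from the thread; it exports the effective local policy on a member computer with secedit and reports whether the application-accounts group (assumed to be named "App Service Accounts") actually holds each right there.

```powershell
# Added example: check which of the discussed logon rights a group holds on
# THIS computer, as resolved by Group Policy. Run elevated on a domain member.
# "App Service Accounts" is an assumed placeholder for the OP's group name.

$GroupName = 'App Service Accounts'
$Rights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    SeServiceLogonRight               = 'Log on as a service'
}

# secedit writes principals as *SID, so resolve the group name to its SID first.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve group '$GroupName' to a SID: $_"
}

# Export only the User Rights Assignment area of the effective local policy.
$inf = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse lines of the form "SeXxxRight = *S-1-5-...,*S-1-5-..." from the export.
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = $matches[2] -split ',' |
            ForEach-Object { $_.TrimStart('*').Trim() } | Where-Object { $_ }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A right that is not present in the export is held by nobody on this machine.
foreach ($right in $Rights.Keys) {
    $held = @($assigned[$right]) -contains $sid
    '{0,-40} {1,-4} ({2})' -f $Rights[$right], $(if ($held) { 'yes' } else { 'NO' }), $right
}
```

If the deny rights show "NO" on a workstation even after gpupdate /force, run gpresult /r /scope:computer on that workstation: it lists the GPOs applied to the computer object, which is where a GPO linked only to the accounts' OU will be missing.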
 