"Allow log on locally' not denying access in Active Directory

[ugolee]

I'm trying to lock down a group of XP Workstations to a particular group of users. So, I have my group of users in a group AD\workstation-users. I also have an OU set up for the computers which are going to be locked down.

I've setup a GPO on that OU, and set GPO > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights > Allow log on locally to:
Administrators
AD\workstation-users

But, when I try to log onto these workstations with a user account that is NOT in the workstation-users group, I can still log into the machine. I've restarted the computer a few times so that it will pick up the new policy and waited long enough for replication to occur.

Any ideas why this isn't working?

 

[mrdenny]

Run gpresult from the workstation to see what GPOs are being applied. Use RSOP to make sure that the workstation is getting the policy correctly.

Also check the local security policy on the workstation and see what it says the settings are.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

My Blog