deny login to a domain based on group membership

  • Question

  • Howdy,

    Is it possible, through a script, to deny a user access to the domain based on group membership?



    Tuesday, May 31, 2016 8:15 PM


All replies

  • Why? Just disable the account.

    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by jrv Tuesday, May 31, 2016 8:37 PM
    • Marked as answer by Bill_StewartModerator Tuesday, July 5, 2016 3:17 PM
    Tuesday, May 31, 2016 8:27 PM
  • Hi,

    Define 'access to the domain'.

    Evgenij Smirnov

    msg services ag, Berlin ->
    my personal blog (mostly German) ->
    Windows Server User Group, Berlin ->
    Mark Minasi Technical Forum, reloaded ->

    In theory, there is no difference between theory and practice. In practice, there is.

    Tuesday, May 31, 2016 8:28 PM
  • If you want to retain mail and other elements but deny logon, you can add the user to the "deny logon" setting in Group Policy. Use disable account for all other reasons.


    Tuesday, May 31, 2016 8:38 PM
  • Some of the extended attributes are linked to email and smartcard usage; disabling the account breaks the link to email. I just need to deny logon to members of a group named, oh shall we say, I-know-I-was-supposed-to-take-the-required-training-6-months-ago-but-i-didnt, or something like that. Rather than manually editing several attributes for each user before disabling them, I'd like to block logon at a group level.

    Thanks Again!!

    Tuesday, May 31, 2016 8:40 PM
  • Let them know they are not allowed to logon, and in this case, let them know that it is because they did not take the required training.

    Thanks Again!!

    Tuesday, May 31, 2016 8:42 PM
  • You can just use the "Logon to" setting to specify no machines or set logon hours to "none". The account will be active but the user cannot log in. You could also just lock the account.


    Tuesday, May 31, 2016 8:51 PM

  • ¯\_(ツ)_/¯

    Tuesday, May 31, 2016 8:53 PM
  • Or, for the logon workstations in the last screen shot, assign a computer that these users do not have access to, or even one that does not exist. They will only be able to authenticate on this machine.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, May 31, 2016 9:27 PM
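The two suggestions above (logon hours set to "none", and "Logon to" pointed at a workstation the users cannot reach) can be applied to every member of a group from a script. The following is an added example and not code posted by anyone in this thread; it assumes the RSAT ActiveDirectory module in a domain admin session, and the group name and the placeholder computer name are assumptions to be replaced.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# the group name and the "deny" workstation name below are placeholders.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# logonHours is a 21-byte bitmask (7 days x 24 hours, one bit per hour, in UTC).
# All bits cleared is what ADUC shows as logon hours "none".
$script:NoLogonHours = New-Object byte[] 21

function Get-GroupUserMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    # Expand nested groups; skip computer and group objects.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties logonHours, LogonWorkstations
        }
}

function Set-GroupLogonRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Placeholder: a computer name the affected users cannot reach; it need not exist.
        [string]$DenyWorkstation = 'NOLOGON-PLACEHOLDER'
    )
    foreach ($user in Get-GroupUserMembers -GroupName $GroupName) {
        $action = 'Set logon hours to none and restrict LogonWorkstations'
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, $action)) {
            # The account stays enabled, so mail and smartcard attributes are untouched.
            Set-ADUser -Identity $user `
                -Replace @{ logonHours = $script:NoLogonHours } `
                -LogonWorkstations $DenyWorkstation
        }
    }
}

function Remove-GroupLogonRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupName)
    foreach ($user in Get-GroupUserMembers -GroupName $GroupName) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear logon hours and LogonWorkstations')) {
            # Clearing both attributes restores the defaults (all hours, all workstations).
            # userWorkstations is the LDAP name behind the LogonWorkstations property.
            Set-ADUser -Identity $user -Clear logonHours, userWorkstations
        }
    }
}

# Usage: dry run first, then apply.
# Set-GroupLogonRestriction -GroupName 'Training-Overdue' -WhatIf
# Set-GroupLogonRestriction -GroupName 'Training-Overdue'
# Remove-GroupLogonRestriction -GroupName 'Training-Completed'
```

Both attributes are evaluated by the domain controller at authentication time, so the restriction applies wherever the user tries to authenticate with the account, not only at the console of one machine. The script reads group membership on each run and does nothing for users who have since left the group, so pair it with a run of the remove function against the "completed" group, or clear the attributes when a user is moved out of the restricted group.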
  • If the account is disabled, they can't log on at all. Put a comment in the description that they have been disabled because they didn't take the training. When they call the help desk, tell the user they have to take the training.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, May 31, 2016 9:42 PM