Denying Log On Locally / Through Remote Desktop...

    Question

  • In my environment I have my forest root domain (company.local) and a child subdomain (retail.company.local).  The company.local domain is used for our corporate headquarters and distribution warehouse.  The retail.company.local domain is used for our 300 retail locations across the state.

    Due to the nature of our network, I currently have it configured to not allow any of the child domain users the right to log on to any of the parent domain computers.  I do this in my Default Domain Policy.  

    We are now going to be adding the equivalent of branch office connectivity in our district offices located around the state.  My goal is to have these branch offices authenticate to the parent domain.  Currently, I have all of my branch office users and my branch office computers set up in their own OU.  My goal is to make it so that the branch office users can log on to the branch office computers, but they cannot log on to the other computers in the parent domain.  I have set up a shadow group to mirror the users in the branch office OU (SHADOW_Branch Users).

    So I modified my Default Domain Policy to set "Deny log on locally" to COMPANY\SHADOW_Branch Users.  I then created a new GPO, called Branch Office Workstation Standards, in which I set "Allow log on locally" to Domain Admins, Administrators, Help Desk, SHADOW_Branch Users.  This is the only setting that I set.

    I tried to log on and I do not have permissions.  After running the Group Policy Results Wizard, I see that it has both "Allow log on locally" and "Deny log on locally" for the SHADOW_Branch Users group.  

    How would you get around this?  Ideally, I would love to be able to use the inheritance.  I am open to suggestions.

    Thanks

    sb

    Monday, June 22, 2015 8:53 PM

Answers

  • > So I modified my Default Domain Policy, to Deny Logon Locally to
    > COMPANY\SHADOW_Branch Users.  I then created a new GPO, called Branch
    > Office Workstation Standards - in which I set Allow Logon Locally to
    > Domain Admins, Administrators, Help Desk, Shadow_Branch Users.  This is
    > the only setting that I set.
     
    Add "Deny log on locally" to your Branch Office Workstation Standards and
    do NOT add the SHADOW_Branch Users group here. Privileges are not
    cumulative; the last writer wins.
     

    Greetings, Martin

    How about reading a good book on GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by stephenmbell Wednesday, June 24, 2015 3:23 PM
    Tuesday, June 23, 2015 7:29 AM
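The precedence rule behind Martin's answer, shown as an added example that is not part of the original thread: User Rights Assignment settings are stored per GPO as whole lists in the [Privilege Rights] section of GptTmpl.inf, and the GPO with the highest precedence that defines a given right replaces the entire list (lists from different GPOs are never merged). The script below parses that INF format, applies two constructed GPOs in processing order (domain-linked first, then the OU-linked branch GPO), and reports whether the shadow group can log on interactively before and after the fix. The SIDs, group names and the Get-AppliedUserRights helper are assumptions for illustration; the last function only works on a domain-joined Windows host where secedit is available.

```powershell
# Added example (not code from the original thread). Models how Windows resolves
# User Rights Assignment across GPOs: each right is a whole list, and the
# highest-precedence GPO that DEFINES the right replaces the list outright.
# All SIDs and GPO contents below are constructed placeholders.

# Parse the [Privilege Rights] section of a GptTmpl.inf into a hashtable of
# right name -> array of SID strings. "SeDenyInteractiveLogonRight =" with no
# value means "defined but empty", which is the state Martin's fix relies on.
function ConvertFrom-PrivilegeRights {
    param([Parameter(Mandatory)][string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($rawLine in ($InfText -split "`r?`n")) {
        $line = $rawLine.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        $name, $value = $line -split '=', 2
        $members = @()
        if ($value -and $value.Trim()) {
            $members = @($value.Trim() -split ',' | ForEach-Object { $_.Trim() })
        }
        $rights[$name.Trim()] = $members
    }
    return $rights
}

# Apply GPOs in processing order (lowest precedence first: domain before OU).
# A later GPO that defines a right overwrites the whole list; undefined rights
# are left alone, which is why defining an empty Deny list in the OU GPO works.
function Resolve-EffectiveUserRights {
    param([Parameter(Mandatory)][string[]]$GpoInfTextsInProcessingOrder)
    $effective = @{}
    foreach ($inf in $GpoInfTextsInProcessingOrder) {
        $rights = ConvertFrom-PrivilegeRights -InfText $inf
        foreach ($right in $rights.Keys) { $effective[$right] = $rights[$right] }
    }
    return $effective
}

# A Deny match always wins over an Allow match at logon time.
function Test-InteractiveLogon {
    param([Parameter(Mandatory)][hashtable]$Effective, [Parameter(Mandatory)][string]$Sid)
    $allowed = $Effective['SeInteractiveLogonRight']     -contains $Sid
    $denied  = $Effective['SeDenyInteractiveLogonRight'] -contains $Sid
    [pscustomobject]@{ Sid = $Sid; Allowed = $allowed; Denied = $denied; CanLogOn = ($allowed -and -not $denied) }
}

# Export the rights actually applied on this workstation (assumed helper; needs
# an elevated prompt on a domain-joined Windows host) and parse them the same way.
function Get-AppliedUserRights {
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $text = Get-Content -Path $inf -Raw
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return ConvertFrom-PrivilegeRights -InfText $text
}

# --- Constructed sample data (placeholder SIDs, not values from the thread) ---
$ShadowBranchUsers = '*S-1-5-21-1111111111-2222222222-3333333333-1105'
$Administrators    = '*S-1-5-32-544'

$DefaultDomainPolicy = @"
[Privilege Rights]
SeDenyInteractiveLogonRight = $ShadowBranchUsers
"@

# The poster's original branch GPO: only "Allow log on locally" is defined, so the
# domain-level Deny list survives untouched and still blocks the shadow group.
$BranchGpoBroken = @"
[Privilege Rights]
SeInteractiveLogonRight = $Administrators,$ShadowBranchUsers
"@

# Martin's fix: define "Deny log on locally" in the branch GPO too, and leave it
# empty, so the higher-precedence OU GPO replaces the domain Deny list.
$BranchGpoFixed = @"
[Privilege Rights]
SeInteractiveLogonRight = $Administrators,$ShadowBranchUsers
SeDenyInteractiveLogonRight =
"@

$before = Resolve-EffectiveUserRights -GpoInfTextsInProcessingOrder @($DefaultDomainPolicy, $BranchGpoBroken)
$after  = Resolve-EffectiveUserRights -GpoInfTextsInProcessingOrder @($DefaultDomainPolicy, $BranchGpoFixed)

Test-InteractiveLogon -Effective $before -Sid $ShadowBranchUsers
Test-InteractiveLogon -Effective $after  -Sid $ShadowBranchUsers
```

Two things to keep in mind when applying this for real: the branch GPO must be linked to the OU that contains the branch computer objects (user rights are a computer-side setting, so the users' OU is irrelevant), and every other computer in the domain still gets the domain-level Deny list because no higher-precedence GPO redefines it there. On a workstation, Get-AppliedUserRights followed by Test-InteractiveLogon against the group's real SID gives the same answer as the Group Policy Results Wizard without the GUI.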

All replies

  • This did the trick.  Thank you
    Wednesday, June 24, 2015 3:24 PM