Deny logon locally GPO doesn't work

  • Question

  • Hi, I'm trying to prevent specific accounts from having the ability to log on to any PCs in the domain. What I did in general is:

    1) Create an OU named "Users - No Logon" and place the users I don't want to allow logon interactively in this OU.

    2) Create a Security Group named "Users - No Logon" and place the users I don't want to allow logon interactively into this Group.

    3) Create a GPO named "GPO - Users - No Logon" under the OU "Users - No Logon" and add the Security Group "Users - No Logon" to Windows Settings\Security Settings\Local Policies\User Rights Assignments\Deny logon locally.

    Basically the steps match what is suggested in the following article. However, the accounts added to the Security Group "Users - No Logon" even after multiple log on / log off and reboots.

    http://windowsitpro.com/security/service-accounts-can-be-secure-yet-have-non-expiring-passwords

    Any ideas what I have done wrong?

    Thursday, September 10, 2015 4:14 PM
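
A check for the setup described in the question, as an added example that is not part of the original post: it exports the user rights in effect on one PC and reports whether the "Users - No Logon" group holds "Deny log on locally" (`SeDenyInteractiveLogonRight`) there. It assumes an elevated PowerShell session on a domain-joined PC; the temp file name and helper function names are illustrative.

```powershell
# Added example: run elevated on one of the domain PCs the accounts should be blocked from.
$GroupName = 'Users - No Logon'   # group name taken from the question

function Get-DenyLogonLocallyEntries {
    param([string]$InfText)
    # secedit writes the right as: SeDenyInteractiveLogonRight = *S-1-...,name,...
    $line = ($InfText -split "`r?`n") |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # the right is not defined on this machine
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

function Resolve-Entry {
    param([string]$Entry)
    # Entries are either plain names or SIDs prefixed with '*'
    if ($Entry -notmatch '^\*S-1-') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Entry   # SID could not be resolved; show it as exported
    }
}

# Export only the user-rights section of the local security policy
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$entries = Get-DenyLogonLocallyEntries -InfText (Get-Content $cfg -Raw) |
    ForEach-Object { Resolve-Entry $_ }
Remove-Item $cfg -ErrorAction SilentlyContinue

# List every principal that holds the right, then test for the group
$entries
if ($entries | Where-Object { $_ -like "*\$GroupName" -or $_ -eq $GroupName }) {
    "'$GroupName' holds Deny log on locally on $env:COMPUTERNAME"
} else {
    "'$GroupName' is NOT in Deny log on locally on $env:COMPUTERNAME"
    "Review which GPOs reached this computer: gpresult /r /scope computer"
}
```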