Deny Log on Locally user right on member server

    Question

  • Hi GP experts,

    I have new requirements to be implemented in my environment. One of them is to deny the "log on locally" user right on member servers as well as workstations, to prevent access from highly privileged domain accounts (Enterprise Admins group and Domain Admins group) on domain systems and from unauthenticated access on all systems. Currently, I use my secondary admin account to perform any admin functions.

    My question is: after configuring the above via GPO, how would I carry out the admin functions on member servers like Exchange/SharePoint and on workstations?

     Any thoughts?

    Thanks

    Thursday, August 25, 2016 6:29 PM

Answers

  • Hi,

    What is the OS of your computer?

    You could try to create a server group on Windows Server 2012 and 2012 R2 to manage all servers in the server group.

    For more information about creating a server group, please refer to the article below.

    Create and Manage Server Groups

    https://technet.microsoft.com/en-us/library/hh868009(v=ws.11).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 30, 2016 2:02 AM
    Moderator

All replies

  • Hi,

    Thanks for your post.

    You could allow the admin account to log on remotely. Then you could manage those servers remotely.

    You could configure the admin account with "Allow log on through Remote Desktop Services".

    Best Regards,

    Jay

    Friday, August 26, 2016 1:40 AM
    Moderator
  • Jay,

    Remote Desktop Services / Terminal Services are disabled.

    Friday, August 26, 2016 12:27 PM
  • Hi,

    You could use MMCs and PowerShell to manage them remotely. But I'm confused about your request. Why put people in the Domain Admins and Enterprise Admins groups and then deny them access to domain resources? I would not put a lot of members in these sensitive groups in the first place!

    FrenchITGuy.com

    Friday, August 26, 2016 12:38 PM
  • FrenchITGuy,

    These are the requirements to lock down the environment.

    Allow log on locally -> Administrators

    Deny log on locally -> Enterprise Admins Group, Domain Admins Group and Guests Group

    How do you implement this?

    Friday, August 26, 2016 3:00 PM
    You can put them in the GPO.  BUT the Deny will take precedence, so if you have an administrator who is a member of one of those groups, they will not get in.  You run the risk of locking everyone out of the server locally and will have to fall back to local accounts.

    Deny log on locally

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Allow log on locally

    GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Friday, August 26, 2016 6:24 PM
  • My question is how do you manage the servers/workstations after implementing the above.

    Monday, August 29, 2016 12:53 PM
    The above two will affect local logons, so anyone in the Deny setting will not be able to log on locally.  If that user must administer the server, then they can do it remotely.  

    Back to the point made by FrenchIT, why are you trying to deny Enterprise Admins and Domain Admins?  They should be trusted admins, and it defeats the point to lock them out; plus 'evil' Domain Admins can just change the policy that you put in. 

    Monday, August 29, 2016 1:00 PM
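    The two points made in this thread (the "Deny log on locally" entry wins over "Allow log on locally", and a denied admin can still work remotely) can be checked from a script. The example below is added here and is not code from any poster or from Microsoft: it uses PowerShell remoting (a network logon, which "Deny log on locally" does not block, although "Deny access to this computer from the network" would) to export each server's effective user rights with secedit, resolves the SIDs, and reports whether a given account would still be able to log on locally given its group membership. The server names, the CONTOSO domain, the adm-jdoe account and its group list are placeholders; it assumes WinRM is enabled on the targets and that you connect with an account that is a local administrator there.

```powershell
# Added example, not from the original thread. Audits "Allow log on locally" /
# "Deny log on locally" on member servers over WinRM and applies the
# deny-wins rule for a chosen account. Server/domain/account names are placeholders.

function Get-InteractiveLogonPolicy {
    # Export the effective local security policy (needs admin rights) and parse
    # the two user rights. secedit writes principals as *S-1-5-... SIDs or names.
    $tmp = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    try   { $text = Get-Content -Path $tmp -Raw }
    finally { Remove-Item -Path $tmp -ErrorAction SilentlyContinue }

    $result = @{}
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $principals = @()
        if ($text -match "(?m)^$right\s*=\s*(.*)$") {
            $principals = @($Matches[1].Split(',') | ForEach-Object {
                $p = $_.Trim().TrimStart('*')
                try {
                    # Resolve SIDs to DOMAIN\Name; keep unresolvable entries as raw SIDs
                    ([System.Security.Principal.SecurityIdentifier]$p).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $p }
            })
        }
        $result[$right] = $principals
    }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AllowLogOnLocally = $result['SeInteractiveLogonRight']
        DenyLogOnLocally  = $result['SeDenyInteractiveLogonRight']
    }
}

function Test-InteractiveLogonAllowed {
    # Deny takes precedence: if any group of the account is in the deny list the
    # local logon fails even though the account is also covered by Allow
    # (e.g. via BUILTIN\Administrators). That is the lockout the thread warns about.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string[]] $AccountAndGroups   # as listed by whoami /groups
    )
    $denied  = @($Policy.DenyLogOnLocally  | Where-Object { $AccountAndGroups -contains $_ })
    $allowed = @($Policy.AllowLogOnLocally | Where-Object { $AccountAndGroups -contains $_ })
    [pscustomobject]@{
        ComputerName = $Policy.ComputerName
        Allowed      = ($denied.Count -eq 0 -and $allowed.Count -gt 0)
        DeniedVia    = $denied -join ', '
        AllowedVia   = $allowed -join ', '
    }
}

# Placeholder member servers; the audit itself runs remotely (logon type 3),
# so it still works after the admin account is denied local logon.
$servers  = 'EXCH01', 'SP01'
$policies = Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-InteractiveLogonPolicy}

# Placeholder group list for the secondary admin account you sign in with.
# Because it is a Domain Admin, the deny entry wins and Allowed comes back False.
$myGroups = 'CONTOSO\adm-jdoe', 'BUILTIN\Administrators', 'CONTOSO\Domain Admins'

$policies |
    ForEach-Object { Test-InteractiveLogonAllowed -Policy $_ -AccountAndGroups $myGroups } |
    Format-Table ComputerName, Allowed, DeniedVia, AllowedVia -AutoSize
```

    Run it before and after linking the GPO. A server that reports Allowed = False for every account you own is exactly the case the reply above describes: nobody can sign in at the console and you fall back to a local account. Note that the deny only applies to interactive (type 2) logons, so the same Invoke-Command path, MMC snap-ins connected to a remote computer, and Server Manager keep working for the denied account as long as "Deny access to this computer from the network" is not also applied to it.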
  • FYI, Remote/Terminal Services are disabled.  Denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain.
    • Edited by tamangketa Monday, August 29, 2016 7:29 PM
    Monday, August 29, 2016 3:36 PM