To block authentication

    Question

  • Hello 

    We have two forests, ABC and XYZ, and a 2-way forest trust is created between them. I am successfully able to log in to the XYZ domain using a computer connected to the ABC domain with an XYZ domain user name and password, and vice versa. Now the question:

    I want to know the GP to block this, i.e. using a computer connected to the ABC domain I should not be allowed to log in to the XYZ domain, and vice versa. I got a hint that the GP has to be configured on both forests. Please assist.

    Aamir


    NA

    Wednesday, February 24, 2016 10:07 PM

Answers

  • You can also work around this by creating a new domain-wide GPO in the target domain and enabling the "Deny logon locally" user right for the source domain user account/s:
     
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally
     
    Also check this KB article for more methods to restrict use of a computer to one domain user only:
      
    https://support.microsoft.com/en-us/kb/555317
      
    Hope this helps.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, February 25, 2016 6:22 AM
    Moderator

All replies

  • Hello 

    I want to know the GP to block this, i.e. using a computer connected to the ABC domain I should not be allowed to log in to the XYZ domain, and vice versa. I got a hint that the GP has to be configured on both forests. Please assist.

    This is the way trusts work. Either you have to change the trust to one-way or use selective authentication.


    Mahdi Tehrani | www.mahditehrani.ir

    Thursday, February 25, 2016 5:00 AM
  • Hello Ethan

    Thank you so much.

    Now I have one more query. Just say I create the above policy in the XYZ domain for ABC domain users, so ABC users will not be able to log in to XYZ.

    What if ABC users log in on a computer connected to the XYZ domain, will they still not be able to log in to the XYZ domain?


    NA


    Thursday, February 25, 2016 10:35 AM
  • This security policy setting only determines which users are prevented from logging on at specific computers. So if you "create the above policy in XYZ domain for ABC domain users", ABC users will not be able to log on at specific computers connected to the XYZ domain.

    Regards,

    Ethan Hua



    Friday, February 26, 2016 1:52 AM
    Moderator
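
The reply above describes "Deny logon locally" as a setting that takes effect at specific computers, so one way to see which accounts it currently covers on a given machine is to export that machine's effective user rights and read the `SeDenyInteractiveLogonRight` entry. This is an added example, not part of the thread; the function names and the `XYZ\user1` account are hypothetical, and only accounts listed directly are matched (group membership is not expanded).

```powershell
# Added example: list who holds "Deny log on locally" on THIS computer.
# Run elevated on the machine being logged on to.
function Get-DenyLocalLogonEntry {
    param([string[]]$InfLines)            # lines of a secedit USER_RIGHTS export
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }            # right is not defined on this computer
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {     # secedit writes SIDs as *S-1-5-...
            $sidText = $entry.TrimStart('*')
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidText
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '<unresolved>'    # e.g. account in a forest that cannot be reached
            }
            [pscustomobject]@{ Sid = $sidText; Account = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Account = $entry }   # plain account name
        }
    }
}

function Test-DenyLocalLogon {
    param([string]$Account, [object[]]$Entries)
    # Direct matches only: membership in a listed group is not expanded here.
    [bool]($Entries | Where-Object { $_.Account -ieq $Account })
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$entries = @(Get-DenyLocalLogonEntry -InfLines (Get-Content -Path $cfg))
Remove-Item -Path $cfg

$entries | Format-Table -AutoSize
# 'XYZ\user1' is a constructed placeholder account name.
Test-DenyLocalLogon -Account 'XYZ\user1' -Entries $entries
```

Run it on the computer where the logon is attempted and compare the output with the accounts named in the GPO.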

  • Now I have created a domain GP in the XYZ domain, and in security filtering added the ABC computer, and in Deny local login added the XYZ domain user.

    But I am able to log in with the ABC domain computer with XYZ domain user credentials, which should not happen. Please advise.


    NA

    Tuesday, March 1, 2016 4:49 PM