Create a GPO for "Allow log on locally" permission

  • Question

  • I am reading this article which shows me how to grant certain users "Allow log on locally" permissions 

    http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

    This worked for me... but I think the problem is that the user who is granted the "Allow log on locally" permission gets this permission on all machines in the domain.

    How can I create the same GPO... but the permission of Allow log on locally is granted to the user... only on a few specific machines in the domain?


    val it: unit=()

    Saturday, May 3, 2014 5:52 AM

Answers

  • Can you show me how to do this. I am on this screen and I can right click and say edit and then go into Computer Configuration\Policies\Windows Settings\Security Settings, and Local Policies, and then click User Rights Assignment.

    but it is not targeting any specific server. Can you give me the steps to target specific server in this screen below?

    Hi,

    From your example, we can see that you are editing the GPO named: Default Domain Controllers Policy (DDCP).

    This is a GPO that you shouldn't adjust, without careful planning, design and understanding, because it only applies to your Domain Controllers (DCs), and, it applies to *ALL* DCs, *AND* configuration changes to DCs affect your whole forest/domain.

    So, unless you are intending to make this change globally, don't do this change, to this GPO.

    We can also see that your domain, does not have any new Organisational Units (OUs) created.
    Usually, create an OU for users, and another OU for computers. (Actually, usually, several such OUs are created, based on your plan/design).
    Then, create the desired GPO, add desired settings to that GPO, then, link that GPO to the desired OU (where you want the settings to apply).

    http://technet.microsoft.com/en-US/library/cc754948.aspx

    The dedicated GP forum, is here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverGP

    By default, when a computer is joined to a domain (so it becomes known as a domain member), the builtin security principal of "Domain Users" (which represents all user accounts in the domain) is added to the "Users" group of the domain member machine. This allows any/all/every domain user account to logon locally to the member machine. If you change/deny/revoke this permission, ensure that you scope the settings/policy correctly! (if not, you will be dis-allowing all logons to that machine, and it is annoying and frustrating to perform recovery) (which is fine if you are learning in a test environment, but can be disastrous in a production environment :)

    Here is a beginners guide/example: http://technet.microsoft.com/en-us/library/cc754657(v=WS.10).aspx


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)



    • Edited by DonPick Saturday, May 3, 2014 10:55 PM
    • Marked as answer by MSDN Student Monday, May 5, 2014 3:12 PM
    Saturday, May 3, 2014 10:47 PM
  • Completely agree with the above post from Don. Modifying local logon rights for domain members can have very negative and unexpected results. 

    Just in case this isn't the scenario or environment that is relevant to you, I will try to answer your original question:

    > How can I create the same GPO... but the permission of Allow log on locally is granted to the user... only on a few specific machines in the domain?

    In order to apply User GPO settings to computers, you will need to use a feature of group policy called loopback policy processing.

    More information about this feature and how it can be implemented are below:

    http://technet.microsoft.com/en-us/library/cc978513.aspx

    So your overall process, if you wanted to allow local logon to a specific machine, would be:

    1) Create a GPO with the Loopback policy setting enabled, and with the "allow logon locally" settings you require.

    2) Within your Active Directory, move the 1 computer you want these settings to apply to into an isolated OU or a sub-OU of its current location. (You could potentially just apply the necessary permissions on the GPO so that they only apply to the respective machine, but this can potentially cause problems in the future if you forget how this was implemented.)

    3) Link the GPO to the OU containing the computer. 

    Please note, you will need to restart the machine before these settings get successfully applied.

    Hope this helps and best of luck! :)

    Sean

    • Marked as answer by MSDN Student Monday, May 5, 2014 3:13 PM
    Sunday, May 4, 2014 8:30 AM
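The scoping procedure Sean describes, together with the lock-out check Don warns about, as an added PowerShell example that is not code from the thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the OU name, GPO name and computer name APP01 are placeholders.

```powershell
# Added example (not from the thread). Placeholder names: OU 'LocalLogon-Servers',
# GPO 'Allow log on locally - APP01', computer 'APP01'.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'LocalLogon-Servers'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Allow log on locally - APP01'
$computer = 'APP01'

# 1) Isolated OU, so the GPO only reaches the machines deliberately placed in it
#    (never the domain root or the Domain Controllers OU / DDCP).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2) Move only the intended computer object into that OU.
Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ouDN

# 3) Create the GPO. "Allow log on locally" sits under Computer Configuration\Policies\
#    Windows Settings\Security Settings\Local Policies\User Rights Assignment and is
#    edited in GPMC (no GroupPolicy cmdlet writes user rights). Keep BUILTIN\Administrators
#    in that list, otherwise admins are locked out of the box.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Scoped "Allow log on locally" right' }

# Loopback (merge mode = 1) as the reply describes; user rights are computer-side settings,
# so this value only matters if the same GPO also carries user-side settings.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4) Link the GPO to the isolated OU only (idempotent: skip if already linked).
if (-not (Get-GPInheritance -Target $ouDN).GpoLinks.Where({ $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 5) Verify on the target after 'gpupdate /force' and a reboot: export the effective
#    user rights and confirm SeInteractiveLogonRight still lists S-1-5-32-544 (Administrators).
Invoke-Command -ComputerName $computer -ScriptBlock {
    $inf = Join-Path $env:TEMP 'secpol-check.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line -notmatch 'S-1-5-32-544') { Write-Warning "Administrators missing from: $line" }
    $line
}
```

Run the verification step against a test machine first; if the right no longer contains the Administrators SID, unlink the GPO before it reaches production hosts.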

All replies

  • There are two sets of policy:

    GPO that apply to computer

    GPO that apply to user

    Now it depends on which organizational object you are applying the policy to. If you have created an organizational unit (OU), put the computer in it and apply the GPO to this OU; then the GPO is executed for any computer that is inside the OU, unless you apply filtering.

    Do not forget that it will take some time until the policy is applied to the target, unless you make the GPO effective with the command gpupdate with the parameter force. Without doing it the time elapsed is between 1 and 1.5 hours.

    For study of GPO I recommend the book by Jeremy Moskowitz: Group Policy .... (2013, 2nd Ed)

    Regards

    Milos

    Saturday, May 3, 2014 6:08 AM
  • Can you show me how to do this. I am on this screen and I can right click and say edit and then go into Computer Configuration\Policies\Windows Settings\Security Settings, and Local Policies, and then click User Rights Assignment.

    but it is not targeting any specific server. Can you give me the steps to target specific server in this screen below?


    val it: unit=()

    Saturday, May 3, 2014 6:49 PM
  • try this

    http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

    Sunday, May 4, 2014 3:02 PM
  • try this

    http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx


    that is the article which the OP started with.......

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, May 4, 2014 10:18 PM