Restricting Logon Locally

  • Question

  • I have a pretty good idea on how to do this - but I am just looking to get confirmation --

    I have a machine joined to my domain (Win2k8R2) that I want to allow ONLY 3 users and Domain Admins the right to logon (locally or via RDP).

     

    So - what I have done:

    Created a domain local group (LOGON_LYNK MACHINE), added my 3 users and Domain Admins group to this group.  Then I created a new GPO called Lynk Logon Locally and I went to Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights --> Allow Log on locally & Allow log on through Remote Desktop Services

    If I add this LOGON_LYNK MACHINE group to this GPO setting I am allowing that these users have permissions to logon locally / via RDP.  How do I then restrict logon locally / via RDP to all other users?

    I want to avoid locking myself out - so I am hesitant to test with Deny Log On Locally / via RDP.

     

    Thanks

    sb

    Thursday, May 5, 2011 6:16 PM

Answers

  • When using this GPO, to NOT allow the other users and groups the ability to log on locally, you simply remove/do not add those entries from the list that is allowed.  You should use the DENY log on locally as a last resort.

    For RDP, you do the same.  There is another right called "allow log on locally through Remote Desktop services".

    Visit: anITKB.com, an IT Knowledge Base.
    Friday, May 6, 2011 1:49 AM
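
The check this answer describes (keep only the intended entries in the two allow rights, and keep the deny rights clear of them), as an added example that is not part of the original thread: it parses a `secedit /export /areas USER_RIGHTS` file and reports holders outside the intended list. The sample file, every SID in it, and the function names `Get-PrivilegeRights` and `Test-LogonRights` are constructed for illustration.

```powershell
# Constructed sample of the file written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# Every SID is made up; the one ending in -1105 stands in for LOGON_LYNK MACHINE.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-546
'@

function Get-PrivilegeRights([string]$InfText) {
    # Parse the [Privilege Rights] section into: right name -> list of holders.
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Holders are comma separated; SIDs carry a leading '*', account names do not.
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LogonRights([hashtable]$Rights, [string[]]$Expected) {
    $allowRights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
    $denyRights  = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($right in $allowRights) {
        $actual = @($Rights[$right] | Where-Object { $_ })
        $actual   | Where-Object { $Expected -notcontains $_ } | ForEach-Object { '{0}: unexpected holder {1}' -f $right, $_ }
        $Expected | Where-Object { $actual -notcontains $_ }   | ForEach-Object { '{0}: missing expected holder {1}' -f $right, $_ }
    }
    foreach ($right in $denyRights) {
        # A deny right overrides the matching allow right. Only direct entries are
        # compared here; group membership is not expanded.
        @($Rights[$right] | Where-Object { $_ }) | Where-Object { $Expected -contains $_ } |
            ForEach-Object { '{0}: lists expected holder {1} (lockout risk)' -f $right, $_ }
    }
}

# Assumption: built-in Administrators (S-1-5-32-544) is kept next to the custom group.
$expected = 'S-1-5-32-544', 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Test-LogonRights (Get-PrivilegeRights $sampleInf) $expected
```

On the constructed sample the only finding is the built-in Remote Desktop Users group (S-1-5-32-555) still holding the RDP logon right.
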

All replies

  • Hello,

    GPOs are applied to users/computers that are located in an OU NOT to security groups.

    You can use security filtering with groups IF the accounts are in the OU where security filtering is used.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, May 5, 2011 10:54 PM
  • Hello,

    GPOs are applied to users/computers that are located in an OU NOT to security groups.

    You can use security filtering with groups IF the accounts are in the OU where security filtering is used.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thank you very much for the reply - I am sorry that I was not more clear - my question was not how to properly scope the GPO object to my domain / site / ou using security group or WMI filtering.

     

    Thanks again for the reply.

    Friday, May 6, 2011 1:55 AM