deny logon locally for other domain users

[GM]

Hi,

I want to make my computer (OS=Win2KPro) only accessible for certain
domain users. The domain my PC is on, is a Win2000 domain.
So on my PC, I created a group DenyLogon and added all those
users/groups who I want to deny to login. So I added this group
DenyLogon to the Deny Logon Locally policy of my PC ... but, this
approach doesn't seem to work (yes I rebooted my computer after wards) :-(

Anyone an idea what I did wrong ? Or can this only be accomplished by
editing the domain policies ?

Thanx in advance,

Gaëtan Martens

 

[Dmitry Korolyov [MVP]]

I believe the actual problem is in effective settings of the policy. I
assume you have edited "Deny Logon Locally" settings in local security
policy on these PCs. However, in Default Domain Policy this setting is also
defined, and the list is empty. Since domain policies override local
policies, the effective setting is that noone is denied local (interavtive)
logon privilege.
So yes, you have to edit domain policy. In fact, it would be a good idea to
create a policy specially for that purpose, define the setting(s) in that
policy, and apply it to all required computer accounts.

 

[GM]

So yes, you have to edit domain policy. In fact, it would be a good idea to
create a policy specially for that purpose, define the setting(s) in that
policy, and apply it to all required computer accounts.

Ok thanx,
but 1 major question: how do I do that ?

Gaëtan Martens