User account logon to domain

Claudio

Hi all,

Does anybody know an answer to the following problem?
Where does Windows set the right that lets a user do an interactive logon to
the domain on a Windows 2000 workstation? I have removed the user from the
group "Domain users" but the user can still log in to the domain from a Windows
workstation. I can state in a policy that a user is denied local
logon. But I want the user not to have that right, so I do not have to
disable the user's logon; that's more secure.

Thanks for the help.
 
Miha Pihler

Hi,

Check this policy on the client. Under Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment.
Here look for "Log on Locally" policy. Double click on it and you will see
the list of users that are allowed to logon locally...

You can change this by editing this policy at e.g. Domain or OU policy. Just
make sure you don't lock yourself out of domain...

Mike
 
Steven L Umbach

Mike gave the instructions. I would just add: don't try to remove a domain user
from the domain users group. Instead create a global group of users that you want to
be able to logon locally and add that group and then remove everyone/users, but not
administrators. Another way is to create a global group of users you do not want to
logon and add it to the deny logon locally user right for a workstation but do not
deny logon to users or everyone. This can be done at the OU level for multiple
computers. Domain users can also be restricted to what domain computers they can
logon to in their user account properties in AD Users and Computers.

--- Steve
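
An added example, not part of the thread: a Python check over the text of a `secedit /export` security template that flags the "Log on locally" and "Deny logon locally" settings the replies above warn about. The sample template, the domain SID and the RID 1105 group are constructed for illustration; the function names are hypothetical.

```python
import configparser

EVERYONE = "*S-1-1-0"              # well-known SID: Everyone
ADMINISTRATORS = "*S-1-5-32-544"   # well-known SID: BUILTIN\Administrators
USERS = "*S-1-5-32-545"            # well-known SID: BUILTIN\Users

# Constructed sample; RID 1105 stands in for a "may log on locally" global group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-545
"""

def privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep the case of the right names
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in parser.items("Privilege Rights")}

def audit_logon_rights(inf_text):
    """Return findings for the interactive logon rights in a template."""
    rights = privilege_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", [])
    deny = rights.get("SeDenyInteractiveLogonRight", [])
    findings = []
    if allow and ADMINISTRATORS not in allow:
        findings.append("Administrators missing from 'Log on locally' (lockout risk)")
    for sid in (EVERYONE, USERS):
        if sid in allow:
            findings.append(f"{sid} is still allowed to log on locally")
        if sid in deny:
            findings.append(f"{sid} is in 'Deny logon locally' (lockout risk)")
    for sid in sorted(set(allow) & set(deny)):
        findings.append(f"{sid} is in both lists; the deny right takes precedence")
    return findings

if __name__ == "__main__":
    for finding in audit_logon_rights(SAMPLE_INF):
        print(finding)
```

The functions take the template as text, so decode the exported file first (secedit usually writes it as UTF-16).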
 
