Deny User Login Rights on DC

dfcrj

Here's my layout: we are in a single 2003 domain with 4 sites. Each
site has a DC installed. We have a user in one of the sites who walks
over to the server and logs in using their username and password into
the domain. This person is a domain admin; I do not want him to
log into the server ever. How can I deny him the right to log in on
that server only?

I've tried the following and can't get it to work on that server in
that site:
1.) Domain Controller Security Policy - Deny Local Logon - username
2.) Domain Security Policy - Deny Local Logon - username

I just want to deny login only on that server.
Please help.
 
Jerold Schulman

Default Domain Controller Policy.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Brian Desmond [MVP]

Domain Admins can log in to DCs. You can't work around this without removing
them from Domain Admins and delegating them the authority to do what they need
to do.

--
Brian Desmond
Windows Server MVP

Http://www.briandesmond.com
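Two things worth checking before giving up on the user-right approach, as an added note that is not part of any reply above. First, the Default Domain Controllers Policy is linked to the Domain Controllers OU, so a "Deny log on locally" entry there reaches all four DCs, not one; a deny that should hit a single DC belongs in a separate GPO linked to that OU with its Security Filtering narrowed to that DC's computer account. Second, a deny right does win over the allow that Domain Admins inherit through the DC's Administrators group, so the logon would be refused once the policy applies; the real weakness is the one the replies point at: a Domain Admin can open the GPO and remove the entry. The script below is an added example, not from the thread; it exports the user-rights assignments actually in force on the DC, reports who holds the deny right, and checks whether the account is still in Domain Admins. The account name `CONTOSO\jdoe` is an assumed placeholder.

```powershell
# Added check, not from the thread. Run in an elevated prompt on the DC in question.
# $User is an assumed example account name; substitute the real one.
param([string]$User = 'CONTOSO\jdoe')

# 1. Pull the user-rights assignments that are actually in force on this DC.
#    On a DC that is the merge of the domain-level GPOs and the GPOs linked to the
#    Domain Controllers OU (the Default Domain Controllers Policy among them).
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    "Deny log on locally is not defined on this DC: the GPO has not applied here yet (try gpupdate /force and check the Domain Controllers OU link)."
} else {
    # The value is a comma-separated list; secedit writes SIDs as *S-1-5-..., names as-is.
    $holders = foreach ($h in (($line -split '=', 2)[1] -split ',')) {
        $h = $h.Trim()
        if ($h -like '*S-1-*') {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $h }   # unresolvable SID (deleted account) stays as a SID
        } else { $h }
    }
    "Deny log on locally is assigned to: $($holders -join ', ')"
    "Target user listed: $($holders -contains $User)"
}

# 2. Is the account still a Domain Admin? If so the deny is only a speed bump:
#    he can open the same GPO and remove himself from the right.
$group   = [ADSI]"WinNT://$env:USERDOMAIN/Domain Admins,group"
$members = $group.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
"Member of Domain Admins (direct): $($members -contains ($User -split '\\')[-1])"
```

The WinNT provider lists direct members only; a nested group shows up under its own name, so an account that reaches Domain Admins through another group will not be flagged by the last line.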
 
Colin Nash [MVP]

And even if you could restrict him... he could just go in and unrestrict
himself.
 
dfcrj

I thought that since he was given domain admin rights it would
have an effect, but I also thought a "deny" policy would override any
"allow" policy. How can I remove him as a domain admin but give him
rights to just one site to make small changes, like reset passwords,
and maybe install updates to local PCs?
Thanks
 
Brian Desmond [MVP]

You can use the delegation wizard in AD Users & Computers for things like
password resets.

As far as administering local PCs, I would set up a group in AD called
DesktopAdmins, or something like that, add him and other appropriate people to
it, and then use Group Policy to set the local Administrators group to be
restricted, adding Domain Admins, DesktopAdmins, etc.

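The two delegations described in this reply, as an added example that is not part of the thread: the ACEs the delegation wizard writes for "Reset user passwords and force password change at next logon" (plus write on lockoutTime for unlocking), scoped to user objects under one site's OU, and a Restricted Groups template that pins the local Administrators group on the site's PCs to Domain Admins plus DesktopAdmins. It assumes the ActiveDirectory module (RSAT) on the machine it runs from, which a 2003-era domain would not have had natively; the same ACEs can be set on a 2003 domain with dsacls from the Support Tools. The OU `OU=Site1,DC=contoso,DC=com` and the group `Site1-Helpdesk` are made-up names; the schema GUIDs are the fixed well-known values. One caveat a practitioner should know: accounts protected by AdminSDHolder (members of Domain Admins and the other protected groups) do not inherit these ACEs, so the helpdesk group cannot reset their passwords, which is the behaviour you want.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SiteOU      = 'OU=Site1,DC=contoso,DC=com'   # assumed: the OU holding that site's users
$HelpdeskGrp = 'Site1-Helpdesk'               # assumed: the group that replaces his DA membership

# Well-known schema GUIDs, identical in every AD forest
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # class: user
$ResetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$LockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute: lockoutTime

$sid  = (Get-ADGroup $HelpdeskGrp).SID
$path = "AD:\$SiteOU"
$acl  = Get-Acl -Path $path

# Helper: an ACE that applies only to user objects beneath the OU, never to the OU itself
function New-UserAce {
    param([System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
}

# What the wizard's "Reset user passwords and force password change at next logon" grants
$acl.AddAccessRule((New-UserAce -Right ExtendedRight -ObjectType $ResetPwdRight))
$acl.AddAccessRule((New-UserAce -Right 'ReadProperty, WriteProperty' -ObjectType $PwdLastSet))
# Plus unlock, which that wizard task does not include
$acl.AddAccessRule((New-UserAce -Right 'ReadProperty, WriteProperty' -ObjectType $LockoutTime))
Set-Acl -Path $path -AclObject $acl

# Verify: list what the group now holds on the OU
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$HelpdeskGrp" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Restricted Groups template for the desktop GPO: local Administrators (S-1-5-32-544)
# becomes exactly Domain Admins (RID 512) + DesktopAdmins. Import it into the GPO via
# Computer Configuration > Windows Settings > Security Settings > Import Policy...
$domainSid  = (Get-ADDomain).DomainSID.Value
$desktopSid = (Get-ADGroup 'DesktopAdmins').SID.Value   # group name as in the post
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *${domainSid}-512,*${desktopSid}
"@ | Set-Content -Path (Join-Path $env:TEMP 'DesktopAdmins.inf') -Encoding Unicode
```

Restricted Groups with a `__Members` line is enforcing, not additive: any local account or group not listed is removed from Administrators at every policy refresh, so add the local Administrator account or any other required member to the list before linking the GPO.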
 