Disabling Interactive Login

Guest

We've been working on an in-house application that works through a portal.
Users who log in through this portal use LDAP to authenticate through Active
Directory.

Is it possible to make these logins disabled from being able to
Interactively Login to a desktop machine on the domain?

If so, which method would be the best way? Using Group Policies, or is there
a better option within Active Directory?

Thanks,
 
Steven L Umbach

You can configure security policy which is a subset of Group Policy to
modify user rights for logon locally or deny logon locally. For instance
you could create a global group and add it to the deny logon locally user
right via Group Policy to all computers in a domain or Organizational Unit.
Be careful with deny user rights as they override the companion allow user
right and keep in mind that administrators are members of users,
authenticated users, and everyone groups. --- Steve
 
Guest

Is it possible to create this sort of a policy and apply it only to a Group
of users rather than to a whole Domain? My biggest concern is applying a
policy that will lock all users down; this is only required for users in a
specific OU.
 
Steven L Umbach

Sure. Create the global group you want to deny access to, add the users to
the group, and then give this group deny logon locally user right to the
computers you do not want them to logon to interactively which can be done
via Group Policy at the domain or OU level. --- Steve
 
Guest

Is there a website that describes how to create this Security Policy within a
Group Policy? I've created a Group Policy within the OU, but I haven't been
able to find out how to apply the "deny logon locally user right". Thanks
 
Steven L Umbach

Open the Group Policy as an administrator and go to computer
configuration/Windows settings/security settings/local policies/user rights
and you can then configure user rights to your needs. --- Steve
 
Guest

Figured the reason it wasn't working was because in the Permission tab of the
Group Policy, Authenticated users didn't have the "Apply Policy" checked.
Used the policy and applied it against a Group and the Policy worked. Note
for anyone else out there doing the same thing. Also remember to remove them
from having Terminal Services access and you're pretty much right.
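
Added example, not part of the original thread: a Python check over a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump that confirms the group is in the deny rights and flags the broad groups Steve warns about. The INF text, domain SID and group are constructed placeholders, and checking the Terminal Services deny right is an assumption about how remote logon is blocked.

```python
DENY_LOCAL = "SeDenyInteractiveLogonRight"     # "Deny log on locally"
DENY_TS = "SeDenyRemoteInteractiveLogonRight"  # "Deny log on through Terminal Services"

# Well-known groups that contain administrators; a deny on these overrides
# the matching allow right for administrators too.
BROAD = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users",
         "*S-1-5-32-545": "Users"}

# Constructed sample export. Real exports are typically UTF-16, so read them
# with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-11
[Version]
signature="$CHICAGO$"
"""
# Hypothetical SID of the global group holding the portal-only accounts.
PORTAL_GROUP = "*S-1-5-21-1111111111-2222222222-3333333333-1105"


def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def audit(inf_text, group):
    """List problems: group missing from a deny right, or a broad group denied."""
    rights, findings = parse_rights(inf_text), []
    for right in (DENY_LOCAL, DENY_TS):
        denied = rights.get(right, set())
        if group not in denied:
            findings.append(f"{right}: {group} is not listed")
        for sid in sorted(denied & set(BROAD)):
            findings.append(f"{right}: {BROAD[sid]} is denied, which includes administrators")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF, PORTAL_GROUP)) or "no findings")
```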
 
