Local Policies

[Guest]

Hi

I need to prevent all domain users (except for two users) from access
a computer. This computer contain payroll information, so you see how
secure this has to be. If I edit the Local policies > Log on Locally,
that seem to work. But will the Domain Policy override the local
policy. If yes, what is the best way to prevent users from logging
into this computer?

- I also removed the Admin shared drives (C$, D$)
- disable to guest account
- change the Administrator password.

Is there anything else that I should do?


Thanks!

 

[Miha Pihler]

Hi,

in your domain, put these two computers in separate OU and apply policy at
OU level instead of local policy.

You might also want to check the policy "Access this computer from the
network" and limit users who can do this.

Mike

 

[Roger Abell]

Hi

I need to prevent all domain users (except for two users) from access
a computer. This computer contain payroll information, so you see how
secure this has to be. If I edit the Local policies > Log on Locally,
that seem to work. But will the Domain Policy override the local
policy. If yes, what is the best way to prevent users from logging
into this computer?

Yes, domain delivered policy overrides local settings.
If you cannot get domain admin to configure this securely
then do not have the machine in the domain. Otherwise,
one can set anything (and more) from domain GPO that
can be set in local policy.

- I also removed the Admin shared drives (C$, D$)
- disable to guest account
- change the Administrator password.

Is there anything else that I should do?

Oh yes. You could shut off the Server (and hence
Browser) service which will prevent any network
sharing. Also, turn on that firewall, which will
prevent unsolicited incoming attempts to get at the
machine. There is more, in fact one can almost
endlessly refine what one does to "secure" a box.