Prevent Domain Users from logging on to specific PCs w/ Group Policies

David Reed

Hi everyone,

I want to create a Group Policy that I can apply to my personal desktop and
the servers that I manage (which are NOT DCs), so that only myself and
other administrators can log on to them (at all).

Can someone offer a suggestion on how I would go about specifying exactly
who can and who cannot log into specific MS 2k Pro workstations, as well as
some MS Windows 2k Servers?

Thanks,

David
 
Guest

AD Users and Computers > Computers > your computer > right-click Properties > Security

Greenman
 
Tim Hines [MSFT]

There are 2 policy settings that you can use to do this. You can do this using the "logon locally" setting or the "deny logon locally". I've included more information below.

Log on locally
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description
Determine which users can log on at the computer.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

The default groups that have this right on each platform are:

Workstations and Servers:
  - Administrators
  - Backup Operators
  - Power Users
  - Users
  - Guest

Domain Controllers:
  - Account Operators
  - Administrators
  - Backup Operators
  - Print Operators

Note: To allow a user to log on locally to a domain controller, you have to grant this right by means of the Default Domain Controller GPO.

Related Policies: Deny logon locally

Deny logon locally
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description
Determines which users are prevented from logging on at the computer. This policy setting supersedes the Log on locally policy setting if an account is subject to both policies.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

By default, there are no accounts denied the ability to log on locally.

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
David Reed

Good Morning,

Forgive me if I misunderstand. How will that prevent people from logging on
(at all)? Does that option allow people to log on locally? I want to
prevent ANYONE besides myself from logging on to specific Win2k Pro systems,
either locally or through the domain.

Did I ask the right question?

Regards,

David
 
Gary Mudgett [MSFT]

In order to prevent users from logging on at the console of the machine they
need to have the Logon Locally user right. This can be set either in the
Local Security policy or through a GPO that applies to those computers.
Logon Locally does not prevent users from accessing network shares on the
machine, just logging on at the console. Users who do not have that
permission would receive the "The local policy of this system does not permit
you to logon interactively." message.

Tim Hines had previously posted the following response, which I don't know if
you saw:
There are 2 policy settings that you can use to do this. You can do this
using the "logon locally" setting or the "deny logon locally". I've
included more information below.

Log on locally
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description
Determine which users can log on at the computer.

This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.

The default groups that have this right on each platform are:

Workstations and Servers:
  - Administrators
  - Backup Operators
  - Power Users
  - Users
  - Guest

Domain Controllers:
  - Account Operators
  - Administrators
  - Backup Operators
  - Print Operators

Note: To allow a user to log on locally to a domain controller, you have to grant
this right by means of the Default Domain Controller GPO.

Related Policies: Deny logon locally

Deny logon locally
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description
Determines which users are prevented from logging on at the computer. This
policy setting supersedes the Log on locally policy setting if an account is
subject to both policies.

This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.

By default, there are no accounts denied the ability to log on locally.

--
Gary Mudgett, MCSE, MCSA
Windows 2000 Directory Services
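The two settings Tim and Gary describe are evaluated against the SIDs in a logon token, with any "Deny logon locally" hit winning over any "Log on locally" hit. The following Python is an added example, not code from the thread or from Microsoft: it reads the `[Privilege Rights]` section of a `secedit /export`-style INF (the right names `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight` and the BUILTIN SIDs are the real Windows identifiers; the INF text, the domain SID and the two tokens are constructed) and shows why a deny on a broad group such as Domain Users locks out administrators too, since every domain account carries Domain Users in its token, whereas an allow-list that grants the right only to Administrators denies everyone else without a deny entry at all.

```python
"""Effective 'Log on locally' decision from a secedit-style [Privilege Rights] export.

Added example: the INF text, the domain SID and the tokens are constructed;
the right names and the BUILTIN group SIDs are the real Windows identifiers.
"""
import re

ALLOW_RIGHT = "SeInteractiveLogonRight"      # "Log on locally"
DENY_RIGHT = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Well-known BUILTIN group SIDs (real values) and a constructed domain SID.
BUILTIN_ADMINS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"
BUILTIN_POWER_USERS = "S-1-5-32-547"
BUILTIN_BACKUP_OPS = "S-1-5-32-551"
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
DOMAIN_ADMINS = DOMAIN + "-512"
DOMAIN_USERS = DOMAIN + "-513"

# Constructed export in the "worked TOO well" shape: the workstation defaults
# are allowed, but Domain Users is denied.  Every domain account, administrators
# included, carries Domain Users in its token, so the deny wins for everyone.
BROAD_DENY_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{BUILTIN_ADMINS},*{BUILTIN_BACKUP_OPS},*{BUILTIN_POWER_USERS},*{BUILTIN_USERS},Guest
SeDenyInteractiveLogonRight = *{DOMAIN_USERS}
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export in allow-list shape: no deny entry, and only Administrators
# hold the right, so everyone else simply has no allow match.
ALLOW_ONLY_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{BUILTIN_ADMINS}
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section.
    secedit writes SIDs with a leading '*' and unresolved names bare; the '*' is
    stripped so the set can be intersected with a token's SID set."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def interactive_logon_allowed(rights, token_sids):
    """Decide console logon for a token (the user SID plus every group SID in it).
    Any hit in the deny list wins over any hit in the allow list, which is the
    precedence the policy description states."""
    deny_hits = token_sids & rights.get(DENY_RIGHT, set())
    if deny_hits:
        return False, "denied via " + ", ".join(sorted(deny_hits))
    allow_hits = token_sids & rights.get(ALLOW_RIGHT, set())
    if allow_hits:
        return True, "allowed via " + ", ".join(sorted(allow_hits))
    return False, "no matching allow entry"


# Constructed tokens.  On a member machine Domain Users is nested into
# BUILTIN\Users by default, so both SIDs appear; the admin token carries
# Domain Users as well because it is every domain account's primary group.
TOKENS = {
    "plain_user": {DOMAIN + "-1101", DOMAIN_USERS, BUILTIN_USERS},
    "domain_admin": {DOMAIN + "-500", DOMAIN_ADMINS, DOMAIN_USERS, BUILTIN_ADMINS, BUILTIN_USERS},
}


def effective_decisions(inf_text, tokens=TOKENS):
    """Map each token name to True/False for console logon under the given export."""
    rights = parse_privilege_rights(inf_text)
    return {name: interactive_logon_allowed(rights, sids)[0] for name, sids in tokens.items()}


if __name__ == "__main__":
    for label, inf in (("broad deny", BROAD_DENY_INF), ("allow-list", ALLOW_ONLY_INF)):
        rights = parse_privilege_rights(inf)
        for name, sids in TOKENS.items():
            ok, why = interactive_logon_allowed(rights, sids)
            print(f"{label:10} {name:13} {'ALLOW' if ok else 'DENY':5} ({why})")
```

Run against a real export (`secedit /export /cfg somefile.inf` on the target machine) by passing the file's text to `parse_privilege_rights` and the target account's actual group SIDs to `interactive_logon_allowed`; the allow-list shape is the safer way to reach "only administrators", because it cannot accidentally match the administrators' own tokens.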
 
David Reed

I seem to have this policy set correctly, but it just plain doesn't seem to
actually apply.

When I use GPRESULT from the CMD prompt, it doesn't show it as being
applied.

I have checked the "No Override" option.

Any idea what I might be missing?

Thanks,

David Reed
 
David Reed

I should also mention that the Group Policy actually WAS working once, in fact,
TOO well, because no one on the network suddenly could log in to even their
computers, except me. Ooops. I disabled the policy and used
c:\secedit /refreshpolicy machine_policy /enforce
and put it back. But now the policy doesn't work on MY computer (which is one
of only two computers in the "IT" OU...the other being my "Network
Administration" PC, which I also want the GP to apply to). But it doesn't seem
to apply to anything anymore.

It's like I applied it, then it worked, then I disabled it, and now I can't
"re-enable" it and make sure it only applies to the "IT" OU I want it to apply to.

Got any ideas?

David Reed
 
Gary Mudgett [MSFT]

It could be a permission issue now to the actual policy. The machine would
need to be a member of a group that still has Read and Apply Group Policy
permissions.

To see what is occurring when querying for the policies we would need a
userenv.log file from a machine it is supposed to apply to. That can be
enabled through the registry mentioned in the following article:
221833 How to Enable User Environment Debug Logging in Retail Builds of
Windows
http://support.microsoft.com/?id=221833

Gary
 
David Reed

Hi there,

Here is the log file from my Administrator machine, which is one of the PCs
the policy is supposed to apply to:
(btw...when I use GPRESULT, it does NOT show the GP as being applied either)

===
USERENV(b8.224) 14:58:11:287 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.24c) 14:58:18:823 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.24c) 14:58:21:351 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.230) 15:29:34:850 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.22c) 15:37:18:596 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.224) 15:53:31:187 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.220) 16:10:12:380 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.70) 16:28:07:210 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.228) 16:34:06:600 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.74) 17:17:34:305 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.21c) 20:27:48:596 ProcessGPOs: Extension Application Management
ProcessGroupPolicy failed, status 0x3.
USERENV(bc.228) 20:33:46:803 ProcessGPOs: Extension Application Management
ProcessGroupPolicy failed, status 0x3.
USERENV(bc.22c) 20:42:38:991 ProcessGPOs: Extension Application Management
ProcessGroupPolicy failed, status 0x3.
USERENV(bc.a4) 21:03:45:545 MyRegUnLoadKey: Hive unload for
S-1-5-21-842925246-507921405-725345543-1135_Classes failed due to open
registry key. Windows will try unloading the registry hive once a second
for the next 60 seconds (max).
USERENV(bc.a4) 21:04:45:791 MyRegUnLoadKey: Windows was not able to unload
the registry hive.
USERENV(bc.a4) 21:04:45:791 MyRegUnLoadKey: Failed to unmount hive 5
USERENV(bc.a4) 21:04:45:801 UnLoadClassHive: failed to unload classes key
with 5
USERENV(bc.a4) 21:04:45:811 DumpOpenRegistryHandle: 2 user registry Handles
leaked from
\Registry\User\S-1-5-21-842925246-507921405-725345543-1135_Classes
USERENV(bc.220) 21:06:36:819 ProcessGPOs: Extension Application Management
ProcessGroupPolicy failed, status 0x3.
USERENV(bc.228) 21:20:04:915 MyGetUserName: GetUserNameEx failed with 1326.
USERENV(bc.228) 21:20:05:706 MyGetUserName: GetUserNameEx failed with 1326.
USERENV(bc.228) 21:20:06:347 MyGetUserName: GetUserNameEx failed with 1326.
USERENV(bc.228) 21:20:07:188 MyGetUserName: GetUserNameEx failed with 1326.
USERENV(bc.228) 21:20:07:188 ProcessGPOs: MyGetUserName failed with 1326.
USERENV(bc.20c) 21:31:10:426 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.220) 21:39:36:865 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.23c) 21:50:13:024 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.220) 21:52:08:836 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.494) 21:56:41:140 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.228) 21:58:34:815 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.228) 22:17:51:835 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 22:24:21:966 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.23c) 00:22:22:046 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.208) 00:30:47:988 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 02:00:49:652 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 03:45:50:194 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 05:29:50:631 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 07:16:51:072 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 09:15:51:531 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 10:52:51:877 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.1f4) 11:33:52:063 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.74) 11:36:03:526 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.74) 13:30:21:237 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.214) 14:00:28:855 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.24c) 14:04:37:631 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.220) 14:08:17:736 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.4a0) 15:53:59:584 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.4a0) 17:40:00:823 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.210) 19:31:30:360 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.20c) 20:25:10:676 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 22:03:29:270 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 23:35:28:793 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 01:34:28:080 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 03:24:26:620 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 05:12:23:048 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 07:09:25:106 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.224) 09:05:02:491 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.74) 10:45:38:858 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.238) 12:34:53:544 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
===

David
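A userenv.log of this kind is easier to act on once the newsreader-wrapped entries are re-joined and grouped by what they indicate. The Python below is an added example, not something from the thread or from Microsoft: the sample lines are constructed in the shape of the log above (same OU name, a handful of entries), the two error-code names are the winerror.h meanings of the codes that appear (3 = ERROR_PATH_NOT_FOUND, 1326 = ERROR_LOGON_FAILURE), and the findings text states the standard check for each symptom, which for the repeated `EvaluateDeferredOUs ... cannot be accessed` entries is the computer account's Read permission on the OU and Read + Apply Group Policy on the GPO, the permission problem Gary suggested.

```python
"""Triage of userenv.log entries: re-join wrapped lines, then count the
symptoms worth acting on.  Added example with constructed sample lines."""
import re
from collections import Counter

# Constructed sample in the shape of the posted log (entries wrapped by the newsreader).
SAMPLE_LOG = """\
USERENV(b8.224) 14:58:11:287 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(b8.24c) 14:58:18:823 EvaluateDeferredOUs: Object
<OU=IT,OU=ADMINSYSTEMS,DC=mydomain,DC=com> cannot be accessed
USERENV(bc.21c) 20:27:48:596 ProcessGPOs: Extension Application Management
ProcessGroupPolicy failed, status 0x3.
USERENV(bc.228) 21:20:04:915 MyGetUserName: GetUserNameEx failed with 1326.
USERENV(bc.228) 21:20:07:188 ProcessGPOs: MyGetUserName failed with 1326.
"""

# Entry header: USERENV(pid.tid) HH:MM:SS:mmm Function: message
ENTRY_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)
OU_RE = re.compile(r"<(?P<dn>[^>]+)> cannot be accessed")
EXT_RE = re.compile(r"Extension (?P<ext>.+?) ProcessGroupPolicy failed")
CODE_RE = re.compile(r"(?:status|with)\s+(?P<code>0x[0-9A-Fa-f]+|\d+)\.?$")

# Win32 error codes present in the sample, named as in winerror.h.
WIN32_ERRORS = {3: "ERROR_PATH_NOT_FOUND", 1326: "ERROR_LOGON_FAILURE"}


def parse_userenv(text):
    """Return one dict per entry.  A line that does not start with USERENV( is
    the wrapped tail of the previous entry and is appended to its message."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            entries[-1]["msg"] += " " + line
    return entries


def _code_value(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def triage(entries):
    """Count unreadable OUs, failing client-side extensions and error codes, and
    turn each into a one-line finding with the check to perform."""
    unreadable_ous, failed_extensions, errors = Counter(), Counter(), Counter()
    for e in entries:
        ou = OU_RE.search(e["msg"])
        if e["func"] == "EvaluateDeferredOUs" and ou:
            unreadable_ous[ou.group("dn")] += 1
        ext = EXT_RE.search(e["msg"])
        if ext:
            failed_extensions[ext.group("ext")] += 1
        code = CODE_RE.search(e["msg"])
        if code:
            n = _code_value(code.group("code"))
            errors[WIN32_ERRORS.get(n, f"0x{n:x}")] += 1

    findings = []
    for dn, count in unreadable_ous.items():
        findings.append(f"{count}x unreadable OU {dn}: GPOs linked there are never "
                        "evaluated, so GPRESULT will not list them; check the computer "
                        "account's Read on the OU and Read + Apply Group Policy on the GPO")
    for ext, count in failed_extensions.items():
        findings.append(f"{count}x extension '{ext}' failed: unrelated to user rights, "
                        "but confirms the policy pass is not completing cleanly")
    for name, count in errors.items():
        findings.append(f"{count}x {name}")
    return {
        "unreadable_ous": dict(unreadable_ous),
        "failed_extensions": dict(failed_extensions),
        "errors": dict(errors),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(parse_userenv(SAMPLE_LOG))["findings"]:
        print(line)
```

Feed the real file's text to `parse_userenv` instead of `SAMPLE_LOG`; a non-zero `unreadable_ous` count for the OU the policy is linked to is the first thing to resolve, because nothing linked below an unreadable OU is ever applied.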
 