Prevent domain users from logging on locally (Win2000Server)

GM

Hello,

I have a very simple question:
"How can I prevent certain domain users from logging on locally to a
specific computer that is part of the domain?"

The specific PC (Win2000Pro) is on a Windows 2000 domain.

What domain policies should be changed, and how can this policy be
applied to the specific computer account?

Thanks,

Gaëtan Martens
 
Guest

How about a local security policy on that PC, preventing xyz group from logging on locally??
 
GM

Firmbyte said:
How about a local security policy on that PC, preventing xyz group from logging on locally??
I already tried it but it doesn't work since domain policies override
the local policies.
 
Steven L Umbach

Then you would need to put that computer in its own OU - possibly a child OU of
where it is now - and then create a new GPO for that OU and configure the "log on locally"
user right at that OU to meet your needs. --- Steve
 
GM

My computer is currently in a folder (a child of the domain root) called
"Computers" in Active Directory. So I created a new OU which is also a
child of the domain root in Active Directory (it is not possible to
create an OU that is a child of the folder "Computers") and made my PC a
member of this OU (I had to remove it first from "Computers").
I created a new Group Policy with the "log on locally" policy specifically
set for my account (and Administrators).

But when I attempt to log in, I get an error message: "The system cannot
log you on to this domain because the system's computer account in its
primary domain is missing or the password on that account is incorrect."
(I'm sure the password is correct.)

So I had to add my computer again to "Computers" and remove it from my
newly created OU, so I am back to zero.

What did I do wrong ?
 
Steven L Umbach

The OU has to be created in the same domain that your computer account exists in -
apparently the child domain. The error you mention indicates a problem with your
domain computer account and should have nothing to do with moving your computer into
a different OU in the same domain. OUs are simply boundaries for managing
policy/delegation and organizing users/computers. You may need to unjoin and rejoin
your computer to the domain to fix your computer account. --- Steve
 
GM

Yes, everything works now as I desired!
I just had to "move" the computer account (right-click on the computer
account in Active Directory and then choose Move) to the OU I created.

Thanks for your advice, Steven!
(Hmm, I probably could become a good system administrator :) )
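The procedure Steve outlines (dedicated OU, new GPO linked to it, "log on locally" user right set there) together with the step that fixed it (moving the existing computer account rather than deleting and recreating it), as an added example that is not code from the thread. It uses the ActiveDirectory and GroupPolicy RSAT modules in place of the Windows 2000 snap-ins; every name below (OU, computer, group, GPO) is an assumption for illustration. It sets "Deny log on locally" (SeDenyInteractiveLogonRight) rather than trimming the "Allow log on locally" list as the original poster did: a deny entry overrides an allow entry for the same account, which is the direct answer to "prevent certain users", and it cannot accidentally lock out everyone who was not listed.

```powershell
# Added example (not from the thread): restrict interactive logon on one domain computer
# via a dedicated OU and a GPO. Requires the ActiveDirectory and GroupPolicy modules (RSAT)
# and an account allowed to create OUs and GPOs. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain       = Get-ADDomain
$ouName       = 'RestrictedLogon'                 # assumed: new child OU of the domain root
$computerName = 'WS-ACCT-01'                      # assumed: the workstation to lock down
$deniedGroup  = 'Restricted-Workstation-Users'    # assumed: domain group that must not log on there
$gpoName      = "Deny interactive logon - $ouName"

# 1. Create the OU. The built-in "Computers" object is a container, not an OU: no GPO can be
#    linked to it and no child OU can be created under it, hence the new OU under the root.
$ouDN = "OU=$ouName,$($domain.DistinguishedName)"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Move the existing computer account (right-click > Move in the GUI). The object keeps its
#    SID and machine password, so the secure channel stays valid; no unjoin/rejoin is needed.
#    Deleting and re-creating the account is what breaks the trust the OP's error describes.
$computer = Get-ADComputer -Identity $computerName
if ($computer.DistinguishedName -notlike "*,$ouDN") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
}

# 3. Create the GPO and link it to the new OU only, so no other computer picks it up.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. User rights are not registry values, so Set-GPRegistryValue cannot set them; they live in
#    the GPO's security template in SYSVOL. SeDenyInteractiveLogonRight overrides any
#    SeInteractiveLogonRight (allow) entry for the same principal.
$sid      = (Get-ADGroup -Identity $deniedGroup).SID.Value
$gpoRoot  = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
$template = Join-Path $gpoRoot 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
New-Item -ItemType Directory -Path (Split-Path $template) -Force | Out-Null
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *{0}
'@ -f $sid | Set-Content -Path $template -Encoding Unicode

# 5. Register the Security client-side extension on the GPO and bump the version so clients
#    re-read it. The two GUIDs are the well-known Security CSE / snap-in pair. For a freshly
#    created GPO gPCMachineExtensionNames is empty; if the GPO already carries other
#    extensions, edit it in GPMC instead so the list keeps its required ordering.
$secCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$adGpo  = Get-ADObject -Identity $gpo.Path -Properties gPCMachineExtensionNames, versionNumber
$ext    = [string]$adGpo.gPCMachineExtensionNames
if ($ext -notmatch '827D319E-6EAC-11D2-A4EA-00C04F79F83A') { $ext = $ext + $secCse }
$newVersion = [int]$adGpo.versionNumber + 1          # low 16 bits = computer-side version
Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $ext; versionNumber = $newVersion }
Set-Content -Path (Join-Path $gpoRoot 'gpt.ini') -Value "[General]`r`nVersion=$newVersion" -Encoding Ascii

# 6. On the workstation: gpupdate /target:computer /force, then gpresult /scope:computer /v
#    and look for SeDenyInteractiveLogonRight under the applied user rights.
```

The deny right is the thing to check before you log off the test box: put only the group you intend to block in it, and confirm with gpresult that Administrators (or whatever break-glass account you rely on) is not a member of that group, because a deny entry takes effect regardless of any allow entry. Moving the computer into a new OU also changes which other GPOs apply to it, so compare the resultant set of policy before and after the move.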
 
