Guest
Here is my situation: Our developers in Human Resources have developed code to authenticate users logging onto their HR web site against Active Directory. They have asked that we create user accounts for everyone in the company, even though they do NOT need other network access and are not intended to access the network, so they can access web pages and be authenticated against Active Directory. This way they do not need to maintain their own user database. These users are all located in one OU. I am looking to allow these users to authenticate against AD, but not logon locally to any machine, access network shares, etc. I've tried restricted Logon To.. to <no computer> and to the servers hosting the web application they are logging into. Both prevent logon AND access to the web application.
As far as GPOs go, the best solution I can think of is to create a group called HRUsersOnly (or something) in the Computer Configuration area and apply to all computers on the network (except maybe the Domain Controllers).
ENABLE - Deny access this computer from the network
ENABLE - Deny logon as a service
ENABLE - Deny logon locally
Any other ideas or feedback on this idea? Also, account administrators are getting into this OU and modifying group memberships, adding email addresses, etc. I've got to tighten security on these users. Please help.
Thanks
Jeff