Preventing access for user objects

Guest

Here is my situation: Our developers in Human Resources have developed code to authenticate users logging onto their HR web site against Active Directory. They have asked that we create user accounts for everyone in the company, even though they do NOT need other network access and are not intended to access the network, so they can access web pages and be authenticated against Active Directory. This way they do not need to maintain their own user database. These users are all located in one OU. I am looking to allow these users to authenticate against AD, but not logon locally to any machine, access network shares, etc. I've tried restricting Logon To.. to <no computer> and to the servers hosting the web application they are logging into. Both prevent logon AND access to the web application.

As far as GPOs go, the best solution I can think of is to create a group called HRUsersOnly (or something) in the Computer Configuration area and apply to all computers on the network (except maybe the Domain Controllers).
ENABLE - Deny access this computer from the network
ENABLE - Deny logon as a service
ENABLE - Deny logon locally

Any other ideas or feedback on this idea? Also, account administrators are getting into this OU and modifying group memberships, adding email addresses, etc. I've got to tighten security on these users. Please help

Thanks
Jeff
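An added example (not code from the thread) of the two halves of Jeff's plan: populating the HRUsersOnly group from the HR-only OU, then checking on a computer the GPO applies to that the three Deny rights really contain the group's SID. It assumes the RSAT ActiveDirectory module, an elevated session on a domain-joined machine, and a placeholder OU path; the GPO itself is created and linked separately, scoped so it does not cover the machines where the web application actually validates credentials.

```powershell
# Added example, not from the thread. Placeholders: the OU path below.
Import-Module ActiveDirectory

$ouPath    = 'OU=HRWebUsers,DC=example,DC=com'   # placeholder OU
$groupName = 'HRUsersOnly'

# 1. Create the group if it is missing and fill it from the OU.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global `
        -GroupCategory Security -Path $ouPath -PassThru
}
$users = Get-ADUser -Filter * -SearchBase $ouPath -SearchScope OneLevel
if ($users) { Add-ADGroupMember -Identity $group -Members $users }
$sid = $group.SID.Value

# 2. On a computer the GPO applies to (after gpupdate), export the
#    effective user rights and confirm each Deny right lists the group SID.
#    secedit writes rights as: SeDenyNetworkLogonRight = *S-1-5-...,*S-1-5-...
$cfg = Join-Path $env:TEMP 'ura.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

$expected = @{
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
    'SeDenyServiceLogonRight'     = 'Deny log on as a service'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
}
foreach ($right in $expected.Keys) {
    $line = $lines | Where-Object { $_ -like "$right*" }
    $sids = if ($line) {
        ($line -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    } else { @() }
    $status = if ($sids -contains $sid) { 'OK' } else { 'MISSING' }
    '{0,-48} {1}' -f $expected[$right], $status
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A right reported MISSING on a machine that should be covered points at GPO scoping or filtering rather than at the group itself.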
 
Tomasz Onyszko

Jeff said:
Here is my situation: Our developers in Human Resources have developed code to authenticate users logging onto their HR web site against Active Directory. They have asked that we create user accounts for everyone in the company, even though they do NOT need other network access and are not intended to access the network, so they can access web pages and be authenticated against Active Directory. This way they do not need to maintain their own user database. These users are all located in one OU. I am looking to allow these users to authenticate against AD, but not logon locally to any machine, access network shares, etc. I've tried restricting Logon To.. to <no computer> and to the servers hosting the web application they are logging into. Both prevent logon AND access to the web application.

As far as GPOs go, the best solution I can think of is to create a group called HRUsersOnly (or something) in the Computer Configuration area and apply to all computers on the network (except maybe the Domain Controllers).
ENABLE - Deny access this computer from the network
ENABLE - Deny logon as a service
ENABLE - Deny logon locally

Any other ideas or feedback on this idea? Also, account administrators are getting into this OU and modifying group memberships, adding email addresses, etc. I've got to tighten security on these users. Please help!

OK, maybe some other way to maintain the accounts database - for such solutions, ADAM is the best thing you can use. Creating user objects only for authenticating users on the web is in my opinion not a good thing - a user is a security principal - so if he or she doesn't use any other resources, why give them a proper user account?
 
