Skip to main content

Deny and allow workstation logons with Group Policy

One of the bigger challenges in some Active Directory environments is controlling who is allowed to log into workstations. By default, every user in AD automatically gets added to Domain Users. Domain Users is, once again by default, included in the local Users group on workstations when the workstations get added to AD. That means that unless you take action on either the user account or the computer configuration, any user account in your AD environment can log into any computer whether you want them to or not. If you’re in a smaller AD environment, this may not be a problem for you: you can go to the Account tab in Active Directory Users and Computers, click the “Log On To…” button and specify the computers the user is allowed to use.
However, in a larger environment, managing individual accounts can be very time consuming, especially if you have to manually specify computer names for every single user account that needs limited access. You can also run into other authentication problems using “Log On To…” if the account needs to access network resources.
The good news is that there is a Group Policy setting that works with every version of Windows that can be managed with Group Policy from Windows 2000 through Windows 8 that will solve this problem for you. These settings can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment.


Deny log on locally 

 The “Deny log on locally” specifies the users or groups that are not allowed to log into the local computer. This policy can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally.

 

 

In my example, I’ve created a special group just for user accounts that I don’t want logging into an OU of computers. However, you can use any AD group here. Just avoid default AD groups like Domain Users or any of the Admin groups if you don’t want to get locked out.

Allow log on locally

The “Allow log on locally” setting specifies the users or groups that are allowed to log into the local computer. This policy can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Allow log on locally.


In my example, I’ve included the local workstation Administrators group, Domain Admins, and an AD group called “Allow Computer Logons.” With this configuration, only user accounts that are members of the local Admins group on the computer or one of the two AD groups are allowed to log in. Just as a reference, here is the default configuration for Windows 7:



And here is the error message they will see on Windows Vista or 7 (the message is the same for both except for the OS name):

Tips

The Group Policy Management Console references Microsoft Knowledge Base article Q823659 for the Allow log on locally setting. Despite the old-style “Q” naming convention that is referenced, the article is fairly current and still applies to the newer versions of Windows. The KB article gives several examples of harmful configurations and a few more justifications for why you should consider using these two settings.
  • Here are a few things to keep in mind if you decide to implement these settings:
  • DO NOT apply them to Domain Controllers.
  • DO NOT put the settings into either of the default GPO’s for Default Domain Policy or Default Domain Controllers Policy.
  • Deny trumps allow. If a user is in both Allow log on locally and Deny log on locally, Deny always wins.
  • Be on the lookout for software that creates local service accounts that need to be included in Allow Log on Locally. VMware Workstation and VMware Player have functionality that will not work unless the service account they create is included in Allow Log on Locally.
  • Only apply these settings to sub-sets of computers and not the entire Domain.

Comments

  1. Active Directory Group Policy Management4 February 2020 at 03:27

    Thanks for sharing Active Directory Group Policy Management tips. for more info i rfer cion systems Active Directory Group Policy Management in USA.

    ReplyDelete

Post a Comment

Popular posts from this blog

Bridging Ethernet Connections - Ubuntu/Fedora

Installing bridge-utils Adept Search for bridge-utils and choose the drop-down arrow on the left. Choose "request install". Konsole: Enter this into Konsole: sudo apt-get update sudo apt-get install bridge-utils If you use sudo -i and enter your password, then you will not have to use sudo before each command. It may also save you some typing in the future. Setting up the Bridge Ensure that both (or all) of your interfaces are installed and enabled. If they are then you may proceed at this point. For a few moments, if your computer is connected to the internet then it will be disconnected until a certain point is reached. Open Konsole and use the following commands. Note that when interfaces are referenced, they refer to device names assigned by linux such as "eth0" and "eth1". Also note that myBridge is the name of the bridge that you wish to have. This can be anything, but a simple name like bridge0 or bridge1 is s...
Post a Comment
Read more

What are the few major differences between 2003,2008 & 2012

2003-IIS 6.0 2008- IIS 7.0 2008R2- IIS-7.5 2012-IIS 8 ---------------------- 2003-32 AND 64 BIT AVAILABLE 2008-32AND 64BIT AVAILABLE 2008R2- ONLY 64BIT AVAILABLE 2012 - ONLY 64 BIT AVAILABLE ------------------------------------------ 2003 KERNAL VER. -5.2 2008 KERNEL-6.0 2008 R2-6.1 2012-6.2 ------------------------------------------ 2003- IE VERSION 6.0 2008- IE VERSION 7.0 2008 R2 IE VERSION 8.0 2012 IE VERSION 10.0 2012 R2 IE VERSION 11.0 ----------------------- 2003- AD ADMINISTRATIVE CENTER NOT AVAILABLE 2008- NOT AVAILABLE 2008 R2- AVAILABLE 2012- AVAILABLE -------------------------------------
Post a Comment
Read more

Microsoft Active Directory

> What Intrasite and Intersite Replication? Intrasite is the replication within the same site & intersite the replication between sites. > What is lost & found folder in ADS? It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find the OU then it will put that in Lost & Found Folder. > What is Garbage collection? Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours. > What System State data contains? Contains Startup files, Registry Com + Registration Database Memory Page file System files AD information Cluster Service information SYSVOL Folder >What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS ser...
Post a Comment
Read more