You can set Deny Logon Locally or you could set a policy that removes the
users ability to "logon Locally" . I've pasted information about the
settings below.
Deny logon locally
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
Description
Determines which users are prevented from logging on at the computer. This
policy setting supercedes the Log on locally policy setting if an account is
subject to both policies.
This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.
By default, there are no accounts denied the ability to logon locally.
Log on locally
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
Description
Determine which users can log on at the computer.
This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
a.. Workstations and Servers
a.. Administrators
b.. Backup Operators
c.. Power Users
d.. Users
e.. Guest
b.. Domain Controllers
a.. Account Operators
b.. Administrators
c.. Backup Operators
d.. Print Operators
Note
To allow a user to log on locally to a domain controller, you have to grant
this right by means of the Default Domain Controller GPO.
Related Policies
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
