local admin w/o network rights

[pittspeed]

i made a post yesterday on how to implement a GPO for a 'desktop admin' that
could work on a local machine but have no network access.... since i've
followed the steps of creating the security group 'desktop admin' with local
admin rights.... then i added a user to the member of desktop admin...

then i went to my current administrator GPO and added the restricted user as
outlined in this responce

"For example, to add a domain group to the power users group (local
only):

Load a GPO and navigate to Computer Configuration\Windows Settings\Security
Settings\Restricted Groups

Right-click and choose add.

Enter Power Users (don't use Browse)

Double-click on Power Users (once it's been added) and add the new group
Desktop Admins to the 'Members of this group' section.

Upon policy refresh, the new group will be added to the local power users
groups on local PCs"

after a reboot and policy refresh my user has full network rights and is
wide open in all aspects. So i did something incorrectly, do you have any
suggestions?

i was thinking about it and created a new org. unit with a new GPO and did
the restricted user and still, the user has full blown rights. I'm
confused... any insight?

thanks in advance.

 

[Steven L Umbach]

To prevent a user from accessing computers over the network, add that user/group to
the "deny accessing this computer from the network" user right in security policy
under security settings/local policies/user rights. You could do that at the domain
or Organizational Unit level if you use OU's. Do not however do that in Domain
Controller Security Policy or in the Local Security Policy of domain controllers as
that user/group may not be able to logon to the domain then. --- Steve

 

[pittspeed]

Thanks Steve,

i'm going to try this today using OU's... i do have numerous Org Units...
thanks for the help!!!!