locking users out of all domain workstations

  • Thread starter Thread starter Blaqb0x
  • Start date Start date
B

Blaqb0x

Hi,

Is it possible to create a domain group whose users are NOT allowed to log
into any of the domain computers?

At the moment, I'm authenticating my email server to AD but, I don't want
some users to login to domain workstations.

Thanks.
 
You need to take control of the user login rights of each machine,
which potentially could be done with group policy.

If you have not done so already, taking control over (the positively
stated) logon user rights can be a daunting task in an already set up
environment. If you have however, then you are already stating
precisely what accounts can log into which machines in what way.

The alternative is to make use of the negetively stated login rights.
Now, you probably do not want to use Domain Users, unless you
are sure that each and every account that holds membership in
that group should be affected, but if you use a GPO to add some
domain group to the Deny local login user right, and/or the Deny
network login user right, then members of that custom group will
not be able to use the respective type of login with any computer
that is subjected to the GPO. One further issue however is that
when you do this you are completely taking over those Deny
user rights (things already in there, like Guest, Support....,
Asp.Net, etc.) get wiped out, and those are often unique per
computer.
 
Back
Top