I need to deny 'Domain Users' from logging in.

OK, I have to admit, I'm no expert. But here is what I'm trying to do.

I have a 2003 solitary domain. It has a bunch of users. OK, so far so
good. Well, I now have new XPe machines to add to this domain. The users of
the XPe machines are a different class of user than the existing users. I
want XPe users to log only into those machines, and the existing Domain Users
to not be able to log into the new machines at all.

So here is what I thought would work. I created a new OU. Linked a new GPO
to it. Inside the OU I have the new XPe test units Active Directory computer
and a test user to log into this machine. Both the computer and user are
members of a group called Sales Staff. And only that group.

Outside of the OU, where all the original users exist, I have another test
user who belongs to Domain\Domain Users.

Now the GPO. I've drilled down to Computer Config -> Windows Settings ->
Security Settings -> Local Policies -> User Rights Assignment. Here I have
tried to both change the 'Deny Logon Locally' to 'Domain\Domain Users' and
also try setting 'Log On Locally' to 'Domain\Sales Staff'.

So far, I'm not getting any result. My test user that is part of Domain
Users can still log in. I know the GPO is getting applied as other changes I
make seem to work just fine.

Anyone have any great ideas? Thanks so much for your time.

Matt
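
A way to check what the post above describes, as an added example that is not part of the original thread: this Python sketch parses the `[Privilege Rights]` section of a `secedit` user-rights export taken on the XPe machine and evaluates the two rights from the post against a user's group SIDs, with deny taking precedence over allow. The domain SID, the Sales Staff RID, the user RIDs and the sample export are all constructed for illustration.

```python
# Constructed sample: [Privilege Rights] as exported on the XPe machine with
#   secedit /export /areas USER_RIGHTS /cfg rights.inf
# (the real file is typically UTF-16; the domain SID and RIDs here are made up).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOM + "-513"    # well-known RID 513 = Domain Users
SALES_STAFF = DOM + "-1105"    # hypothetical RID for the Sales Staff group
SAMPLE_EXPORT = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{SALES_STAFF}
SeDenyInteractiveLogonRight = *{DOMAIN_USERS}
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; drop the marker for comparison.
            rights[name.strip()] = {
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            }
    return rights

def can_log_on_locally(rights, token_sids):
    """'Deny log on locally' overrides 'Log on locally'; no match means no logon."""
    token = set(token_sids)
    if rights.get("SeDenyInteractiveLogonRight", set()) & token:
        return False
    return bool(rights.get("SeInteractiveLogonRight", set()) & token)

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_EXPORT)
    tokens = {  # constructed user SIDs plus the group SIDs each would carry
        "existing user (Domain Users only)": [DOM + "-1201", DOMAIN_USERS],
        "sales user (Sales Staff only)": [DOM + "-1202", SALES_STAFF],
        "sales user also in Domain Users": [DOM + "-1203", DOMAIN_USERS, SALES_STAFF],
    }
    for who, sids in tokens.items():
        verdict = "allowed" if can_log_on_locally(rights, sids) else "blocked"
        print(f"{who}: {verdict}")
```

Comparing the export from the machine itself against the values set in the GPO shows whether the two rights actually reached it; the third constructed user shows that a deny entry for Domain Users also blocks a Sales Staff member who still carries that group.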
 
Re: I need to deny 'Domain Users' from logging in.

Hello Matt,

So, for what reason do you add the workstations to the domain? When only
local machine users should logon to them?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 
Re: I need to deny 'Domain Users' from logging in.

I have to agree with Meinolf. Why did you try to add them to the domain
in the first place? Why not leave them in a workgroup by themselves? They do
not need to be in the domain just because they are on the same network.

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6696d0d8ca6eef98042535@msnews.microsoft.com...
> Hello Matt,
>
> So, for what reason do you add the workstations to the domain? When only
> local machine users should logon to them?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Re: I need to deny 'Domain Users' from logging in.

I need to have domain authentication for access to applications.

Any ideas? Thanks again.



"Meinolf Weber" wrote:

> Hello Matt,
>
> So, for what reason do you add the workstations to the domain? When only
> local machine users should logon to them?
>
> Best regards
>
> Meinolf Weber
 
Re: I need to deny 'Domain Users' from logging in.

That is an entirely separate question. You are talking about users having
access to resources. Users do not join domains. Machines join domains.

As an example, W98 machines cannot join AD domains. This does not
prevent W98 users from accessing domain resources.

Put the machines in a workgroup which has the same name as your domain.
Set up an account in AD for each user with the same username and password as
the local account.

When a user does a local login, access to domain resources works because
the credentials offered (i.e. workgroup/username/password) exactly match a
valid account in AD.

"Matt" <Matt@discussions.microsoft.com> wrote in message
news:88D14155-B851-482A-A360-4550347C6D6C@microsoft.com...
> I need to have domain authentication for access to applications.
>
> any ideas? Thanks again.
>
>
>
> "Meinolf Weber" wrote:
>
>> Hello Matt,
>>
>> So, for what reason do you add the workstations to the domain? When only
>> local machine users should logon to them?
>>
>> Best regards
>>
>> Meinolf Weber
 
Re: I need to deny 'Domain Users' from logging in.

Hrm, that's kind of interesting. Thanks for that explanation. That helps a
lot.



"Bill Grant" wrote:

> That is an entirely separate question. You are talking about users having
> access to resources. Users do not join domains. Machines join domains.
>
> As an example, W98 machines cannot join AD domains. This does not
> prevent W98 users from accessing domain resources.
>
> Put the machines in a workgroup which has the same name as your domain.
> Set up an account in AD for each user with the same username and password as
> the local account.
>
> When a user does a local login, access to domain resources works because
> the credentials offered (ie workgroup/username/password) exactly match a
> valid account in AD.
>
 