Local Security Policy


Posted

Hello all,

In regards to Local Security Policy, I want to only allow members of a domain local group the right to logon locally. In the Local Security Policy, there is a place where you can deny logon rights, but in a large environment this can take some time. Is there a way to limit successful access to certain groups, while also denying everyone else?

BTW, I’m not allowed another OU, so I have to do this through LSP.

Thanks for your time. :D


Posted
Hello all,

In regards to Local Security Policy, I want to only allow members of a domain local group the right to logon locally.  In the Local Security Policy, there is a place where you can deny logon rights, but in a large environment this can take some time.  Is there a way to limit successful access to certain groups, while also denying everyone else?

BTW, I’m not allowed another OU, so I have to do this through LSP.

Thanks for your time.  :D

Unless I'm misunderstanding the situation, you should be able to allow local logon under Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | User Rights Assignment | Logon Locally.

Hope it helps a little.

Posted (edited)

I understand that you can assign groups the 'allow logon locally' attribute; however, in regards to doing this with the least amount of admin effort :) - is there a way to say "Allow these two groups, and deny everyone else?"

Edited by msForum
Posted

You are concerned only with allowing locally? If so, simply allowing those two groups should deny (or at least not allow) everyone else.

Anyone else should get an error that they are not allowed to logon interactively.

Posted

I don't know if I am misunderstanding this or not.. I see everybody referencing the local policy but you could apply this same policy as a Domain Policy as opposed to the local policy?

Posted
I don't know if I am misunderstanding this or not.. I see everybody referencing the local policy but you could apply this same policy as a Domain Policy as opposed to the local policy?

This is a local logon concern - machine specific. In regards to your solution, that would be great if there was an implicit "Deny Anyone not in these groups", but there isn't to my knowledge - there is also no way of adding the "Everyone Group" to the Deny Logon locally setting. I suppose I could create a security group and add the Everyone Group to that, then deny to that group, but I'm not sure if that would then take precedence in regards to the people that are in the allowed group - given of course that Everyone is in the Everyone group :)
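
The user-rights model discussed in this thread, as an added example that is not from any poster: it parses the `[Privilege Rights]` section of a `secedit /export` file and evaluates who may log on locally, treating an explicit deny as taking precedence over an allow. The sample export, the function names and the `S-1-5-21-1111-2222-3333-*` domain SIDs are constructed placeholders.

```python
# Added example: evaluate "log on locally" from a secedit user-rights export.
# SAMPLE_INF and the S-1-5-21-1111-2222-3333-* SIDs are constructed placeholders.
ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-1106
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are comma separated; SIDs carry a leading '*', account names do not.
        rights[name.strip()] = {p.strip().lstrip("*").upper()
                                for p in value.split(",") if p.strip()}
    return rights

def can_log_on_locally(rights, token_sids):
    """token_sids: the user's own SID plus every group SID in the logon token."""
    token = {s.upper() for s in token_sids}
    if rights.get(DENY, set()) & token:
        return False                               # explicit deny wins over any allow
    return bool(rights.get(ALLOW, set()) & token)  # not listed means not allowed

def unexpected_allow_entries(rights, expected):
    """Principals holding the allow right that are outside the intended allowlist."""
    return rights.get(ALLOW, set()) - {s.upper() for s in expected}
```
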
