Question : Restrict logon with Group Policy

I have a Windows 2k domain with XP workstations.  I have one workstation that I want to restrict logon to one user, let's call him joe.  I would like to make this change on the server rather than on the client to make it easier to manage.
I created a new OU and placed the computer in that OU.  I then created a new group policy object for that OU and I defined the 'Log on Locally' to have just joe in the list.
I then went to the client machine and ran gpupdate and restarted.  I tried logging on with a different user (besides joe, and not an administrator) and it still let me log in.
I looked at the Local Security Policy on the client and it had inherited the correct settings from Active Directory - that is, Log On Locally had Administrators (which I guess is just thrown in by default) and Joe in the list.  I could tell that it had inherited because the icon was different and I was not able to update it.
So, even though only Administrators and Joe are in the list, it is still letting others log on.  The only way that I have found to keep other users out is to add them to the Deny Log On Locally but I don't want to use that because then I would have to modify that list every time I create a new user.
Also, I do not want to create a group that contains all users except Joe.

Answer : Restrict logon with Group Policy

Odd thing is, I just tried this on a 2k server and it worked fine, on an XP workstation it still allowed Domain Users in...
Anyone know why XP (and possibly 2k workstation) does this while server does not? (not a DC, just a standard server)

Isi