Group Policy Restrict logon

I am trying to setup a group policy to restrict a particular person from logging into a machine in a different OU which is a different department. Both Users are in 2 different OUs I am trying to get a person from my Marketing OU to not be able to login to my HR OU computer. There is supposed to be some warning message that comes up but I am not seeing that error message. Does anyone know how to do this? I have done some research and I can't find anything to have this work.

Find more posts tagged with

Comments

Verities

Stop users logging into certain PC`s -with group policy - Techieshelp.com

[Deleted User]

It still is not working. My user account is still being able to login. What should the error message say when it is successful?

Deathmage

For starters, I may-be stating the obvious but I want to make sure, have you run a 'gpupdate /force' in a elevated command prompt to forcefully apply the GPO? - if you do this and it says it was successful without a failure in the user/computer policy I'd proceed to the next steps below.

What I would do is run the following on the local PC in question that you are trying restrict access and make a folder on the desktop called "Group Policy Results" and copy 'cmd' into the folder. Then open up 'cmd' and type the following command 'gpresult /h GPresults.txt' and press then press enter. I make this folder just so it's easier to find the txt file, if you do it with a normal command prompt the txt file would be found in the system32 folder inside of Windows.

The results of the group policy information for the PC will populate into the text file.

Additionally, if you want to see if the policy is applying I used Group Policy Modelling inside of GPM all the time and it helps to see if the GPO your attempting to apply does in-fact apply to the computer in question in a hypothetical sense. It's very helpful to test to see if it would apply once it's finished and need to be applied.

I got a feeling you might have the default domain policy conflict taking precedence over the GPO you've created since the default domain policy controls user permissions by default, the modelling tool will tell you this...

Lastly if your setting don't work just re-create it altogether by following these steps and engineer it to your needs; make sure that there is a OU in Active Directory that is called say "Restricted Desktops" and move the PC in question into that OU. Then make a Global Security group for the users you want to 'Allow log on locally' and called the group something like 'Allowed users on Client-Computer-X' then add the users you want to connect to the PC to this group.

Then make a GPO inside of the Restricted Desktop OU called something like I dunno " Allowed access for computer-X" and navigate to computer config > Policies > Windows Settings > Security Settings > Local Policies > User Rights > and find the field 'Allow log on locally' and add the Security group to this field and the administrators group, domain administrators and press apply. Once this is done make sure the Security filtering of the GPO is set to the Security Group you made. (NOTE: in some instances this may need to be authenticated users in the Security filtering) - if your trying to keep the GPO count low, you could add this to a top-level GPO already made, but again this is personal preference.

Once this is done GPM Modelling should successfully apply the GPO to the PC in question, if you still have a problem on the client you may need to remove the client from the domain by adding it to a 'workgroup', rebooting, and rejoining the network. If you want to get really **** blow away the local profile and delete the SID in the profilelist section in the local machine hive @ "local_machine\software\microsoft\windows NT\current version\profilelist" of the users in question and then re-log into the network and re-create the profiles. Note if this is needed, make sure you move the 'Users' folder to a the root of C called 'Users.old' so you don't lose users data.

Now just to note, you can cater this to a deny or allow, I just used allow since both work in the same manner but allow to me is more defined. It's really just personal preference, the concept can be reversed engineering either way.

Post your results here if you need help and I'm sure someone here can provide feedback.

devils_haircut

I use the "Deny Logon Locally" policy in my school district to prevent high school or middle school students from using our generic login account that we have for the elementary students. I just created the GPO with the "Deny Logon Locally" setting, applied it to the relevant OU, and waited for the group policy settings to update (or used gpupdate /force on my test machine).

If it's working correctly, the user should see an error message at the login screen (can't remember exactly what it says).

[Deleted User]

That is the problem though. All my other policies have been applied successfully but this one won't. I will try re-binding it from the domain and back on again. Nope nothing happened. Damn I went through a lot of these options with my system administrator at my university and he is not sure as to what the problem is with this either.

devils_haircut

What deathmage said about the default domain policy overriding it might be the case. I had issues at first when I attempted to apply this policy in my school district, and it turned out there was already the "Deny Logon Locally" policy applied through the Default Domain Policy, which was causing problems with the separate policy that I had created to apply the same setting.

I'm not really a GPO master, so hopefully someone else can chime in. I'm more of a networking/Linux guy.

JBrown

kMastaFlash wrote: »

That is the problem though. All my other policies have been applied successfully but this one won't. I will try re-binding it from the domain and back on again. Nope nothing happened. Damn I went through a lot of these options with my system administrator at my university and he is not sure as to what the problem is with this either.

"gpresult /H GP.html" <-- will show the policies being applied/visible or not applied
pull the results via "gpresult /z | more" and see which setting / GP overwrites it. do it as an admin, AND then as a target user.

Btw, are you creating a user or computer policy ? because devils_haircut suggestion must have definitely worked.
PM me if anything, we will go over the settings.