Default Domain Policy vs Deny GPO
We need to restrict a certain security group from accessing a particular Windows server through network, local logon, or terminal services.
We created a GPO, assigned that security group, and applied it to that particular server. When we ran RSOP from the server, we found that the security group is denied access as expected for deny logon through network, remote desktop services, and logon as a service, but deny logon locally is not updated with the security group, which has to be present in that setting; instead it has another security group.
When we investigated, we found that this deny logon locally setting is pushed to the server from the Default Domain Policy, which has only that group, not the security group whose access to this server we are trying to restrict.
How can we achieve this?