Deny Log on Locally to some accounts through GPO
We have several accounts which do not run as services but are used to enable applications to authenticate users or to pull users from AD. Since last week I have noticed that some users who have access to these particular accounts are logging on to the server with the help of these application accounts.
So obviously I tried restricting them from doing this by creating an OU "Application Accounts" and putting all the application accounts in this OU. I also created a new GPO named "Disable RDP Application Accounts" and modified settings in order to prevent logging on using the application accounts. In the GPO, I set:
Deny log on locally
Deny log on through Terminal Services
But still the users are able to log in to the server using those accounts. Any idea what I am missing, or how we can restrict them? For more information, the following is the gpresult output:
Quote:
C:\Documents and Settings\svc_exch>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 11/7/2008 at 11:28:05 AM
RSOP results for ROOT\svc_exch on ROOTCLIENT1 : Logging Mode
-------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: ROOT
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\svc_exch
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=ROOTCLIENT1,OU=WPA Computers,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:25 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
WiFi Protected Access
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
ROOTCLIENT1$
Domain Computers
USER SETTINGS
--------------
CN=svc_exch,OU=Application Accounts,DC=root,DC=local
Last time Group Policy was applied: 11/7/2008 at 11:27:28 AM
Group Policy was applied from: rootdc1.root.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
If you notice, under User Settings it says:
" The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable RDP Application Accounts
Filtering: Not Applied (Empty)"
Re: Deny Log on Locally to some accounts through GPO
Hello Hutchence, let me tell you that both GP settings you have provided above are part of the computer configuration only, not the user configuration. Hence you will need to modify the same and link it to the OU where the target computer accounts reside instead of the "Application Accounts" users OU. Let me know if you need any more help.
Re: Deny Log on Locally to some accounts through GPO
Thank you very much for the help, friend. I have set the policy under computer settings, but it is still saying:
Quote:
Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
Default: None.
Important:
If you apply this security policy to the Everyone group, no one will be able to log on locally.
Deny log on through Terminal Services
This security setting determines which users and groups are prohibited from logging on as a Terminal Services client.
Default: None.
Important:
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Hence, unlike you, I think the policies are applied to users and not computers. I'm not debating, just putting forward my guess according to the situation. So if I consider your words correct and apply these policies to the computers, that does not make sense to me.
Re: Deny Log on Locally to some accounts through GPO
In order to make the GPO take effect on the system, you will need to specify the target user accounts as part of the individual GP settings. I think you have already done this. Another thing you need to do is link the GPO containing these settings to an OU where the target computer accounts reside. I think this is yet to be done, and hence you are facing the error.
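As an added example (not code posted by anyone in this thread), here is the fix the two replies describe, done with the GroupPolicy PowerShell module: move the GPO link from the service-account OU to the OU that holds the computer accounts, check that the GPO really carries computer-side settings, read back which accounts the two deny rights name, and then confirm on the server itself that the rights are in effect. The GPO name and the "OU=Application Accounts,DC=root,DC=local" OU are taken from the thread; the computers OU "OU=Member Servers,DC=root,DC=local" and the two function names are assumptions made for this example.

```powershell
# Added example, not code from this thread.
# From the thread: GPO "Disable RDP Application Accounts" and the
# "OU=Application Accounts,DC=root,DC=local" OU holding the service accounts.
# Assumption (hypothetical): the servers the accounts must not log on to
# live in "OU=Member Servers,DC=root,DC=local".
# Set-DenyLogonGpoLink runs where the GroupPolicy module is installed
# (RSAT / Windows Server 2008 R2 or later); Test-DenyLogonApplied runs on
# the target server.
Import-Module GroupPolicy

$GpoName     = 'Disable RDP Application Accounts'
$UsersOU     = 'OU=Application Accounts,DC=root,DC=local'  # linked here now: no effect
$ComputersOU = 'OU=Member Servers,DC=root,DC=local'        # assumed: where the servers are

function Set-DenyLogonGpoLink {
    # 1. "Deny log on locally" and "Deny log on through Terminal Services" are
    #    Computer Configuration settings (Windows Settings > Security Settings >
    #    Local Policies > User Rights Assignment). The computer being logged on
    #    to evaluates them, so the GPO must be linked where the COMPUTER accounts
    #    are. Drop the link on the users OU and link the computers OU instead.
    Remove-GPLink -Name $GpoName -Target $UsersOU -ErrorAction SilentlyContinue
    New-GPLink -Name $GpoName -Target $ComputersOU -LinkEnabled Yes | Out-Null

    # 2. A GPO with only computer-side settings has a user-side version of 0,
    #    which is why gpresult listed it under USER SETTINGS as "Not Applied (Empty)".
    $gpo = Get-GPO -Name $GpoName
    '{0}: computer settings version {1}, user settings version {2}' -f `
        $gpo.DisplayName, $gpo.Computer.DSVersion, $gpo.User.DSVersion

    # 3. Read back which accounts the two deny rights name. The XML report is
    #    namespaced, so match on local-name() instead of fighting prefixes.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $wanted = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($right in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $name = $right.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($wanted -notcontains $name) { continue }
        $members = $right.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
            ForEach-Object { $_.InnerText }
        '{0} -> {1}' -f $name, ($members -join ', ')
    }
}

function Test-DenyLogonApplied {
    # 4. On the target server: refresh computer policy, then look at the
    #    effective local security policy. Deny rights never show up in
    #    'whoami /priv', so export the policy with secedit and search it.
    #    Expect lines like:  SeDenyInteractiveLogonRight = *S-1-5-21-...-1108
    gpupdate /target:computer /force | Out-Null
    $inf = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content $inf | Select-String -Pattern '^SeDeny(Interactive|RemoteInteractive)LogonRight'
    # The GPO must now be listed under COMPUTER SETTINGS, not USER SETTINGS.
    gpresult /r /scope computer
}

Set-DenyLogonGpoLink
# Test-DenyLogonApplied   # run this part on the server itself
```

Two points worth keeping in mind when reading the output of step 3: the deny rights must actually list the service accounts (or a group that contains them), and denying interactive and Terminal Services logon does not stop the same accounts from being used for network or service logon, which is what the applications need; it only closes the console and RDP paths the users were abusing. As the quoted help text says, never add Everyone to these rights.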