Sign in with
Sign up | Sign in
Your question

Disabling Interactive Login

Last response: in Windows 2000/NT
Share
Anonymous
August 22, 2005 8:29:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

We've been working on an in-house application that works through an portal.
Users who log-in through this portal use LDAP to authenticate through Active
Directory.

Is is possible to make these logins disabled from being able to
Interactively Login to a desktop machine on the domain..?

If so which method would be the best way..? Using Group Policies or is there
a better option within Active Directory.

Thanks,
Anonymous
August 23, 2005 3:34:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You can configure security policy which is a subset of Group Policy to
modify user rights for logon locally or deny logon locally. For instance
you could create a global group and add it to the deny logon locally user
right via Group Policy to all computers in a domain or Organizational Unit.
Be careful with deny user rights as they override the companion allow user
right and keep in mind that administrators are members of users,
authenticated users, and everyone groups. --- Steve


"-KK-" <KK@discussions.microsoft.com> wrote in message
news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> We've been working on an in-house application that works through an
> portal.
> Users who log-in through this portal use LDAP to authenticate through
> Active
> Directory.
>
> Is is possible to make these logins disabled from being able to
> Interactively Login to a desktop machine on the domain..?
>
> If so which method would be the best way..? Using Group Policies or is
> there
> a better option within Active Directory.
>
> Thanks,
Anonymous
August 23, 2005 9:00:03 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Is it possible to create this sort of a policy and apply it only to a Group
of users rather than to a whole Domain..? My biggest concern is applying a
policy that will lock all users down, this is only required for users in a
specific OU

"Steven L Umbach" wrote:

> You can configure security policy which is a subset of Group Policy to
> modify user rights for logon locally or deny logon locally. For instance
> you could create a global group and add it to the deny logon locally user
> right via Group Policy to all computers in a domain or Organizational Unit.
> Be careful with deny user rights as they override the companion allow user
> right and keep in mind that administrators are members of users,
> authenticated users, and everyone groups. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> > We've been working on an in-house application that works through an
> > portal.
> > Users who log-in through this portal use LDAP to authenticate through
> > Active
> > Directory.
> >
> > Is is possible to make these logins disabled from being able to
> > Interactively Login to a desktop machine on the domain..?
> >
> > If so which method would be the best way..? Using Group Policies or is
> > there
> > a better option within Active Directory.
> >
> > Thanks,
>
>
>
Related resources
Anonymous
August 23, 2005 11:53:00 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Sure. Create the global group you want to deny access to, add the users to
the group, and then give this group deny logon locally user right to the
computers you do not want them to logon to interactively which can be done
via Group Policy at the domain or OU level. --- Steve


"-KK-" <KK@discussions.microsoft.com> wrote in message
news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> Is it possible to create this sort of a policy and apply it only to a
> Group
> of users rather than to a whole Domain..? My biggest concern is applying a
> policy that will lock all users down, this is only required for users in a
> specific OU
>
> "Steven L Umbach" wrote:
>
>> You can configure security policy which is a subset of Group Policy to
>> modify user rights for logon locally or deny logon locally. For instance
>> you could create a global group and add it to the deny logon locally user
>> right via Group Policy to all computers in a domain or Organizational
>> Unit.
>> Be careful with deny user rights as they override the companion allow
>> user
>> right and keep in mind that administrators are members of users,
>> authenticated users, and everyone groups. --- Steve
>>
>>
>> "-KK-" <KK@discussions.microsoft.com> wrote in message
>> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
>> > We've been working on an in-house application that works through an
>> > portal.
>> > Users who log-in through this portal use LDAP to authenticate through
>> > Active
>> > Directory.
>> >
>> > Is is possible to make these logins disabled from being able to
>> > Interactively Login to a desktop machine on the domain..?
>> >
>> > If so which method would be the best way..? Using Group Policies or is
>> > there
>> > a better option within Active Directory.
>> >
>> > Thanks,
>>
>>
>>
Anonymous
August 24, 2005 9:25:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Is there a website that discribes how to create this Security Policy within a
Group Policy..? I've created a Group Policy within the OU, but I haven't been
able to find out how to apply the "deny logon locally user right".. Thanks

"Steven L Umbach" wrote:

> Sure. Create the global group you want to deny access to, add the users to
> the group, and then give this group deny logon locally user right to the
> computers you do not want them to logon to interactively which can be done
> via Group Policy at the domain or OU level. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> > Is it possible to create this sort of a policy and apply it only to a
> > Group
> > of users rather than to a whole Domain..? My biggest concern is applying a
> > policy that will lock all users down, this is only required for users in a
> > specific OU
> >
> > "Steven L Umbach" wrote:
> >
> >> You can configure security policy which is a subset of Group Policy to
> >> modify user rights for logon locally or deny logon locally. For instance
> >> you could create a global group and add it to the deny logon locally user
> >> right via Group Policy to all computers in a domain or Organizational
> >> Unit.
> >> Be careful with deny user rights as they override the companion allow
> >> user
> >> right and keep in mind that administrators are members of users,
> >> authenticated users, and everyone groups. --- Steve
> >>
> >>
> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> >> > We've been working on an in-house application that works through an
> >> > portal.
> >> > Users who log-in through this portal use LDAP to authenticate through
> >> > Active
> >> > Directory.
> >> >
> >> > Is is possible to make these logins disabled from being able to
> >> > Interactively Login to a desktop machine on the domain..?
> >> >
> >> > If so which method would be the best way..? Using Group Policies or is
> >> > there
> >> > a better option within Active Directory.
> >> >
> >> > Thanks,
> >>
> >>
> >>
>
>
>
Anonymous
August 25, 2005 1:35:53 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Open the Group Policy as an administrator and go to computer
configuration/Windows settings/security settings/local policies/user rights
and you can then configure user rights to your needs. --- Steve


"-KK-" <KK@discussions.microsoft.com> wrote in message
news:EA6B8703-0017-4F15-9CC1-8ABFFAE29C3A@microsoft.com...
> Is there a website that discribes how to create this Security Policy
> within a
> Group Policy..? I've created a Group Policy within the OU, but I haven't
> been
> able to find out how to apply the "deny logon locally user right".. Thanks
>
> "Steven L Umbach" wrote:
>
>> Sure. Create the global group you want to deny access to, add the users
>> to
>> the group, and then give this group deny logon locally user right to the
>> computers you do not want them to logon to interactively which can be
>> done
>> via Group Policy at the domain or OU level. --- Steve
>>
>>
>> "-KK-" <KK@discussions.microsoft.com> wrote in message
>> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
>> > Is it possible to create this sort of a policy and apply it only to a
>> > Group
>> > of users rather than to a whole Domain..? My biggest concern is
>> > applying a
>> > policy that will lock all users down, this is only required for users
>> > in a
>> > specific OU
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> You can configure security policy which is a subset of Group Policy to
>> >> modify user rights for logon locally or deny logon locally. For
>> >> instance
>> >> you could create a global group and add it to the deny logon locally
>> >> user
>> >> right via Group Policy to all computers in a domain or Organizational
>> >> Unit.
>> >> Be careful with deny user rights as they override the companion allow
>> >> user
>> >> right and keep in mind that administrators are members of users,
>> >> authenticated users, and everyone groups. --- Steve
>> >>
>> >>
>> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
>> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
>> >> > We've been working on an in-house application that works through an
>> >> > portal.
>> >> > Users who log-in through this portal use LDAP to authenticate
>> >> > through
>> >> > Active
>> >> > Directory.
>> >> >
>> >> > Is is possible to make these logins disabled from being able to
>> >> > Interactively Login to a desktop machine on the domain..?
>> >> >
>> >> > If so which method would be the best way..? Using Group Policies or
>> >> > is
>> >> > there
>> >> > a better option within Active Directory.
>> >> >
>> >> > Thanks,
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
August 25, 2005 3:17:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Figured the reason it wasn't working was because in the Permission tab of the
Group Policy, Authenticated users didn't have the "Apply Policy" checked.
Used the policy and applied it against a Group and the Policy worked.. Note
for anyone else out there doing the same thing. Also remember to remove them
from having Terminal Services access and your pretty much right.

"Steven L Umbach" wrote:

> Open the Group Policy as an administrator and go to computer
> configuration/Windows settings/security settings/local policies/user rights
> and you can then configure user rights to your needs. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:EA6B8703-0017-4F15-9CC1-8ABFFAE29C3A@microsoft.com...
> > Is there a website that discribes how to create this Security Policy
> > within a
> > Group Policy..? I've created a Group Policy within the OU, but I haven't
> > been
> > able to find out how to apply the "deny logon locally user right".. Thanks
> >
> > "Steven L Umbach" wrote:
> >
> >> Sure. Create the global group you want to deny access to, add the users
> >> to
> >> the group, and then give this group deny logon locally user right to the
> >> computers you do not want them to logon to interactively which can be
> >> done
> >> via Group Policy at the domain or OU level. --- Steve
> >>
> >>
> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> >> > Is it possible to create this sort of a policy and apply it only to a
> >> > Group
> >> > of users rather than to a whole Domain..? My biggest concern is
> >> > applying a
> >> > policy that will lock all users down, this is only required for users
> >> > in a
> >> > specific OU
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> You can configure security policy which is a subset of Group Policy to
> >> >> modify user rights for logon locally or deny logon locally. For
> >> >> instance
> >> >> you could create a global group and add it to the deny logon locally
> >> >> user
> >> >> right via Group Policy to all computers in a domain or Organizational
> >> >> Unit.
> >> >> Be careful with deny user rights as they override the companion allow
> >> >> user
> >> >> right and keep in mind that administrators are members of users,
> >> >> authenticated users, and everyone groups. --- Steve
> >> >>
> >> >>
> >> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> >> >> > We've been working on an in-house application that works through an
> >> >> > portal.
> >> >> > Users who log-in through this portal use LDAP to authenticate
> >> >> > through
> >> >> > Active
> >> >> > Directory.
> >> >> >
> >> >> > Is is possible to make these logins disabled from being able to
> >> >> > Interactively Login to a desktop machine on the domain..?
> >> >> >
> >> >> > If so which method would be the best way..? Using Group Policies or
> >> >> > is
> >> >> > there
> >> >> > a better option within Active Directory.
> >> >> >
> >> >> > Thanks,
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
March 1, 2011 9:22:44 PM

If the Kiosk is added to the domain, you could also just apply the logon to rights under the user account to login to those specific machines. This way when they try to login anywhere else, they won't be able to.

Open AD Users and Computers, bring up the account name, go to Account, and then click on the Log On To button....

Just wanted to add this since it's another viable option that may help someone else looking up this issue
!