Disabling Interactive Login

Archived from groups: microsoft.public.win2000.security (More info?)

We've been working on an in-house application that works through an portal.
Users who log-in through this portal use LDAP to authenticate through Active
Directory.

Is is possible to make these logins disabled from being able to
Interactively Login to a desktop machine on the domain..?

If so which method would be the best way..? Using Group Policies or is there
a better option within Active Directory.

Thanks,

Archived from groups: microsoft.public.win2000.security (More info?)

Is it possible to create this sort of a policy and apply it only to a Group
of users rather than to a whole Domain..? My biggest concern is applying a
policy that will lock all users down, this is only required for users in a
specific OU

"Steven L Umbach" wrote:

> You can configure security policy which is a subset of Group Policy to
> modify user rights for logon locally or deny logon locally. For instance
> you could create a global group and add it to the deny logon locally user
> right via Group Policy to all computers in a domain or Organizational Unit.
> Be careful with deny user rights as they override the companion allow user
> right and keep in mind that administrators are members of users,
> authenticated users, and everyone groups. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> > We've been working on an in-house application that works through an
> > portal.
> > Users who log-in through this portal use LDAP to authenticate through
> > Active
> > Directory.
> >
> > Is is possible to make these logins disabled from being able to
> > Interactively Login to a desktop machine on the domain..?
> >
> > If so which method would be the best way..? Using Group Policies or is
> > there
> > a better option within Active Directory.
> >
> > Thanks,
>
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

Is there a website that discribes how to create this Security Policy within a
Group Policy..? I've created a Group Policy within the OU, but I haven't been
able to find out how to apply the "deny logon locally user right".. Thanks

"Steven L Umbach" wrote:

> Sure. Create the global group you want to deny access to, add the users to
> the group, and then give this group deny logon locally user right to the
> computers you do not want them to logon to interactively which can be done
> via Group Policy at the domain or OU level. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> > Is it possible to create this sort of a policy and apply it only to a
> > Group
> > of users rather than to a whole Domain..? My biggest concern is applying a
> > policy that will lock all users down, this is only required for users in a
> > specific OU
> >
> > "Steven L Umbach" wrote:
> >
> >> You can configure security policy which is a subset of Group Policy to
> >> modify user rights for logon locally or deny logon locally. For instance
> >> you could create a global group and add it to the deny logon locally user
> >> right via Group Policy to all computers in a domain or Organizational
> >> Unit.
> >> Be careful with deny user rights as they override the companion allow
> >> user
> >> right and keep in mind that administrators are members of users,
> >> authenticated users, and everyone groups. --- Steve
> >>
> >>
> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> >> > We've been working on an in-house application that works through an
> >> > portal.
> >> > Users who log-in through this portal use LDAP to authenticate through
> >> > Active
> >> > Directory.
> >> >
> >> > Is is possible to make these logins disabled from being able to
> >> > Interactively Login to a desktop machine on the domain..?
> >> >
> >> > If so which method would be the best way..? Using Group Policies or is
> >> > there
> >> > a better option within Active Directory.
> >> >
> >> > Thanks,
> >>
> >>
> >>
>
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

Figured the reason it wasn't working was because in the Permission tab of the
Group Policy, Authenticated users didn't have the "Apply Policy" checked.
Used the policy and applied it against a Group and the Policy worked.. Note
for anyone else out there doing the same thing. Also remember to remove them
from having Terminal Services access and your pretty much right.

"Steven L Umbach" wrote:

> Open the Group Policy as an administrator and go to computer
> configuration/Windows settings/security settings/local policies/user rights
> and you can then configure user rights to your needs. --- Steve
>
>
> "-KK-" <KK@discussions.microsoft.com> wrote in message
> news:EA6B8703-0017-4F15-9CC1-8ABFFAE29C3A@microsoft.com...
> > Is there a website that discribes how to create this Security Policy
> > within a
> > Group Policy..? I've created a Group Policy within the OU, but I haven't
> > been
> > able to find out how to apply the "deny logon locally user right".. Thanks
> >
> > "Steven L Umbach" wrote:
> >
> >> Sure. Create the global group you want to deny access to, add the users
> >> to
> >> the group, and then give this group deny logon locally user right to the
> >> computers you do not want them to logon to interactively which can be
> >> done
> >> via Group Policy at the domain or OU level. --- Steve
> >>
> >>
> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> news:A0AD3551-4E6E-4896-A361-8A9B78F3507F@microsoft.com...
> >> > Is it possible to create this sort of a policy and apply it only to a
> >> > Group
> >> > of users rather than to a whole Domain..? My biggest concern is
> >> > applying a
> >> > policy that will lock all users down, this is only required for users
> >> > in a
> >> > specific OU
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> You can configure security policy which is a subset of Group Policy to
> >> >> modify user rights for logon locally or deny logon locally. For
> >> >> instance
> >> >> you could create a global group and add it to the deny logon locally
> >> >> user
> >> >> right via Group Policy to all computers in a domain or Organizational
> >> >> Unit.
> >> >> Be careful with deny user rights as they override the companion allow
> >> >> user
> >> >> right and keep in mind that administrators are members of users,
> >> >> authenticated users, and everyone groups. --- Steve
> >> >>
> >> >>
> >> >> "-KK-" <KK@discussions.microsoft.com> wrote in message
> >> >> news:14787456-9319-4E3E-9E6B-303C970534C7@microsoft.com...
> >> >> > We've been working on an in-house application that works through an
> >> >> > portal.
> >> >> > Users who log-in through this portal use LDAP to authenticate
> >> >> > through
> >> >> > Active
> >> >> > Directory.
> >> >> >
> >> >> > Is is possible to make these logins disabled from being able to
> >> >> > Interactively Login to a desktop machine on the domain..?
> >> >> >
> >> >> > If so which method would be the best way..? Using Group Policies or
> >> >> > is
> >> >> > there
> >> >> > a better option within Active Directory.
> >> >> >
> >> >> > Thanks,
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>