[gptalk] Re: Prohibit 'Log On To' via GPO?

  • From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 11 Feb 2008 15:39:25 -0600

Well, you would look at "Deny access to this computer from the network"
but that would block more than just RPC. I could be wrong, but I don't
think you can limit RPC access based on group membership.

 

What, if anything, will these VPN-based consultants be accessing?

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Harding, Devon
Sent: Monday, February 11, 2008 3:16 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Prohibit 'Log On To' via GPO?

 

Gotcha!  And if I want to deny RPC access, what would I set?

 

-Devon 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Monday, February 11, 2008 11:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Prohibit 'Log On To' via GPO?

 

Yes it is. You're telling each computer what account(s) it should not
allow to logon locally. You would want to apply it to the entire domain
unless there are going to be a few computers where those users are
allowed to logon.

 

If the latter is the case, you might want to just look at configuring
each user account so that they can only logon to certain machines.  Or
you could also put "trusted" computers in a separate OU where you reverse
the policy so that they can logon.

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Harding, Devon
Sent: Monday, February 11, 2008 10:15 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Prohibit 'Log On To' via GPO?

 

Yes, but isn't this type of policy applied to computer objects only?  If
this is the case, I would have to apply it to all Domain Computers?  And
what about trusted computers?

 

-Devon 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Monday, February 11, 2008 11:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Prohibit 'Log On To' via GPO?

 

Using the "deny local logon" setting is probably your best option.
Create a generic group for your domain named something like "Block Local
Logon" and apply it via Group Policy.

 

Then all you have to do from that point forward is nest any groups of
users you want to prohibit from logging on inside of that group. If they
most definitely will not require the ability to logon at some point in
the future, this is the only way I can think of to do it quickly.

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Harding, Devon
Sent: Monday, February 11, 2008 10:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Prohibit 'Log On To' via GPO?

 

That's what I want to do, but I want it based on group membership, so I
wouldn't have to do it manually every time.  Is this possible?

 

-Devon 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of hans straat
Sent: Saturday, February 09, 2008 3:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Prohibit 'Log On To' via GPO?

 

Harding,
 
I think you should configure Logon only to this computer in his
account and leave that blank. Not sure if that would work but that is
the quick solution that pops up in my mind.
 
regards,
Hans Straat
www.datacrash.net




 

________________________________

Subject: [gptalk] Prohibit 'Log On To' via GPO?
Date: Fri, 8 Feb 2008 17:40:38 -0500
From: dharding@xxxxxxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx; ActiveDir@xxxxxxxxxxxxxxxxxx

Is it possible to prohibit a group of users from logging on to any
computer in a domain and only have the ability to authenticate?  We need
this for our VPN consultants.

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

 

 

________________________________

This message is the property of Southern Wine & Spirits or its
affiliates. It is intended only for the use of the individual or entity
to which it is addressed and may contain information that is non-public,
proprietary, privileged, confidential, and exempt from disclosure under
applicable law or may constitute as attorney work product. If you are
not the intended recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this communication is
strictly prohibited. If you have received this communication in error,
notify us immediately by telephone and (i) destroy this message if a
facsimile or (ii) delete this message immediately if this is an
electronic communication. 
Thank you. 

________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply).
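
Added example (not part of the original thread or any poster's code): a PowerShell check, run from an elevated prompt on a domain member, of whether the "Deny log on locally" and "Deny access to this computer from the network" rights discussed above actually list a given group on that machine. The group name CONTOSO\Block Local Logon is a placeholder assumption; substitute your own.

```powershell
# Added example: verify that the deny-logon rights from the thread are in
# effect on THIS computer for a given group.
# 'CONTOSO\Block Local Logon' is a hypothetical placeholder group name.
param(
    [string]$GroupName = 'CONTOSO\Block Local Logon'
)

# Resolve the group to its SID; secedit writes domain principals as *S-1-5-...
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area; /mergedpolicy merges domain and local policy.
$cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
secedit /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Parse lines such as: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
$rights = @{}
try {
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $key = $Matches[1]
            $rights[$key] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
}
finally {
    # The export describes the machine's security policy; do not leave it behind.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Privilege constants behind the two settings named in the thread.
$checks = [ordered]@{
    'Deny log on locally'                           = 'SeDenyInteractiveLogonRight'
    'Deny access to this computer from the network' = 'SeDenyNetworkLogonRight'
}
foreach ($setting in $checks.Keys) {
    [pscustomobject]@{
        Setting = $setting
        Right   = $checks[$setting]
        Group   = $GroupName
        Applied = @($rights[$checks[$setting]]) -contains $sid
    }
}
```

Only the top-level group needs to appear in the right: groups nested inside it are covered through the user's logon token, which is what makes the nesting approach from the thread work.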

 
