Yes, but isn't this type of policy applied computer objects only? If this is the case, I would have to apply it to all Domain Computers? And what about trusted computers? -Devon From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: Monday, February 11, 2008 11:08 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Prohibit 'Log On To' via GPO? Using the "deny local logon" setting is probably your best option. Create a generic group for your domain named something like "Block Local Logon" and apply it via Group Policy. Then all you have to do from that point forward is nest any groups of users you want to prohibit from logging on inside of that group. If they most definitely will not require the ability to logon at some point in the future, this is the only way I can think of to do it quickly. Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harding, Devon Sent: Monday, February 11, 2008 10:03 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Prohibit 'Log On To' via GPO? That's what I want to do, but I want it based of group membership, so I wouldn't have to do it manually every time. Is this possible? -Devon From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of hans straat Sent: Saturday, February 09, 2008 3:45 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Prohibit 'Log On To' via GPO? Harding, I think you should configure Logonon only to this computer in his account and leave that blanc. Not sure if that would work but that is the quick solution that pops up in my mind. regards, Hans Straat www.datacrash.net ________________________________ Subject: [gptalk] Prohibit 'Log On To' via GPO? Date: Fri, 8 Feb 2008 17:40:38 -0500 From: dharding@xxxxxxxxxxxxxxxx To: gptalk@xxxxxxxxxxxxx; ActiveDir@xxxxxxxxxxxxxxxxxx Is it possible to prohibit a group of users from logging on to any computer in a domain and only have the ability to authenticate? We need this for our VPN consultants. Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469 ________________________________ This message is the property of Southern Wine & Spirits or its affiliates. It is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you. ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply).