Guest Matt
Posted April 17, 2008

OK, I have to admit, I'm no expert. But here is what I'm trying to do.

I have a 2003 solitary domain. It has a bunch of users. OK, so far so good. Well, I now have new XPe machines to add to this domain. The users of the XPe machines are a different class of user than the existing users. I want XPe users to log only into those machines, and the existing Domain Users to not be able to log into the new machines at all.

So here is what I thought would work. I created a new OU. Linked a new GPO to it. Inside the OU I have the new XPe test unit's Active Directory computer and a test user to log into this machine. Both the computer and user are members of a group called Sales Staff, and only that group.

Outside of the OU, where all the original users exist, I have another test user who belongs to Domain\Domain Users.

Now the GPO. I've drilled down to Computer Config -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. Here I have tried both changing the 'Deny Logon Locally' to 'Domain\Domain Users' and also setting 'Log On Locally' to 'Domain\Sales Staff'.

So far, I'm not getting any result. My test user that is part of Domain Users can still log in. I know the GPO is getting applied, as other changes I make seem to work just fine.

Anyone have any great ideas? Thanks so much for your time.

Matt
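One way to check what a machine actually ended up with for the two user rights named in the post above, as an added example that is not part of the original thread: parse the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS /cfg <file>` export and evaluate a user's group SIDs against it. The INF text, the domain SID, the Sales Staff RID 1105 and the per-user group lists are all constructed for illustration.

```python
"""Added example: evaluate local-logon rights from a secedit export (constructed data)."""
ALLOW = "SeInteractiveLogonRight"      # 'Log On Locally'
DENY = "SeDenyInteractiveLogonRight"   # 'Deny Logon Locally'

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DOMAIN_USERS = DOMAIN + "-513"         # well-known RID of Domain Users
SALES_STAFF = DOMAIN + "-1105"         # hypothetical RID for the Sales Staff group
BUILTIN_ADMINS, BUILTIN_USERS = "S-1-5-32-544", "S-1-5-32-545"

# Constructed exports: workstation-style defaults vs. the policy the post aims for.
DEFAULT_INF = f"""[Privilege Rights]
{ALLOW} = *{BUILTIN_ADMINS},*{BUILTIN_USERS}
[Version]
signature="$CHICAGO$"
"""
INTENDED_INF = f"""[Privilege Rights]
{ALLOW} = *{BUILTIN_ADMINS},*{SALES_STAFF}
{DENY} = *{DOMAIN_USERS}
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs or names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            entries = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
            rights[name.strip()] = entries
    return rights

def can_log_on_locally(rights, token_sids):
    """Deny is checked first; a match there overrides any allow entry."""
    token = set(token_sids)
    if token & rights.get(DENY, set()):
        return False
    return bool(token & rights.get(ALLOW, set()))

# Group SIDs carried by each constructed test user. Domain Users is a member of
# the local Users group on a domain-joined machine by default.
office_user = [DOMAIN_USERS, BUILTIN_USERS]
sales_user = [SALES_STAFF]
sales_user_still_in_domain_users = [SALES_STAFF, DOMAIN_USERS, BUILTIN_USERS]

if __name__ == "__main__":
    for label, inf in (("default", DEFAULT_INF), ("intended", INTENDED_INF)):
        r = parse_privilege_rights(inf)
        print(label, [can_log_on_locally(r, u) for u in
                      (office_user, sales_user, sales_user_still_in_domain_users)])
```

The third test user shows the caveat with the deny approach: an account that is in Sales Staff but also still in Domain Users is refused, because the deny entry wins.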
Guest Meinolf Weber
Posted April 17, 2008

Re: I need to deny 'Domain Users' from logging in.

Hello Matt,

So, for what reason do you add the workstations to the domain? When only local machine users should log on to them?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> ok, I have to admit, I'm no expert. But here is what I'm trying to
> do.
>
> I have a 2003 solitary domain. It has a bunch of users. ok, so far
> so good. Well I now have new XPe machines to add to this domain. the
> users of the XPe machines are a different class of user than the
> existing users. I want XPe users to log only into those machines, and
> the existing Domain Users to not be able to log into the new machines
> at all.
>
> so here is what i thought would work. i created a new OU. Linked a
> new GPO to it. inside the OU i have the new XPe test units active
> directory computer and a test user to log into this machine. both the
> computer and user are member of a group called Sales Staff. and only
> that group.
>
> outside of the OU, where all the original users exist, i have another
> test user who belongs to Domain\Domain Users.
>
> now the GPO. I've drilled down to Computer Config -> Windows Settings
> -> Security Settings -> Local Policies -> User Rights Assignment.
> here i have tried to both change the 'Deny Logon Locally' to
> 'Domain\Domain Users' and also try setting 'Log On Locally' to
> 'Domain\Sales Staff'.
>
> so far, I'm not getting any result. my test user that is part of
> Domain Users can still log in. I know the GPO is getting applied as
> other changes i make seem to work just fine.
>
> Anyone have any great ideas? thanks so much for your time.
>
> Matt
Guest Bill Grant
Posted April 17, 2008

Re: I need to deny 'Domain Users' from logging in.

I have to agree with Meinolf. Why did you try to add them to the domain in the first place? Why not leave them in a workgroup by themselves? They do not need to be in the domain just because they are on the same network.

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb6696d0d8ca6eef98042535@msnews.microsoft.com...
> Hello Matt,
>
> So, for what reason do you add the workstations to the domain? When only
> local machine users should log on to them?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> ok, I have to admit, I'm no expert. But here is what I'm trying to
>> do.
>>
>> I have a 2003 solitary domain. It has a bunch of users. ok, so far
>> so good. Well I now have new XPe machines to add to this domain. the
>> users of the XPe machines are a different class of user than the
>> existing users. I want XPe users to log only into those machines, and
>> the existing Domain Users to not be able to log into the new machines
>> at all.
>>
>> so here is what i thought would work. i created a new OU. Linked a
>> new GPO to it. inside the OU i have the new XPe test units active
>> directory computer and a test user to log into this machine. both the
>> computer and user are member of a group called Sales Staff. and only
>> that group.
>>
>> outside of the OU, where all the original users exist, i have another
>> test user who belongs to Domain\Domain Users.
>>
>> now the GPO. I've drilled down to Computer Config -> Windows Settings
>> -> Security Settings -> Local Policies -> User Rights Assignment.
>> here i have tried to both change the 'Deny Logon Locally' to
>> 'Domain\Domain Users' and also try setting 'Log On Locally' to
>> 'Domain\Sales Staff'.
>>
>> so far, I'm not getting any result. my test user that is part of
>> Domain Users can still log in. I know the GPO is getting applied as
>> other changes i make seem to work just fine.
>>
>> Anyone have any great ideas? thanks so much for your time.
>>
>> Matt
Guest Matt
Posted April 21, 2008

Re: I need to deny 'Domain Users' from logging in.

I need to have domain authentication for access to applications.

Any ideas? Thanks again.

"Meinolf Weber" wrote:
> Hello Matt,
>
> So, for what reason do you add the workstations to the domain? When only
> local machine users should logon to them?
>
> Best regards
>
> Meinolf Weber
Guest Bill Grant
Posted April 21, 2008

Re: I need to deny 'Domain Users' from logging in.

That is an entirely separate question. You are talking about users having access to resources. Users do not join domains. Machines join domains.

As an example, W98 machines cannot join AD domains. This does not prevent W98 users from accessing domain resources.

Put the machines in a workgroup which has the same name as your domain. Set up an account in AD for each user with the same username and password as the local account.

When a user does a local login, access to domain resources works because the credentials offered (i.e. workgroup/username/password) exactly match a valid account in AD.

"Matt" <Matt@discussions.microsoft.com> wrote in message news:88D14155-B851-482A-A360-4550347C6D6C@microsoft.com...
> I need to have domain authentication for access to applications.
>
> any ideas? Thanks again.
>
> "Meinolf Weber" wrote:
>
>> Hello Matt,
>>
>> So, for what reason do you add the workstations to the domain? When only
>> local machine users should logon to them?
>>
>> Best regards
>>
>> Meinolf Weber
Guest Matt
Posted April 22, 2008

Re: I need to deny 'Domain Users' from logging in.

Hrm, that's kind of interesting. Thanks for that explanation. That helps a lot.

"Bill Grant" wrote:
> That is an entirely separate question. You are talking about users having
> access to resources. Users do not join domains. Machines join domains.
>
> As an example, W98 machines cannot join AD domains. This does not
> prevent W98 users from accessing domain resources.
>
> Put the machines in a workgroup which has the same name as your domain.
> Set up an account in AD for each user with the same username and password as
> the local account.
>
> When a user does a local login, access to domain resources works because
> the credentials offered (ie workgroup/username/password) exactly match a
> valid account in AD.