I need to deny 'Domain Users' from logging in.

[Guest Matt]

ok, I have to admit, I'm no expert. But here is what I'm trying to do.

 

I have a 2003 solitary domain. It has a bunch of users. ok, so far so

good. Well I now have new XPe machines to add to this domain. the users of

the XPe machines are a different class of user than the existing users. I

want XPe users to log only into those machines, and the existing Domain Users

to not be able to long into the new machines at all.

 

so here is what i thought would work. i created a new OU. Linked a new GPO

to it. inside the OU i have the new XPe test units active directory computer

and a test user to log into this machine. both the computer and user are

member of a group called Sales Staff. and only that group.

 

outside of the OU, where all the original users exist, i have another test

user who belongs to Domain\Domain Users.

 

 

now the GPO. I've drilled down to Computer Config -> Windows Settings ->

Security Settings -> Local Policies -> User Rights Assignment. here i have

tried to both change the 'Deny Logon Locally' to 'Domain\Domain Users' and

also try setting 'Log On Locally' to 'Domain\Sales Staff'.

 

so far, I'm not getting any result. my test user that is part of Domain

Users can still log in. I know the GPO is getting applied as other changes i

make seem to work just fine.

 

Anyone have any great ideas? thanks so much for your time.

 

Matt

[Guest Meinolf Weber]

Re: I need to deny 'Domain Users' from logging in.

 

Hello Matt,

 

So, for what reason do you add the workstations to the domain? When only

local machine users should logon to them?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> ok, I have to admit, I'm no expert. But here is what I'm trying to

> do.

>

> I have a 2003 solitary domain. It has a bunch of users. ok, so far

> so good. Well I now have new XPe machines to add to this domain. the

> users of the XPe machines are a different class of user than the

> existing users. I want XPe users to log only into those machines, and

> the existing Domain Users to not be able to long into the new machines

> at all.

>

> so here is what i thought would work. i created a new OU. Linked a

> new GPO to it. inside the OU i have the new XPe test units active

> directory computer and a test user to log into this machine. both the

> computer and user are member of a group called Sales Staff. and only

> that group.

>

> outside of the OU, where all the original users exist, i have another

> test user who belongs to Domain\Domain Users.

>

> now the GPO. I've drilled down to Computer Config -> Windows Settings

> -> Security Settings -> Local Policies -> User Rights Assignment.

> here i have tried to both change the 'Deny Logon Locally' to

> 'Domain\Domain Users' and also try setting 'Log On Locally' to

> 'Domain\Sales Staff'.

>

> so far, I'm not getting any result. my test user that is part of

> Domain Users can still log in. I know the GPO is getting applied as

> other changes i make seem to work just fine.

>

> Anyone have any great ideas? thanks so much for your time.

>

> Matt

>

[Guest Bill Grant]

Re: I need to deny 'Domain Users' from logging in.

 

I have to agree with Meinolf. Why did you try to add them to the domain

in the first place? Why not leave them in a workgroup by themselves? They do

not need to be in the domain just because they are on the same network.

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb6696d0d8ca6eef98042535@msnews.microsoft.com...

> Hello Matt,

>

> So, for what reason do you add the workstations to the domain? When only

> local machine users should logon to them?

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and

> confers no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

>> ok, I have to admit, I'm no expert. But here is what I'm trying to

>> do.

>>

>> I have a 2003 solitary domain. It has a bunch of users. ok, so far

>> so good. Well I now have new XPe machines to add to this domain. the

>> users of the XPe machines are a different class of user than the

>> existing users. I want XPe users to log only into those machines, and

>> the existing Domain Users to not be able to long into the new machines

>> at all.

>>

>> so here is what i thought would work. i created a new OU. Linked a

>> new GPO to it. inside the OU i have the new XPe test units active

>> directory computer and a test user to log into this machine. both the

>> computer and user are member of a group called Sales Staff. and only

>> that group.

>>

>> outside of the OU, where all the original users exist, i have another

>> test user who belongs to Domain\Domain Users.

>>

>> now the GPO. I've drilled down to Computer Config -> Windows Settings

>> -> Security Settings -> Local Policies -> User Rights Assignment.

>> here i have tried to both change the 'Deny Logon Locally' to

>> 'Domain\Domain Users' and also try setting 'Log On Locally' to

>> 'Domain\Sales Staff'.

>>

>> so far, I'm not getting any result. my test user that is part of

>> Domain Users can still log in. I know the GPO is getting applied as

>> other changes i make seem to work just fine.

>>

>> Anyone have any great ideas? thanks so much for your time.

>>

>> Matt

>>

>

>

[Guest Matt]

Re: I need to deny 'Domain Users' from logging in.

 

I need to have domain authentication for access to applications.

 

any ideas? Thanks again.

 

 

 

"Meinolf Weber" wrote:

> Hello Matt,

>

> So, for what reason do you add the workstations to the domain? When only

> local machine users should logon to them?

>

> Best regards

>

> Meinolf Weber

[Guest Bill Grant]

Re: I need to deny 'Domain Users' from logging in.

 

That is an entirely separate question. You are talking about users having

access to resources. Users do not join domains. Machines join domains.

 

As an example, W98 machines cannot join AD domains. This does not

prevent W98 users from accessing domain resources.

 

Put the machines in a workgroup which has the same name as your domain.

Set up an account in AD for each user with the same username and password as

the local account.

 

When a user does a local login, access to domain resources works because

the credentials offered (ie workgroup/username/password) exactly match a

valid account in AD.

 

"Matt" <Matt@discussions.microsoft.com> wrote in message

news:88D14155-B851-482A-A360-4550347C6D6C@microsoft.com...

>I need to have domain authentication for access to applications.

>

> any ideas? Thanks again.

>

>

>

> "Meinolf Weber" wrote:

>

>> Hello Matt,

>>

>> So, for what reason do you add the workstations to the domain? When only

>> local machine users should logon to them?

>>

>> Best regards

>>

>> Meinolf Weber

[Guest Matt]

Re: I need to deny 'Domain Users' from logging in.

 

hrm, thats kind of interesting. thanks for that explanation. that helps a

lot.

 

 

 

"Bill Grant" wrote:

> That is an entirely separate question. You are talking about users having

> access to resources. Users do not join domains. Machines join domains.

>

> As an example, W98 machines cannot join AD domains. This does not

> prevent W98 users from accessing domain resources.

>

> Put the machines in a workgroup which has the same name as your domain.

> Set up an account in AD for each user with the same username and password as

> the local account.

>

> When a user does a local login, access to domain resources works because

> the credentials offered (ie workgroup/username/password) exactly match a

> valid account in AD.

>