Table of Contents | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Overview
The AUSTIN-Deny Logon Settings GPO has been implemented at the request of the Information Security Office in order to control the following:
EID-based users without a current affiliation (which are members of the Domain Guests group) cannot logon to domain-joined computers by any means
Department Service accounts (which are members of the DEPT-Services group) and Service EIDs (which are members of the AUSTIN-EID-Services group) cannot logon to domain-joined computers locally or through remote desktop. Because services accounts generally do not require these rights, this reduces the threat of these accounts being misused.
There may be a scenario where a service account requires the local or remote desktop logon rightrights. The following processes can be used to override the AUSTIN-Deny Logon Settings GPO linked at austin.utexas.edu/Departments.
Short-Term/Quick Override
This short-term fix will revert to the previous behavior (before , when deny rights were only set for Domain Guests).
Link the following GPO to the appropriate OU(s):
AUSTIN-Deny Logon Settings - Domain Guests OnlyOnce group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.
Note |
---|
This should only be a short-term override, while you work in implementing a long-term override. |
Long-Term Override
This long-term fix will allow you to specify who should be able to log on locally. By default, the local Users group (which includes the Domain Users group by default) has the necessary right to logon locally.
You must have completed the Shortshort-Term term override first, which involves linking the following GPO to the appropriate OU(s):
AUSTIN-Deny Logon Settings - Domain Guests Only
To configure who can log on locally
Info |
---|
By default, log on locally right is allowed for Administrators, Backup Operators, Power Users, User, and Guest. |
Create a GPO with the following configuration:
Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups
Right-click and select New Local Group
Set Action to: Update
Set Group name to the following from the drop-down list: Users (built-in)
Check the Delete all member users box*
Check the Delete all member groups box*
Specify the member(s) that you want added to the group:
Under Members, click the Add button
Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box
When adding a domain suer or group, ensure that From this location is set to: austin.utexas.edu
Enter the name of a user or group
Click the Check Names button to resolve the user or group name
Click OK
Click OK
Panel | ||
---|---|---|
| ||
* Checking the boxes to remove all member users and all member groups will remove any other members of this group. |
To configure who can log on through Remote Desktop Services
Info |
---|
By default, log on through Remote Desktop Services is allowed for Administrators and Remote Desktop users. |
Create a GPO with the following configuration:
Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups
Right-click and select New Local Group
Set Action to: Update
Set Group name to the following from the drop-down list: Remote Desktop Users (built-in)
Check the Delete all member users box*
Check the Delete all member groups box*
Specify the member(s) that you want added to the group:
Under Members, click the Add button
Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box
When adding a domain suer or group, ensure that From this location is set to: austin.utexas.edu
Enter the name of a user or group
Click the Check Names button to resolve the user or group name
Click OK
Click OK
Panel |
---|
|
| |
* Checking the boxes to remove all member users and all member groups will remove any other members of this group. |