Overview

The AUSTIN-Deny Logon Settings GPO has been implemented at the request of the Information Security Office in order to control the following:

  • EID-based users without a current affiliation (which are members of the Domain Guests group) cannot log on to domain-joined computers by any means.

  • Department service accounts (which are members of the DEPT-Services group) cannot log on to domain-joined computers locally or through remote desktop. Because service accounts generally do not require these rights, this reduces the threat of these accounts being misused.

There may be a scenario where a service account requires the local or remote desktop logon rights. The following processes can be used to override the AUSTIN-Deny Logon Settings GPO linked at austin.utexas.edu/Departments.
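To confirm on a client what the GPO (or either override below) actually produced, the following script, added here as an example and not part of the original page, exports the local security policy with secedit and lists which principals hold each allow and deny logon right, flagging the two groups this page is about. It assumes AUSTIN is the domain's NetBIOS name (as in the AUSTIN\Domain Guests values later on this page) and that it runs in an elevated PowerShell session on the client after gpupdate /force.

```powershell
# Added example (not from the page): audit the effective logon-rights assignments
# on a domain-joined computer after group policy has applied.
# Assumptions: 'AUSTIN' is the domain NetBIOS name; group names come from the page.

$rightsOfInterest = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

# Export only the user-rights area of the local security policy to a temp INF file.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated session.' }

# [Privilege Rights] lines look like: SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...-514
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $assigned[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}
Remove-Item $inf -Force

function Resolve-Principal([string]$sidOrName) {
    # secedit writes SIDs; translate them to DOMAIN\Name where the SID still resolves.
    if ($sidOrName -like 'S-1-*') {
        try {
            return ([System.Security.Principal.SecurityIdentifier]$sidOrName).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { return $sidOrName }   # orphaned SID, show it raw
    }
    return $sidOrName
}

# The two groups whose logon rights this page controls.
$watch = @('AUSTIN\Domain Guests', 'AUSTIN\DEPT-Services')

foreach ($right in ($rightsOfInterest.Keys | Sort-Object)) {
    $members = @($assigned[$right] | ForEach-Object { Resolve-Principal $_ })
    '{0,-45} {1}' -f $rightsOfInterest[$right], $(if ($members) { $members -join ', ' } else { '(no one)' })

    if ($right -like 'SeDeny*') {
        foreach ($m in $members) {
            if ($watch -contains $m) { Write-Warning "$m is denied: $($rightsOfInterest[$right])" }
        }
    } elseif ($members.Count -eq 0) {
        # An empty Allow right means nobody, not even Administrators, can log on that way.
        Write-Warning "No one holds '$($rightsOfInterest[$right])' on this computer."
    }
}
```

A service account that is a member of DEPT-Services will appear in the Deny log on locally and Deny log on through Remote Desktop Services rows while the base GPO applies; after the short-term override only AUSTIN\Domain Guests should remain in the Deny rows.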

Short-Term/Quick Override

This short-term fix will revert to the previous behavior (before , when deny rights were only set for Domain Guests).

  1. Link the following GPO to the appropriate OU(s):
    AUSTIN-Deny Logon Settings - Domain Guests Only

  2. Once group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.

Note

This should only be a short-term override, while you work on implementing a long-term override.

Long-Term Override

Use one of the three overrides with a GPO to also populate Users group (probably) or specify allow logon locally with a dept group (once Alex decides how he wants to proceed)

This long-term fix will allow you to specify who should be able to log on locally. By default, the local Users group (which includes the Domain Users group by default) has the necessary right to log on locally - this is why any AD account can log on to any computer joined to the domain unless you take steps to limit this.

You must have completed the short-term override first, which involves linking the following GPO to the appropriate OU(s):
AUSTIN-Deny Logon Settings - Domain Guests Only

To configure who can log on locally

Info

By default, the Allow log on locally right is granted to Administrators, Backup Operators, Power Users, Users, and Guest.
The following process adjusts the members of the local Users group - by default, its members are: Interactive (S-1-5-4), Authenticated Users (S-1-5-11), and Domain Users.

Logon rights and their assigned values:

| Policy | Value |
| --- | --- |
| Allow logon locally | |
| Allow logon through Remote Desktop Services | |
| Deny access to this computer from the network | AUSTIN\Domain Guests |
| Deny log on as a service | AUSTIN\Domain Guests |
| Deny log on locally | AUSTIN\Domain Guests |
| Deny log on through Remote Desktop Services | AUSTIN\Domain Guests |

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain user or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK


* Checking the boxes to remove all member users and all member groups will remove any other members from this group.

[Image: Setting members of the built-in Users group using Group Policy Preferences]

To configure who can log on through Remote Desktop Services

Info

By default, the Allow log on through Remote Desktop Services right is granted to Administrators and Remote Desktop Users.
The following process adjusts the members of the local Remote Desktop Users group - by default, it has no members.

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Remote Desktop Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain user or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK


* Checking the boxes to remove all member users and all member groups will remove any other members from this group.

[Image: Setting members of the built-in Remote Desktop Users group using Group Policy Preferences]
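Because the Delete all member users and Delete all member groups boxes make the preference item authoritative for the group, it is worth verifying on a client that each built-in group ended up with exactly the members you listed in step 7 and nothing else, and in particular that it is not empty. The following script is an added example, not part of the original page; it uses Get-LocalGroupMember (Windows PowerShell 5.1 or later), and the group names AUSTIN\DEPT-Desktop-Users and AUSTIN\DEPT-RDP-Users are assumed placeholders for whatever department groups you added.

```powershell
# Added example (not from the page): check that the Group Policy Preferences items
# for the built-in Users and Remote Desktop Users groups applied as intended.
# Run on the client after 'gpupdate /force'. The AUSTIN\DEPT-* names below are
# placeholders for your own department groups.

function Compare-LocalGroup {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$Expected
    )
    # Domain members are reported as DOMAIN\Name; well-known principals such as
    # Interactive and Authenticated Users as NT AUTHORITY\Name.
    # Note: Get-LocalGroupMember throws if the group still holds an orphaned SID.
    $actual  = @(Get-LocalGroupMember -Name $Group -ErrorAction Stop | ForEach-Object { $_.Name })
    $missing = @($Expected | Where-Object { $actual   -notcontains $_ })
    $extra   = @($actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Group   = $Group
        Actual  = $actual
        Missing = $missing
        Extra   = $extra
        Ok      = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Intended membership after the preference items apply (placeholders, constructed for this example).
$checks = @{
    'Users'                = @('AUSTIN\DEPT-Desktop-Users')
    'Remote Desktop Users' = @('AUSTIN\DEPT-RDP-Users')
}

# The page's point is to take local/RDP logon away from these broad defaults.
$broadDefaults = @('NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\Authenticated Users', 'AUSTIN\Domain Users')

foreach ($g in $checks.Keys) {
    $r = Compare-LocalGroup -Group $g -Expected $checks[$g]
    $r | Format-List

    if ($r.Actual.Count -eq 0) {
        # Both Delete-all boxes checked with nothing added: the group is empty, so only
        # accounts with the right from elsewhere (e.g. local Administrators) can still log on this way.
        Write-Warning "$g is empty; the preference item removed existing members but added none."
    }
    foreach ($b in $broadDefaults) {
        if ($r.Actual -contains $b) { Write-Warning "$g still contains $b; the preference item may not have applied." }
    }
}
```

Run it once before linking the GPO to record the defaults the Info box describes (Interactive, Authenticated Users and Domain Users in Users; nothing in Remote Desktop Users) and again afterwards; Ok should be True for both groups. Keep in mind that the built-in Users group also appears in the default file-system and registry ACLs of a Windows installation, so an account you drop from it loses more than the logon right.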