Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel1
minLevel1
include
outlinefalse
indent
exclude
typeflat
printabletrue
class
separatorbrackets

Overview

The AUSTIN-Deny Logon Settings GPO has been implemented at the request of the Information Security Office in order to control the following:

  • EID-based users without a current affiliation (which are members of the Domain Guests group) cannot logon to domain-joined computers by any means

  • Department Service accounts (which are members of the DEPT-Services group) and Service EIDs (which are members of the AUSTIN-EID-Services group) cannot logon to domain-joined computers locally or through remote desktop. Because services accounts generally do not require these rights, this reduces the threat of these accounts being misused.

There may be a scenario where a service account requires the local or remote desktop logon rightrights. The following processes can be used to override the AUSTIN-Deny Logon Settings GPO linked at austin.utexas.edu/Departments.

Short-Term/Quick Override

This short-term fix will revert to the previous behavior (before , when deny rights were only set for Domain Guests).

  1. Link the following GPO to the appropriate OU(s):
    AUSTIN-Deny Logon Settings - Domain Guests Only

  2. Once group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.

Note

This should only be a short-term override, while you work in on implementing a long-term override.

Long-Term Override

This long-term fix will allow you to specify who should be able to log on locally. By default, the local Users group (which includes the Domain Users group by default) has the necessary right to logon locally - this is why any AD account can log onto any computer joined to the domain unless you take steps to limit this.

You must have completed the Shortshort-Term term override first, which involves linking the following GPO to the appropriate OU(s):
AUSTIN-Deny Logon Settings - Domain Guests Only

To configure who can log on locally

Info

By default, log on locally right is allowed for Administrators, Backup Operators, Power Users, User, and Guest.
The following process will be adjusting the members of the Users group - by default, its members are: Interactive (S-1-5-4), Authenticated Users (S-1-5-11), and Domain Users.

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain suer or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK

Panel
bgColor#FFFAE6

* Checking the boxes to remove all member users and all member groups will remove any other members from this group.

Setting members of the built-in Users group using Group Policy PreferencesImage Modified

To configure who can log on through Remote Desktop Services

Info

By default, log on through Remote Desktop Services is allowed for Administrators and Remote Desktop users.
The following process will be adjusting the members of the Remote Desktop Users group - by default, it has no members.

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Remote Desktop Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain suer or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK

Panel
Setting members of the built-in Remote Desktop Users group using Group Policy PreferencesImage Removed
bgColor
InfoDeny rights have precedence over allow rights. If a user has been both denied and allowed a specific logon right, the deny will be in effect.
#FFFAE6

* Checking the boxes to remove all member users and all member groups will remove any other members from this group.

Setting members of the built-in Remote Desktop Users group using Group Policy PreferencesImage Added