Overriding the AUSTIN-Deny Logon Settings GPO

Overview

The AUSTIN-Deny Logon Settings GPO has been implemented at the request of the Information Security Office in order to control the following:

  • EID-based users without a current affiliation (which are members of the Domain Guests group) cannot log on to domain-joined computers by any means

  • Department Service accounts (which are members of the DEPT-Services group) cannot log on to domain-joined computers locally or through remote desktop. Because service accounts generally do not require these rights, denying them reduces the risk of these accounts being misused.

There may be a scenario where a service account requires the local or remote desktop logon rights. The following processes can be used to override the AUSTIN-Deny Logon Settings GPO linked at austin.utexas.edu/Departments.

Short-Term/Quick Override

This short-term fix will revert to the previous behavior (before Oct 11, 2024, when deny rights were only set for Domain Guests).

  1. Link the following GPO to the appropriate OU(s):
    AUSTIN-Deny Logon Settings - Domain Guests Only

  2. Once group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.

This should only be a short-term override, while you work on implementing a long-term override.

Long-Term Override

This long-term fix will allow you to specify who should be able to log on locally. By default, the local Users group (which includes the Domain Users group by default) holds the right to log on locally; this is why any AD account can log on to any computer joined to the domain unless you take steps to limit this.

You must have completed the short-term override first, which involves linking the following GPO to the appropriate OU(s):
AUSTIN-Deny Logon Settings - Domain Guests Only

To configure who can log on locally

By default, the Allow log on locally right is granted to Administrators, Backup Operators, Power Users, Users, and Guest.
The following process adjusts the members of the local Users group; by default, its members are Interactive (S-1-5-4), Authenticated Users (S-1-5-11), and Domain Users.

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain user or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK

* Checking the boxes to remove all member users and all member groups will remove any other members from this group.

Setting members of the built-in Users group using Group Policy Preferences

To configure who can log on through Remote Desktop Services

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Remote Desktop Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain user or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK

Setting members of the built-in Remote Desktop Users group using Group Policy Preferences
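The following PowerShell script is an added verification aid, not part of the original article or of the AUSTIN GPOs. After linking the Domain Guests Only GPO and your Users / Remote Desktop Users GPP items and running gpupdate, it exports the effective user rights with secedit and lists the built-in group members, so you can confirm the override took effect before relying on it. It assumes the group names used in this article (Domain Guests, DEPT-Services).

```powershell
# Added verification script; not part of the original article or the AUSTIN GPOs themselves.
# Run from an elevated PowerShell on a domain-joined computer after `gpupdate /force` to see
# which deny rights and local group members are actually in effect after the override.
# Assumption: the group names match the article (Domain Guests, DEPT-Services).
function Get-UserRightAssignments {
    # Export the effective local security policy (user rights only) and parse [Privilege Rights].
    $cfg = Join-Path $env:TEMP 'user-rights-check.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name, $value = $matches[1], $matches[2]
            $rights[$name] = @($value.Split(',') | ForEach-Object {
                $id = $_.Trim().TrimStart('*')         # secedit prefixes SIDs with '*'
                try {                                   # S-1-5-32-545 -> BUILTIN\Users, etc.
                    ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $id }                         # unresolvable SID or plain name: keep as-is
            })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-UserRightAssignments
# Expected state after linking "AUSTIN-Deny Logon Settings - Domain Guests Only":
# Domain Guests still denied; DEPT-Services no longer denied local or Remote Desktop logon.
$checks = @(
    @{ Right = 'SeDenyInteractiveLogonRight';       Group = 'Domain Guests'; Denied = $true  }
    @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Group = 'Domain Guests'; Denied = $true  }
    @{ Right = 'SeDenyInteractiveLogonRight';       Group = 'DEPT-Services'; Denied = $false }
    @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Group = 'DEPT-Services'; Denied = $false }
)
foreach ($c in $checks) {
    $pattern  = '\\' + [regex]::Escape($c.Group) + '$'   # match the DOMAIN\Group suffix
    $isDenied = [bool](@($rights[$c.Right]) -match $pattern)
    $status   = if ($isDenied -eq $c.Denied) { 'OK  ' } else { 'WARN' }
    '{0} {1,-36} {2,-14} denied={3}' -f $status, $c.Right, $c.Group, $isDenied
}

# Who is allowed on locally / via RDP, and who the GPP "Update" items left in the built-in groups.
foreach ($r in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    "`n{0}: {1}" -f $r, (@($rights[$r]) -join ', ')
}
foreach ($g in 'Users', 'Remote Desktop Users') {
    "`nLocal group '{0}' members:" -f $g
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Format-Table Name, ObjectClass, PrincipalSource -AutoSize
}
```

A WARN on a DEPT-Services line means the Domain Guests Only GPO has not yet applied to that computer (or a higher-precedence GPO still sets the deny right); a Users group that still lists Domain Users means the Delete all member groups box in step 6 was not honored.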
