Overview

This GPO has been implemented by request of the Information Security Office in order to control the following:

• Users without a current affiliation (which are made members of the Domain Guests group) cannot logon to domain-joined computers at all

• Service accounts (which are made members of the DEPT-Services group) cannot logon to domain-joined computers locally or through remote desktop. Services accounts do not require these rights for the most part, so this reduces the threat of these accounts being misused.

There may be a scenario where a service requires the local/interactive logon right. The following processes can be used to override the GPO linked at austin.utexas.edu/Departments.

Short-Term/Quick Override

This short-term fix will revert to the previous behavior (before 11 Oct 2024 when deny rights were set for DEPT-Services).

1. Link the following GPO to the appropriate OU: XXXXXXXXXXXXXXXXXXXX

2. Once group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.

Long-Term Override

This long-term fix will allow you to explicitly specify who should be able to log on locally. By default, Domain Users have the necessary right to logon locally.

1. New group? Populate the Users group?

2. Create a GPO with the following configuration: