
Overview

This GPO has been implemented at the request of the Information Security Office in order to enforce the following:

  • Users without a current affiliation (who are made members of the Domain Guests group) cannot log on to domain-joined computers at all.

  • Service accounts (which are made members of the DEPT-Services group) cannot log on to domain-joined computers locally or through Remote Desktop. Service accounts do not require these rights for the most part, so this reduces the threat of these accounts being misused.

There may be a scenario where a service requires the local/interactive logon right. The following processes can be used to override the GPO linked at austin.utexas.edu/Departments.

Short-Term/Quick Override

This short-term fix reverts to the previous behavior (before the deny rights were set for DEPT-Services).

  1. Link the following GPO to the appropriate OU: XXXXXXXXXXXXXXXXXXXX

  2. Once group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.

This should only be a short-term fix, while you work on implementing a long-term fix.

Long-Term Override

  1. New group? Populate the Users group?

  2. Create a GPO with the following configuration:

Setting under Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment    Value

Allow log on locally
Allow log on through Remote Desktop Services
Deny access to this computer from the network       AUSTIN\Domain Guests
Deny log on as a service                            AUSTIN\Domain Guests
Deny log on locally                                 AUSTIN\Domain Guests
Deny log on through Remote Desktop Services         AUSTIN\Domain Guests

Deny rights have precedence over allow rights. If a user has been both denied and allowed a specific logon right, the deny will be in effect.
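Because deny wins over allow, the useful check after linking either override GPO is to look at the user rights that are actually in effect on a client, not at the GPO itself. The following PowerShell script is an added example (it is not part of this page or the GPO it describes): run in an elevated session on a domain-joined computer after gpupdate, it exports the local security policy with secedit.exe, resolves the SIDs in the [Privilege Rights] section to account names, prints who is allowed or denied each logon right, and warns if DEPT-Services is still denied local or Remote Desktop logon or if Domain Guests is missing from any deny right in the table above. The group names AUSTIN\DEPT-Services and AUSTIN\Domain Guests are taken from this page; the file name and function names are this example's own.

```powershell
# Added example, not part of the original page or the GPO it describes.
# Run in an elevated PowerShell session on a domain-joined computer after
# "gpupdate /force" to confirm which principals are effectively allowed or
# denied each logon right that the override GPO touches.
# Assumes the secedit.exe export format: [Privilege Rights] lines of the
# form "SeRightName = *S-1-5-...,*S-1-5-...,PlainName".

$LogonRightNames = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit writes SIDs with a leading "*"; plain names are returned unchanged
    if ($Entry -notmatch '^\*') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # unresolvable SID (deleted account, unreachable domain)
    }
}

function Get-EffectiveLogonRights {
    # Hypothetical temp file name chosen for this example
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    # USER_RIGHTS limits the export to the [Privilege Rights] section
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $lines = Get-Content -Path $cfg
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    $result = @{}
    foreach ($line in $lines) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $LogonRightNames.ContainsKey($Matches[1])) {
            $principals = $Matches[2].Split(',') |
                Where-Object { $_ } |
                ForEach-Object { Resolve-PrincipalName $_.Trim() }
            $result[$Matches[1]] = @($principals)
        }
    }
    # A right missing from the export has no principals assigned locally
    foreach ($right in $LogonRightNames.Keys) {
        if (-not $result.ContainsKey($right)) { $result[$right] = @() }
    }
    return $result
}

function Test-LogonRightOverride {
    param(
        [string]$ServiceGroup = 'AUSTIN\DEPT-Services',   # group names from the page
        [string]$GuestGroup   = 'AUSTIN\Domain Guests'
    )
    $rights   = Get-EffectiveLogonRights
    $problems = @()

    # Deny rights take precedence, so the service group must be absent from
    # the local and Remote Desktop deny rights for the override to have effect
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        if ($rights[$right] -contains $ServiceGroup) {
            $problems += "$ServiceGroup is still listed in '$($LogonRightNames[$right])' (deny wins over allow)"
        }
    }
    # Domain Guests should remain in every deny right from the table
    foreach ($right in $LogonRightNames.Keys | Where-Object { $_ -like 'SeDeny*' }) {
        if ($rights[$right] -notcontains $GuestGroup) {
            $problems += "$GuestGroup is missing from '$($LogonRightNames[$right])'"
        }
    }

    foreach ($right in $LogonRightNames.Keys) {
        '{0,-45} {1}' -f $LogonRightNames[$right], ($rights[$right] -join ', ')
    }
    if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
    else { 'Override applied as expected.' }
}

Test-LogonRightOverride
```

Run it once before and once after gpupdate to see the change take effect; if DEPT-Services still appears in a deny right, the override GPO is not winning at that OU, and the Group Policy Results wizard (or gpresult /h) will show which linked GPO is supplying the setting.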
