Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

Overview

The AUSTIN-Deny Logon Settings GPO has been implemented at the request of the Information Security Office in order to control the following:

  • EID-based users without a current affiliation (which are members of the Domain Guests group) cannot logon to domain-joined computers by any means

  • Department Service accounts (which are members of the DEPT-Services group) and Service EIDs (which are members of the AUSTIN-EID-Services group) cannot logon to domain-joined computers locally or through remote desktop. Because services accounts generally do not require these rights, this reduces the threat of these accounts being misused.

There may be a scenario where a service account requires the local or remote desktop logon rights. The following processes can be used to override the AUSTIN-Deny Logon Settings GPO linked at austin.utexas.edu/Departments.

Short-Term/Quick Override

This short-term fix will revert to the previous behavior (before , when deny rights were only set for Domain Guests).

  1. Link the following GPO to the appropriate OU(s):
    AUSTIN-Deny Logon Settings - Domain Guests Only

  2. Once group policy is updated on the client side, this will revert to denying logins only for Domain Guests. Service accounts will not be denied local or remote desktop logins.

This should only be a short-term override, while you work in implementing a long-term override.

Long-Term Override

This long-term fix will allow you to specify who should be able to log on locally. By default, the local Users group (which includes the Domain Users group by default) has the necessary right to logon locally.

You must have completed the short-term override first, which involves linking the following GPO to the appropriate OU(s):
AUSTIN-Deny Logon Settings - Domain Guests Only

To configure who can log on locally

By default, log on locally right is allowed for Administrators, Backup Operators, Power Users, User, and Guest.
We will be adjusting the members of the Users group - by default, its members are: Interactive (S-1-5-4), Authenticated Users (S-1-5-11), and Domain Users.

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain suer or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK

* Checking the boxes to remove all member users and all member groups will remove any other members of this group.

Setting members of the built-in Users group using Group Policy Preferences

To configure who can log on through Remote Desktop Services

By default, log on through Remote Desktop Services is allowed for Administrators and Remote Desktop users.
We will be adjusting the members of the Remote Desktop Users group - by default, it has no members.

Create a GPO with the following configuration:

  1. Navigate to Computer Configuration - Preferences - Control Panel Settings - Local Users and Groups

  2. Right-click and select New Local Group

  3. Set Action to: Update

  4. Set Group name to the following from the drop-down list: Remote Desktop Users (built-in)

  5. Check the Delete all member users box*

  6. Check the Delete all member groups box*

  7. Specify the member(s) that you want added to the group:

    • Under Members, click the Add button

    • Click on the ellipsis button to the right of the Name field to bring up the Select User, Computer, or Group box

    • When adding a domain suer or group, ensure that From this location is set to: austin.utexas.edu

    • Enter the name of a user or group

    • Click the Check Names button to resolve the user or group name

    • Click OK

  8. Click OK

* Checking the boxes to remove all member users and all member groups will remove any other members of this group.

Setting members of the built-in Remote Desktop Users group using Group Policy Preferences

  • No labels