I have a Windows 7 Enterprise PC joined to a domain. Without using any domain level security, how can I restrict a certain group of users (students) from logging in, but allow another group (staff) to?
I don't know what you mean by that "domain-level security" bit... But the correct way to do it is to put the Win 7 PC into its own OU in Active Directory and apply a Group Policy to that OU. In the Group Policy object editor, head to:
Computer Config -> Windows Settings -> Security Settings -> Local Policy -> User Rights Assignment and find the policy setting called "Deny Log on Locally." Add the Students to this group and they will be prevented from logging into the computer(s) to which the policy applies.
(stealing some text from Ben)
Assuming you at least have AD groups separating the two (students and staff), you can try the following:
Computer Config -> Windows Settings -> Security Settings -> Local Policy -> User Rights Assignment and find the policy setting called "Deny Log on Locally."
Add the NT AUTHORITY\Authenticated Users group if there isn't a Group Policy already taking care of this.
Then, explicitly add the AD staff group to the users group of the machine. (And remove any other groups that provide broad access to members of the AD.)
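
To confirm on the PC which accounts actually hold the "Deny log on locally" right discussed in the answers above, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of either answer; `EXAMPLE\Students` is a placeholder group name and the function names are illustrative.

```powershell
# Added example, not from the thread. Run elevated on the PC after `gpupdate /force`.
$StudentsGroup = 'EXAMPLE\Students'   # placeholder: replace with your AD students group

# Return the SIDs listed for one user right in a `secedit /export` file.
function Get-UserRightSid {
    param(
        [Parameter(Mandatory=$true)][string[]]$InfLines,
        [Parameter(Mandatory=$true)][string]$Right
    )
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry -match '^\*(S-1-.+)$') {
            $Matches[1]                                   # SIDs are exported as *S-1-...
        } elseif ($entry) {                               # some accounts appear by name
            $acct = New-Object System.Security.Principal.NTAccount($entry)
            $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

function Resolve-SidName([string]$Sid) {
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid }
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null   # effective local + GPO settings
$inf = Get-Content $cfg
Remove-Item $cfg

$deny  = @(Get-UserRightSid -InfLines $inf -Right 'SeDenyInteractiveLogonRight')
$allow = @(Get-UserRightSid -InfLines $inf -Right 'SeInteractiveLogonRight')
'Deny log on locally : ' + (($deny  | ForEach-Object { Resolve-SidName $_ }) -join ', ')
'Allow log on locally: ' + (($allow | ForEach-Object { Resolve-SidName $_ }) -join ', ')

$acct = New-Object System.Security.Principal.NTAccount($StudentsGroup)
$students = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($deny -notcontains $students) { Write-Warning "$StudentsGroup is not denied local logon" }

# A deny entry wins over any allow entry, so a broad group here also locks out staff.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
$deny | Where-Object { $broad -contains $_ } | ForEach-Object {
    Write-Warning "$(Resolve-SidName $_) is denied local logon; this covers staff accounts too"
}
```

Comparing SIDs rather than display names keeps the check correct on localized Windows installs, where the built-in group names differ.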