Local sec policy

I have Windows Server 2003 joined to a domain (it is not a DC). I am looking to deny "log on locally" to the functional accounts (they are domain accounts) that are members of the local admins group on this server. I denied at the local sec policy level but can still log on as those users. Can this be done at the local sec policy level or does it have to be set at the domain level policy? Thanks.


domain level

by CG IT In reply to Local sec policy

Processing of GP is local, site, domain and then OU.

So even though you changed the local setting, the domain settings apply because the server is at the domain level. Best would be to apply the settings at the server's OU level. That way domain policies will be overridden by OU policies.
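
An added example (not part of the thread) modelling the processing order described in the answer above: it reads "Deny log on locally" (`SeDenyInteractiveLogonRight`) from security-template text for each level and reports which level supplies the effective value. The template contents and the `CORP\svc_*` account names are constructed, and the model assumes a level that defines the right replaces earlier values rather than merging with them; enforced links and blocked inheritance are not modelled.

```python
# Added illustration: Group Policy precedence (local, site, domain, OU) for
# one user right. All template contents below are constructed samples.
import configparser

ORDER = ["local", "site", "domain", "ou"]  # processing order; later levels win
RIGHT = "SeDenyInteractiveLogonRight"      # "Deny log on locally"

def parse_right(inf_text, right=RIGHT):
    """Return the account list for `right`, or None if the template leaves it undefined."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of privilege names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights") or right not in cp["Privilege Rights"]:
        return None  # not defined at this level: earlier value stays in force
    value = cp["Privilege Rights"][right]
    return [a.strip() for a in value.split(",") if a.strip()]

def effective(templates, right=RIGHT):
    """Apply templates in ORDER; the last level that defines the right wins."""
    value, source = None, None
    for level in ORDER:
        accounts = parse_right(templates.get(level, ""), right)
        if accounts is not None:
            value, source = accounts, level  # replaces, does not merge
    return value, source

# Constructed samples: the local policy denies the service accounts, the
# domain policy defines the same right with a different list.
LOCAL = r"""[Privilege Rights]
SeDenyInteractiveLogonRight = CORP\svc_app,CORP\svc_backup
"""
DOMAIN = r"""[Privilege Rights]
SeDenyInteractiveLogonRight = Guest
"""
OU = r"""[Privilege Rights]
SeDenyInteractiveLogonRight = CORP\svc_app,CORP\svc_backup,Guest
"""

if __name__ == "__main__":
    # Local edit only: the domain value replaces it, so the deny is lost.
    print(effective({"local": LOCAL, "domain": DOMAIN}))
    # Same right defined in a GPO linked to the server's OU: it is applied last.
    print(effective({"local": LOCAL, "domain": DOMAIN, "ou": OU}))
```
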


Thanks CG

by JMSJ In reply to domain level

That's what I figured. I was hoping to get a workaround but you are correct in stating the best way is to set it at the OU level.
