Disallow users logging onto a server localy via GPO

Published on 04/15/2012 by Wouter Makkinje

Filed under Group Policy

Last modified 02/22/2015

Print this page

rate 1 star rate 2 star rate 3 star rate 4 star rate 5 star
Your rating: none, Average: 0 (0 votes)

This article have been viewed 925 times

Scenario:

You have a Microsoft Windows Server 2008 R2 Server that is unfortunately located in an area open to users.

 


Problem:

Some of these users feel they can and will log into the server to check things. You obviously want to secure the server and disallow local logins.

 


Solution:

An important warning before you apply this policy. If the policy is applied to the Everyone group NO ONE will be able to log in.

On the Domain Controller server open the GPMC by going to Start > Administrative Tools > Group Policy Management.

  1. On the left hand side select the OU that your server(s) is/are in.
  2. Right click on it and select: Create a GPO in this domain and link it here.
  3. Name the GPO something explanatory such as “Disable local login”.
  4. On the left hand side browse to: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
  5. Select the policy Deny Log on locally.
  6. Click the check box “Define this policy”.
  7. Go ahead and add the groups you want to deny log on to. In most cases it’ll be the Domain Users group.