
I have used a "Allow logon locally" GPO on a few machines to restrict who can use them. It is annoying that I have to create/link a separate GPO for each set of machines/users (Where is item-level targeting when you need it?), but now I'm running into a more difficult problem...

I need to restrict the AD users that can log in, but also allow ALL local accounts of which I may or may not have knowledge. We have machines created/supported by external vendors who create local accounts for local administration/configuration and/or testing. Those local accounts need to be able to log in, and they are not necessarily in any special, local group.

Is there any way to configure some kind of hybrid between "Allow logon locally" and Group Policy Preferences where I can target specific users/groups to add or remove from local groups without needing to specifically define EXACTLY who is in a group? Basically, I want to layer removing logon for all AD accounts, then allow login to a few, limited AD groups and all while not touching the logon ability of local accounts.

Is this do-able? I'm not opposed to start-up scripts if there is a registry key I can populate dynamically or something.

Thanks.

Teknowledgist

2 Answers


This is much simpler to achieve than I originally thought: all you need to do is to grant the "Allow log on locally" right to Local account.

Local account is a well-known security identifier (S-1-5-113) which is similar to a group, except that membership is implicit based on a rule: in this case, all local accounts are members.

If you also grant "Allow log on locally" to a local group that you create, you can use group policy with item-level targeting to add the domain users that should have logon access to that group.

So I suggest that you set your group policy to allow logon access to:

  • Administrators
  • Local account
  • Authorized domain users
Harry Johnston
  • I just want to point out to others that stumble on this that establishing a local, generic `authorized domain users` group, and populating it via GPP with item-level targeting, allows me to consolidate into one single GPO all the GPOs that previously restricted logons to a specific AD group (for each computer). Really an elegant solution, @HarryJohnston! – Teknowledgist Jul 27 '18 at 13:29

Those local accounts need to be able to log in, and they are not necessarily in any special, local group.

All local user accounts will always be in at least one of these two local groups:

  1. Administrators

  2. Users

So adding those two groups to the "Allow Log On Locally" user right will suffice to ensure that all local user accounts can log on locally.

joeqwerty
  • Or "3. Guests"? – SamErde Jul 26 '18 at 05:09
  • This answer seems incomplete; if the Users group has the local logon right, won't that (by default) mean that all domain accounts will also have that right? – Harry Johnston Jul 26 '18 at 06:22
  • Of course local user accounts will be in a local group. The issue here is that there is no local group that contains ONLY (and all) local user accounts, so I have no easy way to allow local users as well as a select set of domain users. – Teknowledgist Jul 26 '18 at 13:07
  • OK. I misunderstood your question. – joeqwerty Jul 26 '18 at 14:12
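The following PowerShell script is an added example, not code from either answer or from the original poster. It audits the "Allow log on locally" right (SeInteractiveLogonRight) on one machine the way the accepted answer describes: it exports the effective local policy with secedit, resolves each SID holding the right, checks that Administrators (S-1-5-32-544) and the well-known "Local account" SID (S-1-5-113) are present, and checks that the GPP-populated local group holds the right and shows who is in it. It also covers Harry Johnston's comment on the second answer: if the built-in Users group (S-1-5-32-545) holds the right, it lists that group's members so you can see whether Domain Users is among them. The local group name 'Authorized domain users' is an assumption taken from the answer's bullet list; run the script from an elevated prompt on a domain-joined Windows 10/Server 2016 or later machine (it uses the Microsoft.PowerShell.LocalAccounts cmdlets).

```powershell
# Added example: audit SeInteractiveLogonRight ("Allow log on locally") on this machine.
# Assumed (hypothetical) name of the local group that GPP item-level targeting fills with domain principals.
$LocalGroupName = 'Authorized domain users'

# Well-known SIDs the accepted answer says should hold the right.
$ExpectedSids = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-113'    = 'Local account'
}

# secedit writes the effective local security policy to an INI-style (UTF-16) file.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    throw 'SeInteractiveLogonRight was not found in the secedit export (run elevated).'
}

# The value is a comma-separated list; SIDs are written with a leading '*'.
$entries = ($line -split '=', 2)[1].Trim() -split ','
$holders = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        $sid = $e.TrimStart('*')
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolvable SID)'
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    } else {
        [pscustomobject]@{ Sid = $null; Name = $e }
    }
}

"Principals currently holding 'Allow log on locally':"
$holders | Format-Table -AutoSize | Out-String

# 1. Administrators and Local account must be present.
foreach ($sid in $ExpectedSids.Keys) {
    $status = if ($holders.Sid -contains $sid) { 'OK     ' } else { 'MISSING' }
    "{0} {1} ({2})" -f $status, $ExpectedSids[$sid], $sid
}

# 2. The GPP-populated local group must hold the right; show what GPP put in it.
$grp = Get-LocalGroup -Name $LocalGroupName -ErrorAction SilentlyContinue
if ($grp) {
    $status = if ($holders.Sid -contains $grp.SID.Value) { 'OK     ' } else { 'MISSING' }
    "{0} {1} ({2})" -f $status, $grp.Name, $grp.SID.Value
    "Members of '$LocalGroupName':"
    Get-LocalGroupMember -Group $grp | Select-Object Name, ObjectClass, PrincipalSource | Out-String
} else {
    "MISSING local group '$LocalGroupName' does not exist on this machine"
}

# 3. Harry Johnston's caveat: on a domain-joined machine the built-in Users group
#    normally contains Domain Users, so granting the right to Users reopens it to every domain account.
if ($holders.Sid -contains 'S-1-5-32-545') {
    $members = Get-LocalGroupMember -Group 'Users' | Select-Object -ExpandProperty Name
    "WARNING built-in Users holds the right; its members are: $($members -join ', ')"
}
```

The export/parse approach is used because there is no cmdlet that reads user-rights assignments directly; secedit's `*SID` notation is stable across Windows versions, so matching on S-1-5-113 rather than on the localized display name "Local account" keeps the check reliable on non-English systems as well.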