A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack: an ordered selection of software that makes it possible to complete a particular task. The question “Can I ‘allow logon locally’ for ALL local accounts and some domain accounts?” below is one such server-stack problem that needed a solution. The following are tips for managing your Windows server when you run into problems involving windows, active-directory, group-policy, login, user-permissions.
I have used an “Allow logon locally” GPO on a few machines to restrict who can use them. It is annoying that I have to create/link a separate GPO for each set of machines/users (Where is item-level targeting when you need it?), but now I’m running into a more difficult problem…
I need to restrict the AD users that can log in, but also allow ALL local accounts of which I may or may not have knowledge. We have machines created/supported by external vendors who create local accounts for local administration/configuration and/or testing. Those local accounts need to be able to log in, and they are not necessarily in any special, local group.
Is there any way to configure some kind of hybrid between “Allow logon locally” and Group Policy Preferences where I can target specific users/groups to add or remove from local groups without needing to specifically define EXACTLY who is in a group? Basically, I want to layer removing logon for all AD accounts, then allow login to a few, limited AD groups and all while not touching the logon ability of local accounts.
Is this do-able? I’m not opposed to start-up scripts if there is a registry key I can populate dynamically or something.
This is much simpler to achieve than I originally thought: all you need to do is to grant the “Allow log on locally” right to
Local account is a well-known security identifier (S-1-5-113) which is similar to a group, except that membership is implicit based on a rule: in this case, all local accounts are members.
If you also grant “Allow log on locally” to a local group that you create, you can use group policy with item-level targeting to add the domain users that should have logon access to that group.
So I suggest that you set your group policy to allow logon access to:
Authorized domain users
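The answer above relies on the well-known “Local account” SID (S-1-5-113) being present in the “Allow log on locally” user right. The following PowerShell script is an added example, not code from the thread or its author, that audits the effective SeInteractiveLogonRight assignment on the machine where it runs and reports whether S-1-5-113 is granted. It assumes an elevated session, that secedit.exe is available (it ships with Windows), and a temporary export path under $env:TEMP; the S-1-5-113 SID exists on Windows 8.1 / Server 2012 R2 and later, and on older systems only with the KB2871997 update installed.

```powershell
# Added example (not from the Server Fault thread): audit the effective
# "Allow log on locally" (SeInteractiveLogonRight) assignment on this host
# and report whether the well-known "Local account" SID S-1-5-113 is granted.
# Run in an elevated PowerShell session; secedit exports the policy as INI text.

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # temporary export path (assumption)
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Pull the single line that defines SeInteractiveLogonRight from the export.
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not defined in the exported policy'
    return
}

# Values are comma-separated; SIDs carry a leading '*', plain names do not.
$entries  = ($line -split '=', 2)[1].Trim() -split ','
$resolved = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.Substring(1))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # orphaned or foreign-domain SID
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
    else {
        [pscustomobject]@{ Sid = $null; Name = $e }
    }
}

# Show everything that currently holds the right, resolved to readable names.
$resolved | Format-Table -AutoSize

$localAccountSid = 'S-1-5-113'   # well-known "NT AUTHORITY\Local account" SID from the thread
if ($resolved.Sid -contains $localAccountSid) {
    "OK: $localAccountSid (Local account) holds SeInteractiveLogonRight; every local user can log on locally."
}
else {
    "MISSING: $localAccountSid is not granted; local users can log on only through other listed groups (e.g. Users, Administrators)."
}
```

Because the export reflects the merged result of local policy and every applied GPO, running this after a `gpupdate /force` on a test machine is a quick way to confirm that the GPO change actually landed before rolling it out more widely.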
“Those local accounts need to be able to log in, and they are not necessarily in any special, local group.”
All local user accounts will always be in at least one of these two local groups:
So adding those two groups to the “Allow Log On Locally” user right will suffice to ensure that all local user accounts can log on locally.