How can I deny a user from logging into my workstations and deny them from accessing any of my file shares?

Users in the AD domain are dynamically created and deleted based on official data received from Personnel and the Registrar. This data is fed into AD from PH. There may be situations that require you to "lock out" a user from your environment even though the user still has an active account. To do this you can use two User Rights Assignment policies, "Deny log on locally" and "Deny access to this computer from the network". Deny rights always win over Allow rights, so a user listed in both is refused interactive logon at the console and refused any new connection to shares, printers or remote administration on the machines the policy covers, whatever groups they otherwise belong to.

  1. Create a new security group in your OU called TLA-Denied Users.
  2. Create a group policy on an OU where you want to enforce the logon restrictions.
  3. Navigate to "Computer Configuration-> Windows Settings->Security Settings->Local Policies->User Rights Assignment". Double click "Deny log on locally".
  4. In the Deny log on locally Properties window, check the box "Define these policy settings".
  5. Click the "Add User or Group…" button.
  6. Add the name of the security group you created in step 1. Either use the browse button to select the user/group from the object picker or manually type in the name of the group, using AD\groupname for a domain group and groupname for a local group. It is also a good idea to add Guest and ASPNET; these are local accounts that exist on Windows XP and should not be able to log on. Note that a name that cannot be resolved on a target machine is logged there as a SceCli warning (event 1202, error 0x534) at each policy refresh, so only list accounts that exist on every machine in scope.
  7. When you have finished specifying the list of groups and users, click the "OK" button to save your changes.
  8. Repeat steps 3-7 for the user right "Deny access to this computer from the network", adding the same group.
  9. The restrictions take effect at the next reboot or at the next group policy refresh. To apply the change immediately, run gpupdate /force on the machine (XP or 2K3). The policy does not end sessions that already exist: a user who is already logged on keeps that session until they log off, and an open share connection survives until it is closed and has to be re-established.
  10. Whenever you want to lock out a user, add the user to the denied security group; nothing in the GPO has to change. Linking the policy at your top-level OU makes it apply to every computer beneath that OU. Two caveats: these two rights only govern interactive and network logons, so if your machines accept Remote Desktop, batch or service logons add the group to the matching "Deny log on through Terminal Services", "Deny log on as a batch job" and "Deny log on as a service" rights as well; and the lockout only covers computers the GPO applies to, not resources elsewhere in the domain.
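The same procedure scripted in PowerShell, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a placeholder OU DN and GPO name, and a GPO that is newly created (so no other client-side extensions are registered on it yet). The GroupPolicy module has no cmdlet for User Rights Assignment, so the script writes the security template that the GPO editor would write and bumps the GPO version so clients pick it up.

```powershell
# Added example, not from the original page: scripted version of steps 1-10.
# Assumptions (placeholders, not from the page): RSAT ActiveDirectory and GroupPolicy
# modules are installed, the OU DN and GPO name below are yours to change, and the GPO is new.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OU        = 'OU=TLA,DC=ad,DC=example,DC=com'   # top-level OU to protect (placeholder)
$GroupName = 'TLA-Denied Users'                 # step 1
$GpoName   = 'TLA-Deny Logon'                   # step 2 (placeholder name)
# Extra names the page recommends for XP-era machines. Plain names (unlike *SID entries) are
# resolved on each client; a name missing there logs SceCli event 1202 (0x534) at each refresh.
$ExtraDenied = @('Guest', 'ASPNET')

# Step 1: the security group that gates the lockout.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OU
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $OU -PassThru
}

# Step 2: the GPO, linked to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes | Out-Null
}
$gpc = Get-ADObject -Identity $gpo.Path `
           -Properties versionNumber, gPCMachineExtensionNames, gPCFileSysPath

# Steps 3-8: the Security Settings extension reads user rights from GptTmpl.inf in SYSVOL.
# Each right is a comma-separated list of *SID entries and/or account names.
$principals = (@("*$($group.SID.Value)") + $ExtraDenied) -join ','
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $principals
SeDenyNetworkLogonRight = $principals
"@
$infPath = Join-Path $gpc.gPCFileSysPath 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding Unicode   # the template is UTF-16

# Clients run a client-side extension (CSE) only if its GUID pair is registered on the GPO
# and the GPO version changed. The machine version is the low 16 bits of versionNumber and
# must match gpt.ini. GPMC keeps the CSE list sorted, so this only handles the empty case.
$secCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D1-A79F-00C04FC9ABFF}]'
$cseNames = [string]$gpc.gPCMachineExtensionNames
if ($cseNames -and $cseNames -notlike "*$secCse*") {
    throw "GPO '$GpoName' already registers other CSEs; add the user rights through GPMC instead."
}
if (-not $cseNames) { $cseNames = $secCse }
$newVer = [int]$gpc.versionNumber + 1
Set-ADObject -Identity $gpo.Path `
    -Replace @{ versionNumber = $newVer; gPCMachineExtensionNames = $cseNames }
Set-Content -Path (Join-Path $gpc.gPCFileSysPath 'gpt.ini') -Value "[General]`r`nVersion=$newVer"

# Step 10: locking a user out is now a single group membership change (placeholder user):
# Add-ADGroupMember -Identity $GroupName -Members 'jdoe'
# Step 9: on an affected machine, apply immediately with:  gpupdate /force
```

After a client has refreshed, confirm the rights landed with `secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS` on that machine and look for the group's SID under SeDenyInteractiveLogonRight and SeDenyNetworkLogonRight in the [Privilege Rights] section.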


Why isn’t my group policy being applied?

Whether a GPO applies depends on where the account sits in AD. Settings under Computer Configuration are applied according to the OU that holds the computer account; settings under User Configuration are applied according to the OU that holds the user account. A GPO linked to an OU that contains your workstations but not your users will therefore apply its computer settings and silently skip its user settings for everyone who logs on. To make the user settings of that GPO apply to anyone who logs on to a machine in the OU, turn on loopback processing: load the GPO, navigate to "Computer Configuration->Administrative Templates->System->Group Policy", and enable "User Group Policy loopback processing mode". In Merge mode the user's own GPOs are applied first and the user settings of the computer's GPOs are applied on top; in Replace mode the user's own GPOs are ignored and only the computer's GPOs supply user settings. To see which GPOs a client actually applied, and which were filtered out and why, run gpresult /r on that machine.
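Enabling loopback from PowerShell and auditing which GPOs have it set, as an added example that is not part of the original page. It assumes the GroupPolicy module, a placeholder GPO name, and the fact that the loopback policy is stored as the UserPolicyMode registry value under the Windows\System policies key.

```powershell
# Added example, not from the original page. Assumes the RSAT GroupPolicy module and a
# placeholder GPO name; the registry location is the one the loopback policy template writes.
Import-Module GroupPolicy

$GpoName = 'TLA-Workstation Lockdown'   # placeholder
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

# "User Group Policy loopback processing mode" is backed by UserPolicyMode:
# 1 = Merge (user's own GPOs, then this OU's user settings), 2 = Replace (only this OU's).
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' `
                    -Type DWord -Value 1 | Out-Null

# Read the mode back so an audit can find GPOs that should have loopback but do not.
function Get-LoopbackMode([string]$Name) {
    $v = Get-GPRegistryValue -Name $Name -Key $key -ValueName 'UserPolicyMode' `
                             -ErrorAction SilentlyContinue
    switch ($v.Value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}
Get-GPO -All | ForEach-Object {
    [pscustomobject]@{ GPO = $_.DisplayName; Loopback = Get-LoopbackMode $_.DisplayName }
}

# On the client, list the GPOs applied to the user and the ones filtered out:
#   gpresult /r /scope:user
# Or from an admin workstation (placeholder computer and user):
#   Get-GPResultantSetOfPolicy -Computer ws01 -User 'AD\jdoe' -ReportType Html -Path .\rsop.html
```

If the GPO shows up in the RSoP report with its computer settings applied but the user settings are still missing, the usual causes are loopback not enabled on that GPO, or a security filter on the GPO that does not include the computer account (in loopback mode the computer needs Read and Apply on the GPO).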

