GPO: Allow log on locally, admins access only

Tags: active-directory, group-policy, windows-7, windows-server-2003

I have a small group of desktop servers and I do not want anyone to be able to log on to them locally except for administrators.

We have a Windows 2003 AD and the servers are running Windows 7 Pro.

I know that I can:

Create an OU in AD with said computers, and assign a Group Policy to that OU. Then, in the Group Policy Editor, go to: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally and delete all groups/users except for Domain Administrators, Remote Users, and Administrators?

Is it better to do this through Group Policy, or to configure this on each machine?

Best Answer

The way that you mentioned is the best way to do this.

You can configure this on each individual computer, but there's no benefit. Doing it via GPO is much more scalable.
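The OU-plus-GPO approach from the question and the accepted answer, carried through as an added example (not code from the question, the answer, or Microsoft). It assumes an administrative workstation with the RSAT ActiveDirectory and GroupPolicy modules, that those modules are allowed to manage a Windows Server 2003 domain, and that the OU name, GPO name and computer names are placeholders to be replaced. The user right itself has no GroupPolicy cmdlet, so it is still set in the GPO editor as described in the question; the second half of the block is a check you run on a member machine (from an elevated prompt, after `gpupdate /force`) to confirm nobody unexpected kept the right.

```powershell
# Added example, not from the original post. Placeholders: $OuName, $GpoName,
# and the computer names in $Targets are assumptions; change them to match.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$OuName   = 'LockedDownDesktops'              # assumed OU name
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'Restrict Allow log on locally'   # assumed GPO name
$Targets  = 'DESKTOP01', 'DESKTOP02'          # assumed computer names

# 1. OU that will hold only the machines with the restricted logon policy.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. Move the target computers into it so only they receive the GPO.
foreach ($name in $Targets) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $OuDN
}

# 3. Create the GPO (if needed) and link it to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Set the right in the GPO editor (no cmdlet exists for User Rights Assignment):
#    Computer Configuration\Windows Settings\Security Settings\Local Policies\
#    User Rights Assignment\Allow log on locally
#    Keep Administrators in the list; a GPO-defined user right REPLACES the local
#    list rather than merging with it, so an empty or wrong list locks you out.

# 5. Verification, run on a member after 'gpupdate /force' (elevated prompt):
#    export the effective security policy and compare SeInteractiveLogonRight
#    (the internal name of "Allow log on locally") against an allowlist.
function Test-AllowLogOnLocally {
    param(
        # Accounts allowed to keep the right. BUILTIN\Administrators is SID
        # S-1-5-32-544; Domain Admins is <domain SID>-512, resolved by name here.
        [string[]]$AllowedNames = @('BUILTIN\Administrators', "$env:USERDOMAIN\Domain Admins")
    )
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) {
        Write-Warning 'SeInteractiveLogonRight not present in the exported policy'
        return $false
    }

    # Export format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

    # Translate SIDs to DOMAIN\Name; keep the raw SID if it cannot be resolved
    # (e.g. an orphaned account), since that is itself worth seeing.
    $names = foreach ($sid in $sids) {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }
    }

    $extra = $names | Where-Object { $AllowedNames -notcontains $_ }
    if ($extra) {
        Write-Warning "Unexpected principals with Allow log on locally: $($extra -join ', ')"
        return $false
    }
    Write-Host "Allow log on locally is limited to: $($names -join ', ')"
    return $true
}

# Example call on the member machine:
# Test-AllowLogOnLocally
```

Two practical caveats: the default list that the GPO overwrites includes Users and Backup Operators, so anything that relied on those (a backup agent running as a member of Backup Operators, for instance) stops being able to log on interactively. And "Allow log on locally" governs console logon only; Remote Desktop is governed by the separate "Allow log on through Remote Desktop Services" right, which this GPO does not touch.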