Prevent Users From Logging Into the Physical Server’s Active Directory But Allow Workstation Logon

active-directory

I'm fairly new to group policy management. I'm running Windows Server 2008 R2 with Active Directory set up. I have set up my users and assigned them to the proper groups, which consist of regular users, admins/super admins, and some Local Workstation Admins.

I'm trying to prevent users from physically walking up to the server and logging in with their credentials, just as if it were one of our workstations. I want them to be able to log in to any of the workstations in the building with their credentials, but not the server. It seems that if I change the GPO to deny log on locally, it also denies them the ability to log on to their workstation, as well as the server.

Is it possible to allow only Super Administrators to log on to the physical server, while still allowing users to log on to their workstations?

Best Answer

Ensure that the server is in a different OU than the workstations, and apply different GPOs to the server OU versus the workstation OU.
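The answer above is a scoping fix: the user-rights setting is only wrong because it was linked somewhere (typically the domain root) that covers the workstations too. The following PowerShell, an added example that is not part of the question or the answer, carries the scoping out end to end: it creates separate OUs, moves a member server's computer object into the server OU, creates a GPO linked only there, and then checks that the same GPO is not also linked at the domain root or the workstation OU. The domain, the OU names `Servers` and `Workstations`, the server name `SRV01`, the group name `Super Admins` and the GPO name are placeholders, not values from the page. It needs the RSAT `ActiveDirectory` and `GroupPolicy` modules, which ship with GPMC on 2008 R2.

```powershell
# Added example (not from the original question or answer): put the server in its own OU
# and scope a logon-restriction GPO to that OU only, so it never reaches workstations.
# Placeholders: server SRV01, OUs "Servers" / "Workstations", group "Super Admins".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName     # e.g. DC=corp,DC=example,DC=com
$serverOU   = "OU=Servers,$domainDN"
$wsOU       = "OU=Workstations,$domainDN"
$serverName = "SRV01"                              # a MEMBER server, see note on DCs below
$gpoName    = "Servers - Restrict Local Logon"

# 1. Separate OUs for servers and workstations (created only if missing).
foreach ($ou in @(@{Name="Servers"; Path=$domainDN}, @{Name="Workstations"; Path=$domainDN})) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    if (-not (Get-ADOrganizationalUnit -Identity $dn -ErrorAction SilentlyContinue)) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Move the member server's computer object into the server OU.
#    Do NOT do this for a domain controller: DCs must stay in the built-in
#    "Domain Controllers" OU; link the GPO there instead (or rely on the
#    Default Domain Controllers Policy, which already limits "Allow log on locally"
#    to Administrators, Account/Backup/Print/Server Operators).
$computer = Get-ADComputer -Identity $serverName
if ($computer.DistinguishedName -notlike "*,$serverOU") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $serverOU
}

# 3. Create the GPO and link it to the server OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Allow local logon on servers only for Administrators / Super Admins"
}
$linked = (Get-GPInheritance -Target $serverOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $serverOU -LinkEnabled Yes | Out-Null
}

# 4. User Rights Assignment has no GroupPolicy cmdlet, so set it in GPMC:
#    edit "$gpoName" -> Computer Configuration > Policies > Windows Settings >
#    Security Settings > Local Policies > User Rights Assignment >
#    "Allow log on locally" = Administrators, Super Admins.
#    Granting the right to a short allow-list is simpler than maintaining a
#    "Deny log on locally" list, and deny always wins over allow if both are used.

# 5. Check: the GPO must not also be linked where workstations would pick it up.
foreach ($target in @($domainDN, $wsOU)) {
    $stray = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if ($stray) {
        Write-Warning "'$gpoName' is also linked at $target; remove that link or workstations will be affected."
    }
}

# Optional: dump the GPO's settings for review, and on a workstation run
#   gpresult /r /scope:computer
# to confirm the server GPO is not in its "Applied Group Policy Objects" list.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

The check in step 5 is the part that directly answers the question's symptom: a user-rights GPO that "also denies them the ability to log on to their workstation" is almost always one linked at the domain root, where every computer inherits it. Keeping the link on the server OU alone, and confirming nothing stray remains above it, is what makes "servers only" hold.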