Windows – “Deny Logon Locally” effects

active-directorygroup-policypermissionswindows

I'm planning to harden my AD-based infrastructure. One privilege that I'm planning to limit is the "local logon" privilege.

Now, if I push "Deny Logon Locally" through GPO, besides preventing affected users from logging in on the physical console, what other side effects will happen?

Specifically, I'm interested in whether the denied account be used for:

runas
RDP to console (using /admin switch)
Scheduled Tasks
Running services
psexec

I do plan to experiment, but just in case there are additional, important side effects I need to be aware of that are not listed above, please let me know.

Thank you!

Best Answer

Deny Logon Locally affects both runas, RDP to console and psexec. Whereas it doesnt affect the other two..

If you want to deny the other two also, you need to do it through GPO like deny logon as a service etc..

Related Solutions

Windows – Useful Command-line Commands on Windows

A little known one is

getmac

It shows the MAC address(es) of your network adapter(s).

Screenshot of running getmac from a Windows commandline window.

Windows – What are the effects of a machine account being member of Domain Admins

Services running with the machine account will gain Domain Admin privileges. Users logged into that machine will not inherit such privs. Sometimes this is done if some badly written service that can't run as a user for some reason needs to have access to the entire domain. Also, lazy admins.

As a security flaw it isn't earth-shaking, but it should be resolved. There should be no reason (short of crappy code) for this to be done.

Best Answer

Related Solutions

Windows – Useful Command-line Commands on Windows

Windows – What are the effects of a machine account being member of Domain Admins

Related Topic