Windows – Prevent a domain user logging in domain computers locally

Tags: active-directory, domain, user-permissions, windows

So I am managing this domain where the users are mostly our company staff, who are allowed to log in to the company computers within our domain. This is actually supported out of the box, as all users are Domain Users by default.

But I also have these third-party software providers who require accounts with an admin role on certain servers but need to be generally banned from logging in to other domain computers.

Here's what I've tried: say I created an account named John, who is assigned a security group, ThirdPartyStaff SG, as his primary group. He is then removed from the built-in Domain Users group. Now neither ThirdPartyStaff SG nor John is a member of any other group. ThirdPartyStaff SG then has the admin role on a certain server. So John should not be able to access any domain resources, right? But he can still log in to any domain computer locally (not remotely, because he is in neither the admin nor the RDP group).

So now I'm worried that apart from local logins, he might have other permissions (like shared folders or remote scheduled task management, etc) that I don't know of.

Now I have to put in a specific rule via GPO stating that ThirdPartyStaff SG is denied local login, to stop them being able to log in. Although this does the trick, I really want to know:

  1. the reason behind this behaviour (or what I understood wrong)
  2. how you would usually take care of third-party staff to grant them only the rights you specified and take away everything else: the foolproof way, without too many easy-to-forget tweaks

Thank you.

Best Answer

I would use the 'log on to' option of the domain user account to solve this problem http://ravingroo.com/267/active-directory-user-workstation-logon-restriction/
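The "Log On To" option the answer refers to is the LogonWorkstations attribute (userWorkstations in LDAP) of the user account, which can be set with the ActiveDirectory module's Set-ADUser. The PowerShell below is an added example, not code from the original answer or the linked page: it applies the restriction to every member of the third-party group and then audits the group for accounts that are unrestricted or allow machines outside the list. The group name, the server names and the two function names are assumptions for illustration; the module and the -LogonWorkstations parameter are real.

```powershell
# Added example, not part of the original answer. Requires the ActiveDirectory
# RSAT module and rights to modify the target accounts. The group name, host
# names and function names below are assumptions chosen for illustration.
Import-Module ActiveDirectory

$ThirdPartyGroup = 'ThirdPartyStaff SG'         # assumed group name
$AllowedHosts    = @('APPSRV01', 'APPSRV02')    # assumed NetBIOS names

# Restrict every current member of the group to the listed computers.
# LogonWorkstations is a comma-separated list of NetBIOS names, at most 64 entries.
# An empty value means "all computers", which is the default for a new account.
function Set-ThirdPartyLogonRestriction {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $Workstations
    )
    if ($Workstations.Count -gt 64) {
        throw 'LogonWorkstations accepts at most 64 computer names.'
    }
    $list = ($Workstations | ForEach-Object { $_.ToUpperInvariant() }) -join ','
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            Set-ADUser -Identity $_.distinguishedName -LogonWorkstations $list
            Write-Verbose "Restricted $($_.SamAccountName) to: $list"
        }
}

# Audit: report members with no restriction at all (the easy-to-forget case)
# or with machines outside the allow-list, so drift is caught before it matters.
function Get-ThirdPartyLogonDrift {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $Workstations
    )
    $allowed = $Workstations | ForEach-Object { $_.ToUpperInvariant() }
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LogonWorkstations
            $current = @()
            if ($u.LogonWorkstations) {
                $current = $u.LogonWorkstations.Split(',') |
                    ForEach-Object { $_.Trim().ToUpperInvariant() }
            }
            $extra = $current | Where-Object { $_ -notin $allowed }
            [pscustomobject]@{
                User         = $u.SamAccountName
                Unrestricted = ($current.Count -eq 0)   # empty list = every computer
                ExtraHosts   = ($extra -join ',')
            }
        } | Where-Object { $_.Unrestricted -or $_.ExtraHosts }
}

Set-ThirdPartyLogonRestriction -GroupName $ThirdPartyGroup -Workstations $AllowedHosts -Verbose
Get-ThirdPartyLogonDrift       -GroupName $ThirdPartyGroup -Workstations $AllowedHosts | Format-Table
```

Two caveats for anyone adopting this. First, the behaviour in the question is expected: on a domain-joined computer the local Users group contains Authenticated Users, and Users holds the "Allow log on locally" right, so removing an account from Domain Users does not remove its ability to log on interactively; only a workstation restriction on the account or a "Deny log on locally" right on the computer does. Second, the "Log On To" list is enforced against the computer name the client presents at logon and is capped at 64 names, so treat it as an account-side control to be combined with the "Deny log on locally" GPO on the computers that should never accept these accounts, rather than as a replacement for it.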
