Wanted to hear some of your thoughts on this: Going to have a subset of users in our AD environment that don't need to log on locally (they access web-based portals and applications, Office 365, some other SaaS apps). The risk compliance group is worried about how we ensure these guys can't log on to a domain-joined machine. I know how to do this with a GPO, have it running in a lab environment. And we have it for service accounts, but those GPOs are directed at specific OU structures with servers in them. My problem with this approach (deny log on locally, deny log on through Terminal Services) is that I need to do it at the domain level since our OU structure is fairly complex and workstation computer objects are all over the place. My fear is that at some point down the road someone will accidentally put Domain Users into this group, or some other large group, and nobody will be able to log on. I plan on mitigating this with a WMI filter that will only apply this to workstation machines, not servers.
Option 2 is to modify the "Log On To..." attribute of each of these users to a computer name that will never exist (i.e. NULL-Machine). I like this approach but the maintenance will be significantly higher than the GPO approach. Wondering if anyone else out there has had to go through this.

Thanks,
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
The Guardian Life Insurance Company of America
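A guardrail for the failure mode described above (a large group landing in the deny group), written as an added example rather than anything from the original post. It assumes a hypothetical group name 'Deny-Interactive-Logon' as the principal in the domain-level GPO's "Deny log on locally" / "Deny log on through Remote Desktop Services" settings, a constructed member-count threshold, and the RSAT ActiveDirectory module; the WMI filter query and the LogonWorkstations attribute are the real mechanisms for the two options discussed.

```powershell
# Added example, not from the original post. Group name and threshold are assumptions.
Import-Module ActiveDirectory

$DenyGroup  = 'Deny-Interactive-Logon'   # hypothetical group used in the deny-logon GPO
$MaxMembers = 500                         # constructed threshold; tune to the expected population

# WMI filter that scopes the domain-level GPO to workstations only.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$WorkstationWmiFilter = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'

# Groups that must never be nested in the deny group: any of these would lock
# every user out of every workstation the GPO applies to.
$ForbiddenNested = @('Domain Users', 'Domain Computers', 'Domain Admins', 'Enterprise Admins', 'Authenticated Users')

function Test-DenyGroupSafety {
    param([string]$GroupName, [int]$Threshold)
    $findings = @()

    # Recursive expansion catches a large group nested several levels deep.
    # ADWS refuses to enumerate groups above its default 5000-entry limit, so an
    # enumeration failure is itself a sign the group has become far too large.
    try {
        $members = @(Get-ADGroupMember -Identity $GroupName -Recursive)
        if ($members.Count -gt $Threshold) {
            $findings += "Member count $($members.Count) exceeds threshold $Threshold"
        }
    } catch {
        $findings += "Recursive enumeration of '$GroupName' failed: $($_.Exception.Message)"
    }

    # Direct members only: a forbidden group added straight into the deny group.
    $directGroups = Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'group'
    foreach ($g in $directGroups) {
        if ($ForbiddenNested -contains $g.Name) {
            $findings += "Forbidden group nested in deny group: $($g.Name)"
        }
    }
    return $findings
}

$issues = Test-DenyGroupSafety -GroupName $DenyGroup -Threshold $MaxMembers
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }   # scheduled run: raise an alert here
} else {
    Write-Output "Deny group '$DenyGroup' looks sane. WMI filter in use: $WorkstationWmiFilter"
}

# Option 2 from the post, for a single account: restrict "Log On To..." to a computer
# name that will never exist. 'jdoe' is a placeholder; uncomment to apply.
# Set-ADUser -Identity 'jdoe' -LogonWorkstations 'NULL-Machine'
```

Run it on a schedule from a management host so a bad group edit is flagged before the next Group Policy refresh propagates it to the workstations.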