You could pull the IIS users out of the Domain Users group, which would effectively prevent them from logging into domain computers; you'd have to set an alternate Primary Group. Automating this (or any solution) would depend on how you provision the IIS users, and how often they change.
-----Original Message-----
From: Jonathan Hassell [mailto:[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:08 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]

Hello, all

I am looking for a way to manage user accounts in AD for an IIS server that will allow the users to log into the IIS server, but will not allow them to log in to computers on the domain.

The only idea I have is to deny those users in GP (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny logon locally) at the highest level of the domain. This leaves the problem of how to automatically add the users to the denied group. I think it would make more sense if I could deny users in User Configuration, rather than Computer Configuration.

I'd like to hear how everyone prevents IIS users from logging in to local machines? I'm also curious how everyone controls which users can log in to each machine (i.e., prevent every Domain User from being able to log in to every Domain Computer).

Any comments would be appreciated.

Jonathan Hassell

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
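
One way to automate both ideas raised in this thread (membership in the group named under "Deny logon locally", and an alternate Primary Group in place of Domain Users), written with the ActiveDirectory PowerShell module. This is an added example, not from either poster; the OU and the two group names are hypothetical placeholders, and it assumes the IIS accounts are provisioned into a single OU.

```powershell
# Added example. $IisOu, $PrimaryGroup and $DenyGroup are hypothetical names.
Import-Module ActiveDirectory

$IisOu        = 'OU=IIS Users,DC=example,DC=com'  # assumed OU holding the IIS accounts
$PrimaryGroup = 'IIS Web Users'                   # assumed global security group
$DenyGroup    = 'Deny Local Logon'                # assumed group listed in "Deny logon locally"

$primary     = Get-ADGroup -Identity $PrimaryGroup
$deny        = Get-ADGroup -Identity $DenyGroup
$domainUsers = Get-ADGroup -Identity 'Domain Users'

# primaryGroupID stores the RID, i.e. the last component of the group's SID.
$primaryRid = [int]($primary.SID.Value.Split('-')[-1])

$users = Get-ADUser -SearchBase $IisOu -SearchScope Subtree -Filter * `
                    -Properties primaryGroupID, memberOf

foreach ($u in $users) {
    # 1. Put the account in the group that the deny policy references.
    if ($u.memberOf -notcontains $deny.DistinguishedName) {
        Add-ADGroupMember -Identity $deny -Members $u
    }

    if ($u.primaryGroupID -ne $primaryRid) {
        # 2. An account must already be a member of a group before that
        #    group can become its primary group.
        if ($u.memberOf -notcontains $primary.DistinguishedName) {
            Add-ADGroupMember -Identity $primary -Members $u
        }
        Set-ADUser -Identity $u -Replace @{ primaryGroupID = $primaryRid }
    }

    # 3. Once Domain Users is no longer primary it shows up as an ordinary
    #    membership in memberOf and can be removed.
    $fresh = Get-ADUser -Identity $u -Properties memberOf
    if ($fresh.memberOf -contains $domainUsers.DistinguishedName) {
        Remove-ADGroupMember -Identity $domainUsers -Members $fresh -Confirm:$false
    }
}
```

The script is idempotent, so it can run on a schedule to pick up accounts as they are provisioned; how often depends on how often the IIS users change.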
