Restrict AD users from Certain Domain Machines in Server 2003

This guide is mainly helpful when you need to lock down a computer using GPOs and Active Directory. The situation here is a group of users who need to be locked down to the bare minimum of usability features. In addition, the computers these users sign on to are in highly sensitive areas, so only certain users may be allowed to log in. For example: you have 10 computers in an area where you only want certain locked-down accounts to be able to log in. If an account with greater privileges, such as a more powerful user, is compromised, it will not be able to log into the restricted machines.

  • Create an Organizational Unit which holds all of the machines that need to be restricted. Mine is named ‘Lockdown Computers’.
  • Create a GPO and link it to the ‘Lockdown Computers’ OU. This can be done by right-clicking the OU in Group Policy Management and selecting “Create and Link a GPO Here…”.
  • Right-click on the newly created GPO and select “Edit…”.
  • Under Computer Configuration, navigate to Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment.
  • In the right pane, find the policies “Allow Log on Locally” and “Allow Log on Through Terminal Services”.
  • In each policy, under the “Security Policy Setting” tab, click Add User or Group.
  • The easiest method is to create a user group in Active Directory which contains the users you want to be able to log into the given machine. It is usually best to select only the accounts which will be working on the computer in the future, as well as the limited user login. In addition, for both policies, the Administrators group for the Domain Controller must be selected. Be careful which users you select: you do not want to lock yourself out of a machine completely.
  • Close the Group Policy Editor, and navigate to the GPO which was just edited.
  • Right-click the GPO and select “Enable”.
  • Next, open a command prompt on the server and enter “gpupdate /force”.
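As an added example (not part of the original guide), the following Python script audits a policy export taken on one of the restricted machines with “secedit /export /cfg C:\policy.inf /areas USER_RIGHTS” and confirms that only Administrators and the lockdown group hold the two logon rights, flagging the two mistakes the steps above warn about: a broad group such as Users still present, or Administrators dropped. The lockdown group SID and both sample exports are constructed placeholders.

```python
"""Audit the [Privilege Rights] section of a secedit export for the two
logon rights this guide sets.  Well-known SIDs: Administrators S-1-5-32-544,
Users S-1-5-32-545, Everyone S-1-1-0, Authenticated Users S-1-5-11."""

# Privilege names as secedit writes them, mapped to the GPO display names.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}
ADMINISTRATORS = "S-1-5-32-544"
# Principals that, if still granted, let any domain user onto the machine.
OVERLY_BROAD = {"S-1-5-32-545": "Users", "S-1-1-0": "Everyone",
                "S-1-5-11": "Authenticated Users"}

def parse_privilege_rights(inf_text):
    """Return {privilege_name: set(of SIDs/names)} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit prefixes SIDs with '*'; strip it so comparisons work.
            rights[name.strip()] = {v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()}
    return rights

def audit_logon_rights(inf_text, allowed_group_sid):
    """Return a list of findings; an empty list means the policy matches the guide."""
    findings, rights = [], parse_privilege_rights(inf_text)
    for privilege, label in LOGON_RIGHTS.items():
        holders = rights.get(privilege, set())
        if ADMINISTRATORS not in holders:
            findings.append(f"{label}: Administrators missing (lock-out risk)")
        if allowed_group_sid not in holders:
            findings.append(f"{label}: lockdown group {allowed_group_sid} not granted")
        findings += [f"{label}: '{n}' still holds the right"
                     for sid, n in OVERLY_BROAD.items() if sid in holders]
    return findings

LOCKDOWN_GROUP = "S-1-5-21-1111-2222-3333-1105"  # constructed placeholder SID
# Constructed export of a workstation's default rights, before the GPO applies.
SAMPLE_BEFORE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
# Constructed export after the GPO: Administrators plus the lockdown group only.
SAMPLE_AFTER = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
"""

if __name__ == "__main__":
    for tag, inf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(tag, audit_logon_rights(inf, LOCKDOWN_GROUP) or ["OK"])
```

A real export from secedit is typically UTF-16 encoded, so read the file with that encoding before passing its text to audit_logon_rights.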