Hello,

I have a very simple question:
"How can I prevent that certain domain users can locally log in on a
specific computer that is part of the domain? "

The specific pc (Win2000Pro) is on a Windows2000 domain.

What domain-policies should be changed and how can this policy be
applied to the specific computer account ?

Thnx,

Gaëtan Martens

How about a local security policy on that PC, preventing xyz group from logging on locally??

Firmbyte wrote:
> How about a local security policy on that PC, preventing xyz group from logging on locally??
I already tried it but it doesn't work since domain policies override
the local policies.

Then you would need to put that computer in it's own OU - possibly a child OU of
where it is now and then create a new GPO for that OU and configure the logon locally
user right at that OU to meet your needs. --- Steve

"GM" wrote in message news:c4u8u4$4db$1@gaudi2.UGent.be...
> Firmbyte wrote:
> > How about a local security policy on that PC, preventing xyz group from logging
on locally??
> I already tried it but it doesn't work since domain policies override
> the local policies.

My computer is now in a map (child of the domain root) called
"Computers" in Active Directory. So I created a new OU which is also a
child of the domain root in Active Directory (it is not possible to
create an OU that is a child of the map "Computers") and made my PC a
member of this OU (I had to remove it first from "Computers" )
I created a new Group Policy with the log on locally policy specifically
set for my account (and Administrators)

But when I attempt to log in, I get an error message: "the system cannot
log you on to this domain because the system's computer account in its
primary domain is missing or the password on that account is incorrect"
(I'm sure the password is correct)

So I have to Add my computer again to "Computers" and remove it from my
newly created OU so I am back to zero.

What did I do wrong ?

Steven L Umbach wrote:
> Then you would need to put that computer in it's own OU - possibly a child OU of
> where it is now and then create a new GPO for that OU and configure the logon locally
> user right at that OU to meet your needs. --- Steve
>
> "GM" wrote in message news:c4u8u4$4db$1@gaudi2.UGent.be...
>
>>Firmbyte wrote:
>>
>>>How about a local security policy on that PC, preventing xyz group from logging
>
> on locally??
>
>>I already tried it but it doesn't work since domain policies override
>>the local policies.
>
>
>

The OU has to be created in the same domain that your computer account exists in -
apparently the child domain. There error you mention indicates a problem with your
domain computer account and should have nothing to do with moving your computer into
a different OU in the same domain. OU's are simply boundaries for managing
policy/delegation and organizing user/computers. You may need to unjoin and rejoin
your computer to the domain to fix your computer account. --- Steve


"GM" wrote in message news:c50i7k$rh9$1@gaudi2.UGent.be...
> My computer is now in a map (child of the domain root) called
> "Computers" in Active Directory. So I created a new OU which is also a
> child of the domain root in Active Directory (it is not possible to
> create an OU that is a child of the map "Computers") and made my PC a
> member of this OU (I had to remove it first from "Computers" )
> I created a new Group Policy with the log on locally policy specifically
> set for my account (and Administrators)
>
> But when I attempt to log in, I get an error message: "the system cannot
> log you on to this domain because the system's computer account in its
> primary domain is missing or the password on that account is incorrect"
> (I'm sure the password is correct)
>
> So I have to Add my computer again to "Computers" and remove it from my
> newly created OU so I am back to zero.
>
> What did I do wrong ?
>
> Steven L Umbach wrote:
> > Then you would need to put that computer in it's own OU - possibly a child OU of
> > where it is now and then create a new GPO for that OU and configure the logon
locally
> > user right at that OU to meet your needs. --- Steve
> >
> > "GM" wrote in message news:c4u8u4$4db$1@gaudi2.UGent.be...
> >
> >>Firmbyte wrote:
> >>
> >>>How about a local security policy on that PC, preventing xyz group from logging
> >
> > on locally??
> >
> >>I already tried it but it doesn't work since domain policies override
> >>the local policies.
> >
> >
> >
>
>

Yes, everything works now as I desired !
I just had to "move" the computer account (right-click on the computer
account in Active Directory and the choose move) to the OU I created.

Thanx for your advice Steven !
(mmmm I prob. could become a good system administrator :-) )

Steven L Umbach wrote:
> The OU has to be created in the same domain that your computer account exists in -
> apparently the child domain. There error you mention indicates a problem with your
> domain computer account and should have nothing to do with moving your computer into
> a different OU in the same domain. OU's are simply boundaries for managing
> policy/delegation and organizing user/computers. You may need to unjoin and rejoin
> your computer to the domain to fix your computer account. --- Steve
>
>
> "GM" wrote in message news:c50i7k$rh9$1@gaudi2.UGent.be...
>
>>My computer is now in a map (child of the domain root) called
>>"Computers" in Active Directory. So I created a new OU which is also a
>>child of the domain root in Active Directory (it is not possible to
>>create an OU that is a child of the map "Computers") and made my PC a
>>member of this OU (I had to remove it first from "Computers" )
>>I created a new Group Policy with the log on locally policy specifically
>>set for my account (and Administrators)
>>
>>But when I attempt to log in, I get an error message: "the system cannot
>>log you on to this domain because the system's computer account in its
>>primary domain is missing or the password on that account is incorrect"
>>(I'm sure the password is correct)
>>
>>So I have to Add my computer again to "Computers" and remove it from my
>>newly created OU so I am back to zero.
>>
>>What did I do wrong ?
>>
>>Steven L Umbach wrote:
>>
>>>Then you would need to put that computer in it's own OU - possibly a child OU of
>>>where it is now and then create a new GPO for that OU and configure the logon
>
> locally
>
>>>user right at that OU to meet your needs. --- Steve
>>>
>>>"GM" wrote in message news:c4u8u4$4db$1@gaudi2.UGent.be...
>>>
>>>
>>>>Firmbyte wrote:
>>>>
>>>>
>>>>>How about a local security policy on that PC, preventing xyz group from logging
>>>
>>>on locally??
>>>
>>>
>>>>I already tried it but it doesn't work since domain policies override
>>>>the local policies.
>>>
>>>
>>>
>>
>
>