Wednesday, August 12, 2009

How to Prevent Interactive Logon using Local Policy

In some instances, a server is not a domain controller; it could be a Windows client computer stuck in a corner of an office, a Windows Home Server, or some other type of Windows machine.  The key thing here is that this computer is a sanctuary for data and is usually accessed over the network, not by users logging into it.

If you have a domain controller, such as Windows Small Business Server 2008, then end users are prevented from logging into such servers by default.  If you aren’t running a domain controller, you may want to ensure logon to the server is limited to just the administrators.

To do this, you just have to change the local policy on this server.  Here’s how:

  1. Log in as an administrator to the client computer, and verify that you are an administrator (this step is important, because if you make a mistake here, you could lock yourself out of the server!)
  2. Load up the local policy by going to Start, Run, and typing GPEDIT.MSC
  3. Once the Local Group Policy Editor loads, navigate down to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
  4. Select the Allow log on locally policy, remove the “Users” group from this policy, and hit Apply.

Local Group Policy Editor - Allow Log on locally policy

That’s it! You’re all finished.  Since this is local policy, there is no need to run a “gpupdate /force” to make it take effect.  Simply try to log in to the server again as a standard user account, and you’ll notice that access is denied, making your network more secure, even if you don’t have SBS!
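
The check below is an added example, not part of the original post: it confirms the change without a test logon by exporting the user rights with secedit and verifying that BUILTIN\Users (S-1-5-32-545) no longer holds Allow log on locally (SeInteractiveLogonRight) while BUILTIN\Administrators (S-1-5-32-544) still does. The function names are hypothetical, and only direct assignments are checked, not nested group membership.

```powershell
# Added example: audit "Allow log on locally" (SeInteractiveLogonRight) after the change.
# Run from an elevated PowerShell prompt. Function names are hypothetical.

$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

function Get-InteractiveLogonSids {
    param([string[]]$InfLines)
    # secedit writes a line such as (constructed sample):
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,Guest
    $line = $InfLines | Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }            # right is assigned to no one
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) { $entry.Substring(1); continue }   # already a SID
        try {
            # Account written by name: resolve it to a SID
            $acct = New-Object System.Security.Principal.NTAccount($entry)
            $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Could not resolve '$entry' to a SID"
        }
    }
}

function Test-InteractiveLogonPolicy {
    param([string[]]$InfLines)
    $sids = @(Get-InteractiveLogonSids -InfLines $InfLines)
    [pscustomobject]@{
        UsersRemoved          = $sids -notcontains $UsersSid
        AdministratorsPresent = $sids -contains $AdminsSid
        Sids                  = $sids
    }
}

# Export only the user-rights section of the local security policy
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$result = Test-InteractiveLogonPolicy -InfLines (Get-Content $cfg)
Remove-Item $cfg

$result | Format-List
if (-not $result.AdministratorsPresent) { Write-Warning 'Administrators cannot log on locally: fix this before logging off.' }
if (-not $result.UsersRemoved)          { Write-Warning 'Users still holds Allow log on locally.' }
```

Run it before logging off the administrator session, so a missing Administrators entry can be corrected while you still have access.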


Brian said...

I use and love Mesh as well but one advantage Live Sync has over it is that Sync will run on Windows Server. It's a great tool to mirror files between servers.