In this video from IT Free Training I will look at the exam objective Deny Domain Local Group. This exam objective is difficult to find information on, but essentially it is a few Group Policy settings that can deny users or groups access to particular rights on a computer.

A right on a computer essentially allows a user to do something. For example, some of the rights include logging on locally, accessing the computer from the network, and accessing the computer using remote desktop. These can be configured on the local computer by a local administrator or using domain Group Policy.

In some cases, a network administrator may want to remove access for a user or group. This may be for security reasons. For example, in a secure environment, you may want to prevent the computer from being accessed remotely over the network. Using deny local group you can remove the rights from users of that computer regardless of what settings have been configured beforehand.
These settings can be found in the following Group Policy location. There are 5 settings which can be configured. To have a better look at these settings, I will open Group Policy Management and then edit the Default Domain Policy.

I will next navigate down through Group Policy until I get to User Rights Assignment. Normally when you assign rights to users, you would use a setting like “Allow log on through Remote Desktop Services”. If I open this setting, normally you would define the setting and then add the required users and groups at the bottom. The problem with this approach is that the setting will replace whatever was previously configured. If you only want to deny a user or group access, you would need to enter all the users and groups required minus the ones not required. This requires the administrator to know which users and groups have already been configured.

If I exit out of here and go down to the deny settings, these options can be used to effectively remove access for a user or group without requiring any knowledge of what permissions have already been applied. You can see the 5 settings that can be configured.
The first is “Deny access to this computer from the network”. This will prevent the user or group from accessing the computer using the network, however this does not prevent access to the computer using remote desktop.

The next setting is “Deny log on as a batch job”. This refers to jobs that are run using the task scheduler that are not interactive. Non-interactive means that the job does not require access to the desktop. If this is enabled, jobs that are attempted to be run using the task scheduler as that user will be denied.

The next setting, “Deny log on as a service”, prevents that user or group from being used to run a service on the computer.

The next setting, “Deny log on locally”, prevents a user from logging in locally to the computer. “Locally” essentially means that the user is physically at the computer attempting to log in rather than accessing it remotely.

The last setting is “Deny log on through Remote Desktop Services”. This setting will prevent access to the computer using remote desktop.

If I open “Deny log on through Remote Desktop Services”, configuring it is a simple matter of ticking “Define these policy settings” and then adding the required users and groups. In this case I will add Domain Users, which will prevent any user in the Domain Users group from using Remote Desktop to access the computer. Essentially I have removed access for the Domain Users group without knowing the permissions that were already applied.

You can see that using the deny settings can make administration easier, however you should also consider who is in the group and make sure that you are denying the people you intended to.

This is the last video of the Group Policy videos, all part of the free Active Directory course. If you want to see more from this course and others, why not consider subscribing. Thanks, and see you next time.
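
To check which users and groups the five deny settings described above actually cover on a computer, the following added PowerShell example (not part of the video or of IT Free Training's material) parses the `[Privilege Rights]` section of a `secedit` user-rights export and lists the members of each deny right. The function name `Get-DenyLogonRight` and the sample export text are constructed for illustration; the sample's domain SID is a placeholder.

```powershell
# The five deny rights from the video, keyed by the constant name used in security templates.
$DenyRights = [ordered]@{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Hypothetical helper: returns one object per deny right with the accounts assigned to it.
function Get-DenyLogonRight {
    param([Parameter(Mandatory)][string[]]$InfLine)

    $found = @{}
    $inSection = $false
    foreach ($line in $InfLine) {
        $t = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters here.
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            # Values are comma-separated; SIDs carry a leading '*', account names do not.
            $found[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    foreach ($name in $DenyRights.Keys) {
        [pscustomobject]@{
            Right   = $name
            Setting = $DenyRights[$name]
            Members = @($found[$name] | Where-Object { $_ })   # empty when not defined
        }
    }
}

# Constructed sample in the format of a user-rights export (not real output).
# On a live machine, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-DenyLogonRight -InfLine (Get-Content "$env:TEMP\rights.inf")
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
'@ -split "`r?`n"

Get-DenyLogonRight -InfLine $sample | Format-Table -AutoSize
```

In the sample, RID 513 under the placeholder domain SID stands for Domain Users, so the Remote Desktop deny right covers that group even though Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555) hold the matching allow right.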