MCITP 70-640: Deny Domain Local Group

In this video from IT Free Training I will look at the exam objective Deny Domain Local Group. This exam objective is difficult to find information on, but essentially it is a few Group Policy settings that can deny users or groups particular rights on a computer.
A right on a computer essentially allows a user to do something. For example, some of the rights include logging on locally, accessing the computer from the network, and accessing the computer using remote desktop. These can be configured on the local computer by a local administrator or using domain Group Policy. In some cases, a network administrator may want to remove access for a user or group, for example for security reasons. In a secure environment, you may want to prevent the computer from being accessed remotely over the network. Using the deny settings, you can remove the rights from users of that computer regardless of what settings have been configured beforehand.
These settings can be found in the following Group Policy location. There are 5 settings which can be configured. To have a better look at these settings, I will open Group Policy Management and then edit the Default Domain Policy.
I will next navigate down through Group Policy until I get to User Rights Assignment. Normally when you assign rights to users, you would use a setting like “Allow log on through Remote Desktop Services”.
If I open this setting, normally you would define the setting and then add the required users and groups at the bottom. The problem with this approach is that the setting will replace whatever was previously configured. If you only want to deny a user or group access, you would need to enter all the users and groups required minus the ones not required. This requires the administrator to know which users and groups have already been configured.
If I exit out of here and go down to the deny settings, these options can be used to effectively remove access for a user or group without requiring any knowledge of what permissions have already been applied. You can see the 5 settings that can be configured.
The first is “Deny access to this computer from the network”. This will prevent the user or group from accessing the computer using the network; however, this does not prevent access to the computer using remote desktop.
The next setting is “Deny log on as a batch job”. This refers to jobs that are run using the task scheduler that are not interactive. Non-interactive means that the job does not require access to the desktop. If this is enabled, jobs that are attempted to be run using the task scheduler as that user will be denied.
The next setting, “Deny log on as a service”, prevents that user or group from being used to run a service on the computer.
The next setting, “Deny log on locally”, prevents a user from logging in locally to the computer. “Locally” essentially means that the user is physically at the computer attempting to log in rather than accessing it remotely.
The last setting is “Deny log on through Remote Desktop Services”. This setting will prevent access to the computer using remote desktop.
If I open “Deny log on through Remote Desktop Services”, configuring it is a simple matter of ticking “Define these policy settings” and then adding the required users and groups. In this case I will add Domain Users, which will prevent any user in the Domain Users group from using Remote Desktop to access the computer. Essentially I have removed access for the Domain Users group without knowing the permissions that were already applied.
You can see that using the deny settings can make administration easier; however, you should also consider who is in the group and make sure that you are denying the people you intended.
This is the last video of the Group Policy videos, all part of the free Active Directory course. If you want to see more from this course and others, why not consider subscribing. Thanks, and see you next time.
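
The five deny settings above appear as `SeDeny…` privilege names in a `secedit` user-rights export, and a deny right takes precedence over the matching allow right. The PowerShell below is an added example, not part of the original video or site: it parses such an export and reports, for a given set of group SIDs, which logon types end up allowed or denied. The export text, the domain SID and the function names `Get-UserRightsTable` and `Test-LogonRights` are constructed for illustration.

```powershell
# Added example. On a real host, produce the input with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# The text below is a constructed sample of that export, not real output.
$inf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
'@ -split "`r?`n"
# Allow right and matching deny right for each of the five logon types.
$logonTypes = [ordered]@{
    'Network'        = 'SeNetworkLogonRight',           'SeDenyNetworkLogonRight'
    'Batch job'      = 'SeBatchLogonRight',             'SeDenyBatchLogonRight'
    'Service'        = 'SeServiceLogonRight',           'SeDenyServiceLogonRight'
    'Local'          = 'SeInteractiveLogonRight',       'SeDenyInteractiveLogonRight'
    'Remote Desktop' = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
}

function Get-UserRightsTable {
    param([string[]]$Lines)
    $table = @{}; $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            # Entries are comma separated; SIDs carry a leading '*'.
            $table[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    $table
}

function Test-LogonRights {
    param([hashtable]$Rights, [string[]]$TokenSids)
    foreach ($type in $logonTypes.Keys) {
        $allow, $deny = $logonTypes[$type]
        $deniedBy  = @($Rights[$deny]  | Where-Object { $_ -in $TokenSids })
        $allowedBy = @($Rights[$allow] | Where-Object { $_ -in $TokenSids })
        # A deny right takes precedence over the matching allow right.
        $result = if ($deniedBy) { 'Denied' } elseif ($allowedBy) { 'Allowed' } else { 'Not granted' }
        [pscustomobject]@{ LogonType = $type; Result = $result; DeniedBy = $deniedBy -join ',' }
    }
}

# Constructed token for a Domain Admin, who is also in Domain Users (RID 513).
$sids = 'S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545',
        'S-1-5-21-1111111111-2222222222-3333333333-512', 'S-1-5-21-1111111111-2222222222-3333333333-513'
Test-LogonRights (Get-UserRightsTable $inf) $sids | Format-Table -AutoSize
```

In the sample, the Administrators entry that allows Remote Desktop is overridden by the deny entry for Domain Users, so check for this kind of self-lockout before linking a deny setting to a broad group. The comparison is by SID only; a real export can also list accounts by name, which this sketch does not resolve.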


  • Sanctus Yanni

    I really wish I can pay you back somehow for such a great effort you are doing, as for now, I'm just letting everyone know about you, and liking every video I watch, they are all spectacular btw.
    I wish you can Grow big that you can include all the IT technologies out there.
    Best Regards,

  • Darren Edwards

    Hi I was just wondering since these exams will be retired on the 31st of July 2013. Are you planning on making videos for the new exams, 70-410?
    Thanks for sharing the great videos!

  • itfreetraining

    Thanks for taking the time to leave a comment. Watching the videos is all the payback that we require. 🙂

  • itfreetraining

    We have started making videos for 70-410. For the remaining videos for the Active Directory course, we are working on releasing 2008 and 2012 videos at the same time. For example, for certificates, which we are working on now, we have demos for 2008 and 2012.

  • Omer Mahgoub Hamad

    I don't know how to thank you. I learned a lot from you. Thank you
    BTW What next course we might expect?

  • itfreetraining

    Thanks very much. The next part of the course is DNS, however we will be releasing Certificate first since there seems to be more demand for that and also we already have some videos on DNS.

  • Omer Mahgoub Hamad

    DNS ? Another DNS videos rather than already in the website. Would be great if you show how to use secondary DNS servers "UNIX"

  • itfreetraining

    The new videos are not course specific like the previous ones were. They are also not OS specific where possible. This means that we should be able to cover the core DNS topics that relate to all operating systems and then provide specific videos for particular operating systems. With any luck, in the future we will be able to quite easily add Unix-related DNS videos into the new videos. The viewer then just needs to choose the playlist they want for the operating system they want.

  • Sahir Khan

    Sir i like ur videos so much. i did preparation for exam 70-642 from ur tutorials.. and u knw i got 92% marks.. very very conceptual videos..
    now i m doing preparation for 70-640 exam. i watched all the 73 videos. very appreciated… but let me tell you that there is no video about Active Directory Certificate Authority and Federation Services..
    Plz also upload them.. thxxxxxxxxxxxxxxxxxxx alooooooooot
    wish a happy life for all doing this effort and even for free……………..

  • itfreetraining

    Thanks very much for watching the video. We are working on Certificates, Federation Services, Lightweight Directory Services and Rights Management Services at the moment.

  • Sahir Khan

    Hi Sir,
    i need 1 answer.
    u have AD Domain and a server named server2.
    server2 is currently in workgroup and installed server 2008 R2 standard OS.
    when u try to configure server2 as Enterprise subordinate CA, the option is unavailable.
    1:upgrade to server 2008 R2 enterprise
    2:import the root CA
    3:join server2 to Domain
    4:log in as administrator and run server mangr.
    what wud b microsoft recomended answer b/w 1 & 3.
    i did search but found no answer satisfied with..
    thx 4 ur time………

  • Sahir Khan

    Hi ricsip,
    if i completed this exam b4 31'st july , will i get my certificate from microsoft?
    2nd thing is that i heard that if u complete mcitp enterprise exam, u 'll have 2 certificates
    1: MCSA
    is it true.?

  • Vic Paumen

    Hi! I am just stopping by to say thank you very much for the knowledge that you are sharing. I am preparing for the 70-640 exam and although, I was reading multiple books I had no sense of where to start and what subjects are the most important. After watching 6 of your videos all I can say is wow. You sir have a talent for teaching, the material is excellent but the way you present it is amazing.
    Thank you so much for sharing this.

  • itfreetraining

    On the web site Group Policy Central there is quite a good article on how to do this. It is called "How to use Group Policy to Allow or Block URL’s". We will keep this in mind for future videos however can't say for sure if we will do it or not.

  • itfreetraining

    There are some more videos released on the web site. The playlist should be updated in the next week or 2, as there are some videos that need to be released before we can do that, otherwise the list would be out of order.

  • ToBeVerified

    I've now watched all 73 videos in the Active Directory playlist in 4 days, and this is probably the best video tutorial series I have ever seen; much better than most of the non-free video tutorial series I have seen. It is clear, informative and it never gets boring. Thanks a ton!

  • Yang Wang

    Thanks again for the great efforts! My question is, if you deny the domain users group as you did in the example, will that affect the users also belong to the domain admin group?

  • itfreetraining

    Yes they will be denied access. For example if you added the everyone group it would deny everyone including administrators.

  • Ruwan Pradeep

    biggest qualification for job . thank you so much, i completed playlist just now. that mean after 5 years from uploading. still valid
