Denying Logon Access to the Domain
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
To deny logon access to a domain, limit the locations where the service administrator accounts can log on by denying log on locally to members of the Enterprise Admins, Domain Admins, Server Operators, Backup Operators, and Account Operators groups at the domain level. Doing so prohibits administrators from logging on to any computers in the domain. Also, be sure to follow the procedure in the next section, “Allowing Logon Access to Administrative Workstations,” for restoring logon capability to administrators so that they can log on to administrative workstations.
Requirements
Credentials: Domain Admins
Tools: Active Directory Users and Computers
Warning
Do not use this procedure without also following the procedure in the Allowing Logon Access to Administrative Workstations procedure. Failure to perform both procedures can result in your service administrators being unable to log on to any workstations or member servers in the domain.
To deny logon access at the domain level to service administrators
Log on with Domain Admins credentials, and then open Active Directory Users and Computers.
In the console tree, right-click domain_name, and then click Properties.
On the Group Policy tab, click Default Domain Policy, and then click Edit.
Expand the policy tree to Computer Configuration\Windows Settings\Security Settings\Local Policies, and then click User Rights Assignment.
In the details pane, double-click Deny logon locally.
Click Define these policy settings, and then click Add.
Add all of the service administrator accounts (Administrators, Schema Admins, Enterprise Admins, Domain Admins, Server Operators, Backup Operators, and Account Operators) to the list.