Allowing Logon Access to Administrative Workstations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

You can limit where the service administrator accounts (members of Enterprise Admins and Domain Admins) can log on interactively by granting the Allow log on locally user right to those groups only on administrative workstations. Administrative workstations are the computer objects in the Admin Workstations OU.

A GPO linked to the Admin Workstations OU is processed after the Default Domain Policy GPO, so its settings win. To ensure that the Deny log on locally right configured in the Default Domain Policy GPO does not apply to these workstations, you must also define Deny log on locally in the OU-level GPO without adding any users or groups. A user right that is defined in the winning GPO replaces, rather than merges with, the same right from GPOs higher in the processing order, which is why an empty definition at the OU level clears the domain-level deny list.

Requirements

  • Credentials: Domain Admins

  • Tools: Active Directory Users and Computers

To allow logon access to the Admin Workstations OU and override the Deny log on locally right in the Default Domain Policy GPO

  1. Log on with Domain Admins credentials, and then open Active Directory Users and Computers.

  2. In the console tree, right-click Admin Workstations, and then click Properties.

  3. On the Group Policy tab, click New. (On Windows Server 2008, Active Directory Users and Computers no longer has a Group Policy tab; create the GPO and link it to the Admin Workstations OU in the Group Policy Management Console instead, and then continue with step 5.)

  4. Type Service Administrator Policies, and then click Edit.

  5. Expand the policy tree to Computer Configuration\Windows Settings\Security Settings\Local Policies, and then click User Rights Assignment.

  6. In the details pane, double-click Allow log on locally.

  7. Click Define these policy settings, and then click Add User or Group.

  8. Add every group that you want to be able to log on locally to the workstations, and then click OK. Because the defined right replaces the workstation's default list (which normally includes the local Administrators group), include Administrators or an equivalent group as well, or local administrators will no longer be able to log on.

    When possible, create custom groups for administrative purposes and add members to those groups based on the administrative tasks they perform. Once you have created those groups, grant them the Allow log on locally right on the appropriate administrative workstations. Granting interactive logon to specific groups on the administrative workstations gives you a single place to see who is authorized to use those workstations and to decide whether a given account should be able to log on to them.

  9. In the details pane, double-click Deny log on locally.

  10. Click Define these policy settings, and then click OK.

Note

By default, Deny log on locally is not defined. If Deny log on locally is already defined, remove any users and groups from the list.
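After the GPO has applied (run gpupdate /force on a workstation in the Admin Workstations OU), the effective user rights on that workstation should show the groups you chose under Allow log on locally and nothing under Deny log on locally. The following PowerShell script, an added example that is not part of the original article, exports the effective local security policy with secedit.exe and checks both rights. The domain name CONTOSO, the list of expected groups, and the temporary file name are assumptions; substitute your own custom administrative groups. Run it in an elevated session.

```powershell
# Added example (not from the original article): verify the effective
# Allow/Deny log on locally rights on an administrative workstation.
# Requires an elevated PowerShell session; run after gpupdate /force.

# Assumption: the groups you granted in step 8. Replace with your own.
$expectedAllow = @(
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins'
)

# secedit exports the effective local security policy, including user
# rights, to an INF file. USER_RIGHTS limits the export to that area.
$inf = Join-Path $env:TEMP 'secpol-check.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-UserRightMembers {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Right
    )
    # A right that is not defined at all has no line in the export.
    $line = Get-Content -Path $Path | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    $values = ($line -split '=', 2)[1].Trim()
    if ($values -eq '') { return @() }          # defined, but empty
    $values -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate to DOMAIN\Name
            # where possible so the output is readable.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

$allow = @(Get-UserRightMembers -Path $inf -Right 'SeInteractiveLogonRight')
$deny  = @(Get-UserRightMembers -Path $inf -Right 'SeDenyInteractiveLogonRight')

"Allow log on locally: $($allow -join ', ')"
"Deny log on locally:  $($deny -join ', ')"

# The Deny right must be empty here. A populated list means the OU-level
# GPO did not override the Default Domain Policy GPO (wrong link, filtering,
# or the workstation is not in the Admin Workstations OU).
if ($deny.Count -gt 0) {
    Write-Warning "Deny log on locally is still populated: $($deny -join ', ')"
}

# Every group that should reach these workstations must be present. A
# missing Administrators entry is the usual way to lock yourself out,
# because the defined right replaces the workstation's default list.
foreach ($group in $expectedAllow) {
    if ($allow -notcontains $group) {
        Write-Warning "Missing from Allow log on locally: $group"
    }
}

Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

The export reflects what the security client-side extension wrote to the local security database, so it shows the result after GPO precedence has been applied, not the contents of any single GPO. If the Deny list is still populated, compare gpresult /r on the same workstation with the GPO link on the Admin Workstations OU before changing either policy.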