# Remotely manage Local Security Settings?



## StumpedTechy (Jul 7, 2004)

On all XP machines there is a Local Security Settings plugin that allows you to Deny users logins -

Administrative Tools > Local security settings > Local policies > User Rights Assignment > Deny log on locally

Is there any way to modify this setting on a remote computer short of having to Remote Desktop to it and bring it down? Nowhere in the box is any option to connect to a remote computer.

I guess this could be put in the XP section.


----------



## Couriant (Mar 26, 2002)

As a domain admin, you can use mmc to set up the Local Group Policy on any machine.

(I think you can; I will need to check my notes, but I'm sure you can)


----------



## StumpedTechy (Jul 7, 2004)

Recheck your notes; I can't see the local security settings anywhere on the domain policies. When I connect to the PC remotely using the mmc this only shows a limited number based on the domain information (but does not connect to the local).

I found a MS KB article - http://support.microsoft.com/kb/Q274478

But this is really talking about 2000 and NT and we're on XP and 2003. I did try the middle section about "Take the entries found in the Local Group Policy Object which are stored in the %Systemroot%\System32\GroupPolicy folder, and then copy them to other clients where you also want to apply these Local Group Policy settings." Which sounded like it should work... but didn't apply on the copied to PC.


----------



## Couriant (Mar 26, 2002)

Go to MMC > File > add/remove snap in > Add > select Group Policy Object Editor > click Browse > select Computers Tab, add the computer name > OK the rest.

Pictures are end result. But having said that, I could not find for the life of me the Deny Log On Locally. I thought it was in GP.


----------



## Couriant (Mar 26, 2002)

I think that's not the right thing... oops


----------



## Couriant (Mar 26, 2002)

Hey ST:

I spoke to my Network Admin teacher and he suggested something which I'm sure you have seen, but if you are wanting a user to log in only to one machine, then under the properties of the user account > Account tab > Log On To button and then you can specify the computer/s that the user can use. Is that what you are looking for?


----------



## StumpedTechy (Jul 7, 2004)

Yup... the problem is we want most users to be able to move around so this log onto is too restrictive. The path/instructions you provided does not show the Deny log onto. Actually I think that is just a listing of the GPO not Local machine policy of what is set for the PC in question.


----------



## Couriant (Mar 26, 2002)

You are correct, I was thinking of the GPO and not Local Security. My teacher said probably the only other way is by a script. (again!) 

I think that the Log On To is the better option. Some of the users can't have everything, you know.


----------



## StumpedTechy (Jul 7, 2004)

LOL that's many users to have to lock down though. This way would be a change to only 24 PCs effectively stopping the exact thing we want... I just can't find the solution. You know anything about making Policy templates? Maybe I can export something then make it import on login?


----------



## Couriant (Mar 26, 2002)

There is a Security Templates snap in. I was able to right click on the location and it says new template. But the only thing is, how are you going to get it to activate without RM or getting to the machine?


----------



## StumpedTechy (Jul 7, 2004)

This isn't looking promising -

"Unfortunately, local Group Policy by definition is local to each Windows 2000 computer and as such there is no Microsoft central configuration tool to help you define a standard LGPO you want to deploy onto each machine. You can't, as you might think, simply copy a configured computer's GPO folder onto another computer. However, you can export and import the security policy within the local GPO together with additional security settings such as registry settings, service configurations, and ACLs. This is done using Microsoft's Security Configuration and Analysis, which is covered next."

I have been doing some looking around and local GPO manipulation seems a bit complex and convoluted without being straightforward - http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch05.mspx

I am gonna have to go over this with a fine tooth comb but it sure doesn't seem easy.


----------
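The export/import route quoted in the last post can be scripted with `secedit`, the command-line side of Security Configuration and Analysis. The following is an added example, not something posted in the thread: it merges one account into "Deny log on locally" without dropping the entries already there. It assumes PowerShell 2.0 or later on the target PC, an elevated session on that PC, and a hypothetical group name `EXAMPLE\RestrictedUsers`.

```powershell
# Added example: merge one account into "Deny log on locally" via secedit.
# Run elevated on the target PC. The account name is a hypothetical placeholder.
param([string]$Account = 'EXAMPLE\RestrictedUsers')

$right = 'SeDenyInteractiveLogonRight'   # privilege behind "Deny log on locally"
$work  = Join-Path $env:TEMP 'deny-logon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exported = Join-Path $work 'current.inf'
$template = Join-Path $work 'deny.inf'
$db       = Join-Path $work 'deny.sdb'
$log      = Join-Path $work 'apply.log'

# 1. Export the current user rights. A template entry replaces the whole list
#    for a right, so existing entries must be carried over.
secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed' }

# 2. Resolve the account to a SID; templates reference SIDs as *S-1-5-...
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

# 3. Read the existing list (the line is absent when nobody holds the right).
$existing = @()
$line = Get-Content $exported | Where-Object { $_ -match "^$right\s*=" }
if ($line) {
    $existing = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
if ($existing -contains $entry) { Write-Output "$Account already denied"; return }
$merged = ($existing + $entry) -join ','

# 4. Write a template that contains only this one right.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$right = $merged
"@ | Set-Content -Path $template -Encoding Unicode

# 5. Apply it to the local policy using a fresh database, then report.
if (Test-Path $db) { Remove-Item $db -Force }
secedit /configure /db $db /cfg $template /areas USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }
Write-Output "$right = $merged"
```

Because the script only touches the `USER_RIGHTS` area and one right, the rest of each machine's local policy is left as it was; `apply.log` in the working folder records what `secedit` changed.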

