Shulou(Shulou.com)06/01 Report--

I would like to share with you how the group policy limits the permissions of domain users. I believe most people don't know much about it, so share this article for your reference. I hope you will learn a lot after reading this article. Let's take a look at it!

Microsoft's default active Directory environment is very insecure. When configuring the network, many network managers will re-configure according to the security rules. It should be noted that any domain account can log on to any member's computer other than DC (domain controller), which will undoubtedly bring great hidden trouble to the security of our enterprise information. In order to ensure the security of the entire network system and ensure that confidential files are not leaked, we must use group policy to specify the computers on which domain users are allowed to log on. Here are the detailed methods:

Setting method:

Suppose we only allow domain users to log on to their own computers, but not other computers. Of course, this is not very flexible, but this method is the most effective.

Enter dsa.msc in start running to open ADUC (active Directory users and computers), select the target user you want to operate, in the user Properties window, switch to the accounts tab, and select Log in.

In the LogonWorkstaions window, the user can log in area, select all of the following computers, and add the computer name used by the domain account to the list of computers. The figure below is as follows

Recommendations:

Considering that many corporate office platforms, such as OA and wiki, support ldap authentication, many IT managers set up to use domain accounts to log on to these platforms in order to save administrative overhead. If this is the case, it is strongly recommended that the computer name of DC (domain controller) be added to the computer list in the figure above, so as to avoid the problem of not being able to log on to other office platforms.

Of course, some friends may ask, does this reduce security? In fact, you can rest assured that because ordinary domain users are denied local login in the domain controller security policy, these ordinary users cannot log on to DC (domain controller) locally.

The use of group policy to restrict domain users to only log in to their own computers, which undoubtedly maintains the network security of the system.

The above is all the content of the article "how Group Policy restricts the permissions of domain users". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.