Assign the limited rights to domain users
Hello to all, I have the following case: I need to create domain users in AD without rights and permissions to log on to the domain. They should only have the right to browse the internet through ISA Server and nothing more. I mean, when a locally authenticated user opens the IE browser, the credentials window must appear requesting a domain user name and password to surf the internet. I need to create these user accounts only for this operation. Do you know how to do this, or have some experience with this action? Any suggestions or advice will be kindly appreciated, and will be very helpful for me. Thank you very much in advance,
March 16th, 2010 1:54pm

You can create a separate security group and add all external users to it. After that you will have to create a new Group Policy object where you remove logon rights from this group, and link this policy at the domain level.
http://www.sysadmins.lv
March 16th, 2010 4:16pm

Could you explain simply how to remove the logon rights and then link the policy at the domain level? I mean, can I do this from the Group Policy Management Console or from the local security policy? And could you suggest precisely which logon right to remove and set to denied, so that users do not have access permissions to log on to the domain and to domain resources? Thanks a lot,
March 17th, 2010 2:41am

Hello,
To create a restricted group:
1. Create a new security group such as "Deny Domain access group" and add all limited domain users as members.
2. Create a new group policy such as "Deny TS access GPO" and link it to the domain.
3. In the group policy, add the "Deny Domain access group" to the Deny log on locally and Deny log on through Terminal Services group policy settings.
Those two group policy settings will prevent the members of the group from logging on locally or logging on to the clients via TS.
More information for your reference:
Deny log on locally http://technet.microsoft.com/en-us/library/cc728210.aspx
Deny log on through Terminal Services http://technet.microsoft.com/en-us/library/cc737453.aspx
Moreover, if authentication before Internet access is alternative according to the policy in your organization, you may add the Everyone group to the ISA firewall rule which defines Internet access, to allow non-domain users to access the Internet.
If you have any questions or concerns, please do not hesitate to let me know.
March 17th, 2010 6:41am
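
A way to check on a client whether the two deny rights from step 3 are actually in effect there, as an added example that is not part of the original thread. It assumes the group name suggested in the post above, an elevated PowerShell 3.0 or later prompt on the client, and that `gpupdate /force` has already been run.

```powershell
# Added example (not from the thread). Run elevated on the client computer.
# Assumption: the group name is the one suggested in the post above.
$groupName = 'Deny Domain access group'

# The two settings from step 3, keyed by their internal user-right names.
$rights = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

# secedit writes domain accounts as "*<SID>", so resolve the group to its SID.
$account = New-Object System.Security.Principal.NTAccount($groupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the user rights currently in effect on this computer.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }

try {
    $lines = Get-Content -Path $cfg
    foreach ($right in $rights.Keys) {
        # Lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } |
            Select-Object -First 1
        $members = @()
        if ($line) {
            $members = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
        # Accounts may be listed by SID or by name; accept either.
        $listed = ($members -contains $sid) -or ($members -contains $groupName)
        [pscustomobject]@{
            Setting     = $rights[$right]
            Right       = $right
            GroupListed = $listed
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

`GroupListed` showing `False` means the GPO's User Rights Assignment settings have not been applied to this computer; these settings live under Computer Configuration, so they take effect only on computers the GPO applies to.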

Thank you very much for your attention, MiLes Li. I have already tried all the solutions posted above: I've configured a new GPO with "deny log on locally" and "deny log on through Terminal Services" in it, and also linked it to the domain. I have also tried the following cmdlets: "gpupdate" on the domain controller and gpupdate /force on client computers, but without any issues..... damned...
March 17th, 2010 11:00am

You need to re-logon all users for it to take effect.
http://www.sysadmins.lv
March 17th, 2010 11:10am

Vadims, I have tried this already... relogon, restart, etc. It was a lot of times... And also, I have Windows Server 2008 for domain controllers.
March 17th, 2010 11:25am

So? Did anyone ever get this working? I'm trying to do the same with no luck. Created a new OU, to which I have added the GPO. Added a new group that I have put the users in. Added that group to the GPO Security Filtering. Then added the same group to Deny Log On Locally and Deny Log On Through Remote Access. In Server 2008 GPO it's under Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment. Is this correct? Thanks
March 22nd, 2011 1:39am

This topic is archived. No further replies will be accepted.