Web applications authentication and disabling user accounts from logging onto workstations
Hi, I preferably want to set a policy on an OU that contains users only. I'd like to prevent users from logging on to workstations but still allow them to authenticate to a web application. Unfortunately a computer policy to prevent interactive logon isn't viable as I can only apply this policy to users. Any ideas on a policy or another solution? Thanks
September 24th, 2012 5:12am

"I preferably want to set a policy on an OU that contains users only. I'd like to prevent users from logging on to workstations but still allow them to authenticate to a web application."
The question itself is a bit ambiguous! Say you had already managed to prevent users from logging on to their workstations, how would you expect them to authenticate to a web service WITHOUT allowing them to log on to their WORKSTATION? In this case, how would a user access the web service without any means? If you want users to authenticate to a web service without allowing them to log on to the domain or a workstation, I am afraid that's not possible as far as I know. An approach I can think of here would be to configure your web service to use ANONYMOUS authentication! Please explain your issue in detail so that we can discuss this further and see if there is any resolution.
That being said, it's possible to deny users from logging on to certain workstations in a domain using group policy. Please refer to the following discussion.
how to prevent all users in a certain OU from accessing servers in a certain OU with group policy?
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/49ecfed8-54d8-437d-8892-1d24ebb0f5a1/
Regards, Santosh
I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
September 24th, 2012 6:07am

Hi, The web service is hosted in an external domain, different to the domain they log into their workstations with. The other article you link to is a Computer GPO and it's not going to be possible to apply computer policies. Thanks
September 24th, 2012 6:57am

"The web service is hosted in an external domain, different to the domain they log into their workstations with."
How do users access the web service at present, through a browser or by any other means?
Regards, Santosh
September 24th, 2012 7:03am

Correct - through a browser
September 24th, 2012 9:56am

"Correct - through a browser"
All right. When users use a web browser, why do you want to restrict their access on an external domain? I presume, in your scenario, users are just using the browser and supplying their credentials to log on to the external web service or website. I don't see any security risk over here.
Regards, Santosh
September 24th, 2012 10:01am

"Correct - through a browser"
"All right. When users use a web browser, why do you want to restrict their access on an external domain? I presume, in your scenario, users are just using the browser and supplying their credentials to log on to the external web service or website. I don't see any security risk over here."
If the external domain is in use by other users then what's to stop the web users logging on to the other domain? Nothing - you can expect that if these accounts are only supposed to be for the website then there are no policies etc. apart from the default/password policies/none at all. Also the passwords are likely to never expire as they are for a website - they'll never be able to change their passwords as they don't log in. So you'll have people able to log in to workstations on another domain, with non-expiring passwords with little-to-no policies enforced... that sounds like a security risk to me!
September 24th, 2012 10:31am

Removing the 'domain users' group should achieve this. You'll have to set another group as a primary though before removing domain users. Domain users should stop them from logging in to workstations, but also allow them to authenticate (but there may need to be other security groups allowing access to the website - not domain users)
October 2nd, 2012 9:16am
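
The group change suggested in the last reply, together with a check for the non-expiring passwords raised earlier in the thread, written for the ActiveDirectory PowerShell module. This is an added example, not code from any poster; the OU path and the WebAppUsers group name are placeholders, and every change step runs with -WhatIf.

```powershell
# Added example; the OU and group names are placeholders, not values from the thread.
Import-Module ActiveDirectory

$WebUsersOU   = 'OU=WebUsers,DC=example,DC=com'  # assumed OU holding the web-only accounts
$WebGroupName = 'WebAppUsers'                    # assumed global security group used by the web app

# primaryGroupToken is the RID that a member's primaryGroupID attribute must carry.
$webGroup    = Get-ADGroup -Identity $WebGroupName -Properties primaryGroupToken
$domainUsers = Get-ADGroup -Identity 'Domain Users'

$users = Get-ADUser -SearchBase $WebUsersOU -Filter * `
    -Properties PrimaryGroup, MemberOf, PasswordNeverExpires, LastLogonDate

# 1. Audit: which accounts still have Domain Users as primary group, and which
#    have non-expiring passwords (the concern raised in the thread).
$users |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, LastLogonDate,
        @{ Name = 'PrimaryIsDomainUsers'
           Expression = { $_.PrimaryGroup -eq $domainUsers.DistinguishedName } } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# 2. Change: make the web group primary, then drop Domain Users.
#    -WhatIf only prints what would happen; remove it after reviewing the output.
foreach ($u in $users) {
    # Skip accounts whose primary group has already been moved.
    if ($u.PrimaryGroup -ne $domainUsers.DistinguishedName) { continue }

    # The account must be a member of the new group before it can become primary.
    if ($u.MemberOf -notcontains $webGroup.DistinguishedName) {
        Add-ADGroupMember -Identity $webGroup -Members $u -WhatIf
    }
    # Domain Users cannot be removed while it is still the primary group.
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = $webGroup.primaryGroupToken } -WhatIf
    Remove-ADGroupMember -Identity $domainUsers -Members $u -Confirm:$false -WhatIf
}
```

Run it against a single test account first and confirm both the web sign-in and the workstation logon behaviour before removing -WhatIf.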

This topic is archived. No further replies will be accepted.
