We have an AD domain (still on-premise) that supports a library, among other things. This library has a number of public computers, and these public computers are in their own OU in Active Directory. We also have a generic public guest login our librarians can use to give outside guests access to the machines.
I want to limit this account — and only this account — so it can only access computers in the PublicComputers OU.
We have many other users who should also still be able to log in to these computers and others.
I am aware of the Log On To... button on a User object in AD, but this is a poor fit as these computers come and go. The OU membership is maintained for other reasons, but if we need to use that button every time a computer moves around it will quickly end up out of date.
The relevant parts of our AD hierarchy look like this:
Domain Root > InstitutionComputers > Library > PublicComputers
> ServiceAccounts > public
> Users (group) > {ManyOtherUsers}
> OtherOU > {ManyOtherUsers}
How can I do this?
I've tried setting a Deny Logon policy at the domain level to include the public account, and then another Deny Logon policy at the more-specific OU level that does not include the account.
In testing this works on some machines, but others will block the public user from logging in. If I look in Local Security Policy from a machine that is not working I see it has the full policy from the domain level, rather than the OU level, but I have confirmed the machine is a member of the correct OU. Additionally, gpresult shows both policies (I'm also adding this info to the question), so I know the more-specific policy is matching these computers. This continues to happen even after running gpupdate /force and restarting the computer.
It turns out I had a misconception of how "enforced" works in Group Policy, where it's more like css !important vs enabled/disabled. Unmarking "enforced" allowed the documented precedence rules to work, while still applying all the policies.
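An added PowerShell check, not code from the original post, that audits exactly the situation described above: it walks from a computer's OU up to the domain root, lists every linked GPO that defines "Deny log on locally" (the SeDenyInteractiveLogonRight entry in the GPO's GptTmpl.inf security template in SYSVOL), and shows whether each link is Enforced. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the caller can read SYSVOL, and uses a constructed computer name in the usage line; the OU names come from the question.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are installed and that the caller can read SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Read the "Deny log on locally" entries (SeDenyInteractiveLogonRight) from a GPO's
# security template in SYSVOL. Returns $null when the GPO does not set that right.
function Get-GpoDenyLocalLogon {
    param([Parameter(Mandatory)][guid]$GpoId)
    $gpo = Get-GPO -Guid $GpoId
    $inf = Join-Path $gpo.Path 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return $null }
    $line = Get-Content -LiteralPath $inf |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return $null }
    # Values are comma-separated; SIDs are written with a leading '*'
    return ($line -replace '^[^=]*=\s*', '') -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Walk from the computer's own container up to the domain root and report every linked
# GPO that sets "Deny log on locally". Depth 0 is the closest link; under normal
# precedence it wins, but an Enforced link at a higher depth overrides it.
function Get-DenyLogonLinkReport {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # Drop the CN= component to get the container the computer object lives in
    $container = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
    $report = @()
    $depth = 0
    while ($container) {
        $inheritance = Get-GPInheritance -Target $container
        foreach ($link in $inheritance.GpoLinks) {
            $denied = Get-GpoDenyLocalLogon -GpoId $link.GpoId
            if ($null -eq $denied) { continue }
            $report += [pscustomobject]@{
                Container         = $container
                Depth             = $depth
                Gpo               = $link.DisplayName
                Enabled           = $link.Enabled
                Enforced          = $link.Enforced
                InheritanceBlocked = $inheritance.GpoInheritanceBlocked
                DenyLogOnLocally  = ($denied -join ', ')
            }
        }
        # Stop once the domain root (DC=...) has been processed
        if ($container -notmatch '^OU=') { break }
        $container = $container -replace '^OU=[^,]+,', ''
        $depth++
    }
    return $report
}

# Usage (constructed computer name): show the Deny-log-on GPOs that reach one public
# computer, nearest link first. An Enforced=True row at Depth > 0 is the domain-level
# policy winning over the PublicComputers link, which is the symptom in the question.
# Get-DenyLogonLinkReport -ComputerName 'LIB-PUB-01' | Sort-Object Depth | Format-Table -AutoSize
```

Two things the report makes visible that gpresult alone does not: user rights such as "Deny log on locally" are not merged across GPOs, so the single highest-precedence GPO that defines the setting supplies the whole list, and an Enforced link bypasses both the closer OU link and any Block Inheritance on the OU. Running it against one working and one failing machine shows directly whether the two sit under different containers or whether an enforced higher-level link is still present.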