GPO, Deny local Logon, and end users….

Today I got a bit of a shock while trying to do some troubleshooting on a new server.  I could not access the resource monitor to see what was causing some odd interface delays.  Finally I looked and the server was logged on by one of my domain users.  This is very interesting as I have domain users blocked from logging into my servers locally.

(As an FYI, I accomplished this by having a separate GPO for servers and domain controllers.  Then I edit the GPO and under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment I define the “Deny log on locally” policy and add the user group I want to block (in my case, Domain Users) to that policy.)

Anyway, it seems that I added the server to the domain and left for lunch.  Then, in what must have been the minute after I left, this end user went into the server room (which doesn’t have any physical security yet because we are just moving into a new building) and logged into the server.  The oddity here is that I must have added it to the domain and not rebooted, so the deny policy hadn’t been applied yet.  Then this guy came in, logged me off and himself on, and went about doing his business (he wanted to show someone the security cameras, which is extra humorous as the security cameras aren’t even on any of the network servers) and then walked away.

So I returned from lunch and nothing seemed to be working quite right.  Everything seemed sluggish, I couldn’t open Resource Monitor (it said I didn’t have permission…), and things just seemed off.  But then I had to leave and return to the main office.  I touched on it again on Friday but couldn’t seem to find a cause.  Finally, today I figured it out when I saw the end user’s name on the start menu.  I called him and asked him if he had logged into a server.  “No.  Not me,” he said.  I gave him some more detail, like the specific time and date, and suddenly his memory was restored.  I told him he wasn’t allowed in the server room at all, much less to touch the servers.  “But the door was open,” he claimed.  A moot point, I said, since none of the doors in the entire office had been put on yet.  That didn’t give him a right to touch it.

So here I am, checking and rechecking everything to see if he did any damage or anything nefarious.
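Two things worth checking in this situation are whether the “Deny log on locally” right from the GPO above has actually landed on the server (it only takes effect once the machine has refreshed policy, which is why the unrebooted box let him in), and who has logged on at the console since the server was built.  The script below is an added example, not part of the original post; it uses only built-in tools (secedit and the Security event log), assumes it is run in an elevated PowerShell session on the server itself, and assumes logon auditing is on (the server default).

```powershell
# Added example (not from the original post). Run elevated on the server.
# Assumes built-in secedit and a Security log with success logon auditing.

# 1. Which accounts does the EFFECTIVE local policy deny interactive logon?
#    A GPO edit only reaches the server after a policy refresh (reboot or
#    'gpupdate /force'), so check on the box itself rather than in GPMC.
function Get-DenyInteractiveLogon {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }      # right not defined: nobody is denied
    # Exported value looks like: SeDenyInteractiveLogonRight = *S-1-5-21-...-513,*S-1-5-32-546
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $id                          # already a name, or an unresolvable SID
        }
    }
}

# 2. Who has logged on at the console (event 4624, logon type 2) recently?
#    Type 2 also covers the DWM-n / UMFD-n window-manager accounts on
#    newer servers, so those and machine accounts are filtered out.
function Get-ConsoleLogons {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $user = $data['TargetUserName']
        if ($data['LogonType'] -eq '2' -and
            $user -notmatch '\$$' -and
            $user -notmatch '^(DWM|UMFD)-\d+$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data['TargetDomainName'])\$user"
                LogonId = $data['TargetLogonId']
            }
        }
    }
}

'Accounts denied "Log on locally" on this server (empty = policy not applied yet):'
Get-DenyInteractiveLogon

'Console logons in the last 7 days:'
Get-ConsoleLogons | Sort-Object Time | Format-Table -AutoSize
```

If the first list is empty on a server that should have the GPO, run `gpupdate /force` (or reboot) and confirm with `gpresult /r` that the server GPO is in the applied list; the second list gives the exact time and account to compare against the user’s story, and the LogonId can be matched to later events from that same session.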

Ugh…end users….