Active Directory: Authentication

Gonzalo Secco 21 Reputation points
2020-09-11T13:44:06.28+00:00

I have a question:
In my organization we have a requirement for users of a certain OU. Those users should only be able to authenticate to the domain but not access its resources.
You only need to use Active Directory authentication to access certain web applications.

I have not found how to limit access, do you have any ideas?


Answer accepted by question author
  1. Anonymous
    2020-09-15T01:14:07.627+00:00

    Hi, @Gonzalo Secco

    As Thameur said above, if the requirement is that these users cannot log in to domain computers, we can just deploy a group policy, "Deny log on locally", and add the user to the deny scope.
    For example:
    Create a GPO and link it to the OU containing the computers the users can't log on to.
    Edit the GPO as follows:
    [Image: 24732-9151.jpg]

    Please let us know if you would like further assistance.
    Best Regards,


4 additional answers

  1. Thameur-BOURBITA 36,491 Reputation points Moderator
    2020-09-13T22:03:37.98+00:00

    Hi,

    By default, when you create a simple domain user, he will have only the read right on all Active Directory objects, so he is unable to modify any object in the domain.

    So, you don't need to perform any action to limit user access, because he doesn't have any access by default.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.


  2. Anonymous
    2020-09-14T00:46:09.333+00:00

    Hi,

    Based on my research, if you want to limit access to domain objects, you can consider using the delegation control on the domain or an OU:
    Add the users to a security group, and assign the permissions you want.
    [Image: 24259-9142.jpg]
    [Image: 24285-9143.jpg]
    If you want to limit access to the resources on file servers or other resources, I'm afraid you have to limit the access from the resource side (the share permission and the NTFS permission).

    Best Regards,


  3. Gonzalo Secco 21 Reputation points
    2020-09-14T14:50:45.96+00:00

    One of the requirements is that these users cannot log in to domain computers. But they must be able to authenticate to the domain.
    The "Log On To" option is not functional for me.


  4. Thameur-BOURBITA 36,491 Reputation points Moderator
    2020-09-14T20:18:41.063+00:00

    Hi,

    You can set a GPO to be applied on domain computers to deny log on locally for this user:

    deny-log-on-locally

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.
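
A way to verify the "Deny log on locally" setting recommended in the answers above, as an added example that is not part of the original thread: it parses a `secedit` user-rights export and checks whether a given SID is listed under `SeDenyInteractiveLogonRight`. The function names, the export path, the sample export, the domain SID and the `WebApp-Only-Users` group are constructed for illustration.

```powershell
# Added example: is a principal listed under "Deny log on locally"
# (SeDenyInteractiveLogonRight) in a security-policy export?
# Real input: from an elevated prompt on the target computer run
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then pass (Get-Content C:\Temp\rights.inf -Raw) as -InfText.

function Get-DenyLocalLogonEntry {
    param([Parameter(Mandatory)][string]$InfText)
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*SeDenyInteractiveLogonRight\s*=\s*(.*)$') {
            # Comma-separated entries; SIDs carry a leading '*'.
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()  # right not defined in the export: no one is denied
}

function Test-DenyLocalLogon {
    param(
        [Parameter(Mandatory)][string]$InfText,
        [Parameter(Mandatory)][string]$Sid,  # SID of the user or group
        [string]$Name                        # optional account-name form
    )
    foreach ($entry in (Get-DenyLocalLogonEntry -InfText $InfText)) {
        if ($entry -ieq $Sid -or ($Name -and $entry -ieq $Name)) { return $true }
    }
    return $false
}

# Constructed sample export; the domain SID below is a placeholder.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical "WebApp-Only-Users" group that should be denied local logon.
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Test-DenyLocalLogon -InfText $sample -Sid $groupSid        # group is in the deny list
Test-DenyLocalLogon -InfText $sample -Sid 'S-1-5-32-545'   # BUILTIN\Users is not
```

The check matches entries literally, so a user who is denied through group membership appears in the export only as the group's SID.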
