Thanks Laura

Yes, all of our servers are in a server OU which is then split into various OUs for specifics (Application, SQL, Citrix, DC, etc.), so a GPO will flow down to all the sub-OUs except for the one that we have intentionally blocked all policies from.

Also, to clarify, the account is the default Domain Admin account, which was renamed in the early years, so I can't just change the "Log On To..." option in the Account tab of the account. However, I'm thinking I might also be able to rename the account to something else, then create a new domain admin account with the same name and restrict it; there shouldn't be any problems restricting a normal account in the domain admin group to certain servers / workstations.

Sorry, forgot to reply to all :(

Thanks
Dallas

-----Original Message-----
From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 November 2005 1:31 PM
To: Hindle, Dallas; [email protected]
Subject: RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's

Well, you can do this with Group Policy, but it's really going to depend on your OU structures. Assuming all of the machines/software using this account are servers, do you have your servers in a single OU structure? If this is the case, I can give you more information, but it's gonna be a lot of typing if this isn't the case, so I'll wait for your reply. :-)

Laura

> -----Original Message-----
> From: Hindle, Dallas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 10, 2005 8:16 PM
> To: [email protected]
> Subject: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's
>
> Hi all
>
> I assumed this was easy but I must be missing something...
>
> I have a domain admin account that is used for services, SQL processes, scheduled tasks and for automated logons for some proprietary software... This account has had the password leak out to a 3rd party who has decided to share it with other people in the company.
>
> As I'm sure you agree, I need to get this account locked down ASAP. I want to prevent logon to this account from any PCs other than the ones I authorise, and I thought this was a simple process. I don't know what I'm missing, but if anyone has any suggestions it would be much appreciated.
>
> Thanks
>
> Dallas
