On 10/3/19 10:28 AM, Emil Petersson wrote:
Hi,
The docs for ad_gpo_implicit_deny reads:
"Normally when no applicable GPOs are found the users are allowed access. When this
option is set to True users will be allowed access only when explicitly allowed by a GPO
rule. Otherwise users will be denied access. This can be used to harden security but be
careful when using this option because it can deny access even to users in the built-in
Administrators group if no GPO rules apply to them."
In my case, there are GPOs found, it's just that none of them touches
RemoteInteractiveLogonRight or DenyRemoteInteractiveLogonRight.
Does ad_gpo_implicit_deny work in such a way that it's only effective when no (0)
GPOs are found? That might explain the behaviour I'm seeing. If this is the case, I
suggest that ad_gpo_implicit_deny should be effective also when none of the detected GPOs
explicitly allows or denies remote logon.
Sorry, I missed your response.
You are right the ad_gpo_implicit_deny only works when there is not
policy found on the server that applies to the user (0 GPOs applicable).
If there is a GPO that is applicable, but does not contain any
access control rules then the ad_gpo_implicit_deny does not kick in.
I completely missread the logs you send before. I gave the feature
a smoke test and it worked for me.
Michal