Disallow domain users from logging in using local accounts
1. Prohibit users from logging in with local accounts. The restriction is configured as a computer permission, not an account permission.
- Open Active Directory Users and Computers
- Find the Computers container, which holds all computers that have been joined to the domain.
- Move the computer that should be denied local account login into the created organizational unit (drag the computer onto the organizational unit)
2. Open Group Policy Management
- Expand Forest – Domain – the organizational unit
- Right-click the organizational unit and select Create a GPO in this domain, and Link it here
- Give the GPO a name
- Right-click the GPO you just created and select Edit
- In the Group Policy Management Editor that opens, go to Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – User Rights Assignment – Deny log on locally
- In Deny log on locally, add, in this order, the local administrator account, the Local account group, and the Local account and member of Administrators group group.
3. The policy that prohibits logging in with local accounts on domain users' computers is now set up. If you try to log in with a local account on one of these computers, you are told that the sign-in method you are trying to use is not allowed.
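
To confirm the policy actually reached a computer in the organizational unit, the following added example (not part of the original page) exports the effective user rights with `secedit` and checks the Deny log on locally entry. It assumes the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group) and RID 500 for the built-in Administrator; the function names and the sample export are constructed for illustration.

```powershell
# Added example (not from the original page). Run elevated on a computer in the OU,
# after "gpupdate /force", to confirm the GPO's Deny log on locally entries arrived.

function ConvertTo-SidString([string]$Entry) {
    # secedit writes SIDs as *S-1-... and some accounts by name
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $acct = [System.Security.Principal.NTAccount]$Entry
        $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Entry }   # name not resolvable here: report it unchanged
}

function Test-DenyLocalLogon([string[]]$InfLines) {
    # SeDenyInteractiveLogonRight is the INF key behind "Deny log on locally"
    $line = $InfLines | Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = @(($line -split '=', 2)[1] -split ',' |
                  ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                  ForEach-Object { ConvertTo-SidString $_ })
    }
    [pscustomobject]@{
        LocalAccount         = $sids -contains 'S-1-5-113'   # NT AUTHORITY\Local account
        LocalAccountAndAdmin = $sids -contains 'S-1-5-114'   # ...and member of Administrators group
        BuiltinAdministrator = [bool]($sids -match '^S-1-5-21-.+-500$')  # RID 500
        Entries              = $sids
    }
}

# Constructed sample of a secedit export (the domain SID is made up)
$sample = @(
    '[Privilege Rights]'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545'
    'SeDenyInteractiveLogonRight = *S-1-5-113,*S-1-5-114,*S-1-5-21-1111111111-2222222222-3333333333-500'
)
Test-DenyLocalLogon -InfLines $sample

# Live check on the current computer
if ($env:OS -eq 'Windows_NT') {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    Test-DenyLocalLogon -InfLines (Get-Content $cfg)
    Remove-Item $cfg
}
```

A `False` in any of the three columns on a computer inside the organizational unit means the GPO has not applied or an entry is missing from the policy.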