This tutorial contains step-by-step instructions on how to prevent domain administrators from logging on locally to domain-joined computers (workstations).
Domain Admins have, by default, administrative permissions on every computer in the domain. This increases the security risk, because if a single domain administrator account is compromised, the attacker can gain control of every machine in the domain. Therefore, preventing domain administrators from logging on locally to domain computers is a best practice for reducing this security risk.
* Info: By not allowing domain administrators to log on locally to workstations, you increase the security of your network without losing the ability to perform other administrative tasks (e.g. managing workstations from “Active Directory Users and Computers”).
How to Deny Domain Admins Local Logon on Active Directory Domain Computers via Group Policy (Server 2016/2019).
To prevent domain administrators from logging on locally to domain computers:
1. Open Server Manager and from the Tools menu open the Group Policy Management.
2. In Group Policy Management, either edit the Default Domain Policy or, better, create a new Group Policy Object for the entire domain or just for the OU that contains the computers on which you want to deny domain admins local logon.*
* Note: In this example, we deny domain admins local logon by creating a new GPO linked to a specific OU called “Workstations”, which contains all the domain computers where we want this policy to apply.
3. Right-click and select Create a GPO in this domain, and Link it here…
4. Name the new GPO “Deny Domain Admins to Logon Locally” and click OK.
5. Now edit the newly created GPO.
6a. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
6b. Now open the Deny log on locally policy.
7. Enable (check) the option “Define these policy settings” and then click Add User or Group.
8a. Click the Browse button.
8b. Type “Domain Admins” and click Check Names.
8c. Then click OK and OK again to save the change.
9. Click Apply > OK to save the GPO.
10. Close all the Group Policy Management windows.
11. Finally, open Command Prompt as Administrator and run the following command to apply the changes (or restart the workstations):
- gpupdate /force
12. From now on, every time a domain administrator tries to sign in locally to a workstation, they will get the error:
“The sign-in method you’re trying to use isn’t allowed. For more info, contact your network administrator.”
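The same result can be scripted and, more importantly, verified. The following PowerShell is an added example and not part of the original guide: the first function creates and links the GPO from steps 3 and 4 using the RSAT GroupPolicy module, and the second function checks on a workstation, after gpupdate /force, that the “Deny log on locally” right (stored internally as SeDenyInteractiveLogonRight) actually contains the Domain Admins group. The OU distinguished name is a placeholder you must replace; the GPO name is the one used in the guide. The user right itself (steps 6 to 8) is still set in the Group Policy editor, because it lives in the GPO's security template rather than in a registry-backed setting.

```powershell
# Added example: create/link the GPO and verify the resulting user right.
# Assumptions (not from the article): RSAT GroupPolicy module is installed on the
# management host, the OU DN below is a placeholder, and the verification
# function runs in an elevated prompt on a domain-joined workstation.
Import-Module GroupPolicy

$GpoName  = 'Deny Domain Admins to Logon Locally'
$TargetOU = 'OU=Workstations,DC=example,DC=local'   # placeholder, replace with your OU

function New-DenyLocalLogonGpo {
    param(
        [string]$Name = $GpoName,
        [string]$OU   = $TargetOU
    )
    # Steps 3-4 of the guide: create the GPO only if it does not exist yet
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Denies Domain Admins interactive logon on workstations'
    }
    # Link it to the OU, skipping the link if it is already present
    $alreadyLinked = (Get-GPInheritance -Target $OU).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $Name -Target $OU -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

function Test-DenyLocalLogon {
    param([string]$Group = 'Domain Admins')
    # Export the effective local security policy (user rights area only)
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # User rights are stored as *SID entries, so resolve the group to its SID.
    # $env:USERDOMAIN is assumed to be the workstation's domain.
    $account = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$Group"
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }   # right not defined at all on this machine

    # Entries look like "*S-1-5-21-...-512,*S-1-5-..."; strip the leading '*'
    $entries = ((($line -split '=', 2)[1]) -split ',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool](($entries -contains $sid) -or ($entries -contains "$env:USERDOMAIN\$Group"))
}

# Usage on the management host:
#   New-DenyLocalLogonGpo
# Usage on a workstation after "gpupdate /force":
#   Test-DenyLocalLogon    # $true once the policy has applied
```

Two caveats worth checking before rolling this out: link the GPO to the workstation OU only, never to the domain root or the Domain Controllers OU, because Domain Admins still need to log on to the domain controllers; and “Deny log on locally” blocks only interactive (console) sign-in, so Remote Desktop sessions are governed by the separate “Deny log on through Remote Desktop Services” right, and network, batch and service logons by their own rights.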
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.