– At the DC level (deny authentication): in ADUC, open the user object’s properties, choose "Log On To" and add the list of computers; this works for Windows and also for Unix-based computers that can authenticate against a Domain Controller (Centrify, Vintela, Kerberos v5, Samba)
– By GPO (client side):
Security Settings, Local Policies, User Rights Assignment, Deny log on locally, Deny access to this computer from the network; this works only for Windows-based computers
Note: this policy is not understood by the Centrify-based agent on a Unix box!
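The DC-level restriction above can also be set and audited from PowerShell. This is an added example, not part of the original note; it assumes the ActiveDirectory RSAT module is available, and the account name 'svc-backup', the computer names and the choice of the 'Domain Admins' group are placeholders.

```powershell
# Added example: account and computer names are placeholders (assumptions).
Import-Module ActiveDirectory

# Restrict one account to a fixed list of computers. This writes the same
# value that the ADUC "Log On To" dialog writes (the userWorkstations attribute).
# -LogonWorkstations expects a single comma-separated string.
$allowed = 'ADMINWS01', 'ADMINWS02'
Set-ADUser -Identity 'svc-backup' -LogonWorkstations ($allowed -join ',')

# Audit: for every user in a privileged group, show whether a workstation
# restriction is set and which computers it names. An empty value means
# the account can authenticate from any computer.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties LogonWorkstations
    } |
    Select-Object SamAccountName,
        @{ Name = 'Restricted';       Expression = { [bool]$_.LogonWorkstations } },
        @{ Name = 'AllowedComputers'; Expression = { $_.LogonWorkstations -split ',' } }
```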
To restrict access to a Unix-based computer:
– Use Centrify DirectAuthorize 2011 / 2012
Note: Centrify 2012 brings more flexibility in terms of rights and roles; DZ applies roles and rights at the PAM level
– Normal way on a Unix-based computer: PAM files, /etc files