Restricting Logins to W2K Pro

SoulAssassin

So I have a W2K Pro box on a domain that I need to restrict only a certain group access to. The only accounts that should be able to access it are the local admin acct and this domain group (which is in the local admin group). Blocking everyone and keeping this group in the local admin group won't work because, correct me if I'm wrong, permissions are most restrictive in this case and it will block everyone. Modifying the 'log on locally' settings in the local security policy won't work because they're logging on with domain accounts. Allowing only the local admin group NTFS permissions to the \winnt dir (or the C drive as a whole) may work, but that's dirty.

Suggestions welcome.
 

LiLithTecH

Maybe this will help you.

Restricted groups, in the Default Domain Group Policy,
allow you to define the Members and Member Of properties.

The Members list defines who should/should not belong to
the restricted group. The Member Of list specifies which
groups the restricted group should belong to.

When a Restricted Group policy is enforced, any current
member of a restricted group that is not on the Members
list is removed, with the exception of Administrator in
the Administrators group. Any user on the Members list
who is not currently a member of the restricted group is
added.

With Member Of, the Restricted Group is NOT removed from
other groups, but it is added if missing.

The Restricted groups policy can enforce membership of
built-in or user-defined groups, both Global and Domain Local.
When enforced, Restricted groups policy automatically sets any
computer's local group membership to match the membership list
settings defined in the policy, overriding any changes made by
the local computer's Administrator.
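
An added example, not part of either post: a small Python preview of the enforcement rules described in the reply above, so the removals a Members list would cause can be seen before the policy is applied. The group and account names (CORP\BoxAdmins, CORP\HelpDesk and the others) are constructed, the `__Members`/`__Memberof` key form follows the `[Group Membership]` section of a security template, and matching Administrator by name is a simplification.

```python
# Added example: preview what a Restricted Groups policy would change.
# Rules modeled are the ones described in the post; all names are constructed.

SAMPLE_POLICY = r"""
[Group Membership]
Administrators__Members = CORP\BoxAdmins
CORP\HelpDesk__Memberof = Power Users
"""

# Constructed current state of the workstation's local groups (lowercased).
SAMPLE_LOCAL = {
    "administrators": {"administrator", r"corp\domain admins", r"corp\jsmith"},
    "power users": {r"corp\tempuser"},
}

def parse_group_membership(text):
    """Parse '<group>__Members = a,b' and '<group>__Memberof = x,y' lines."""
    policy = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        group, marker, kind = key.strip().lower().rpartition("__")
        if not sep or not marker or kind not in ("members", "memberof"):
            continue  # section headers, blank lines, unrelated keys
        names = {v.strip().lower() for v in value.split(",") if v.strip()}
        policy.setdefault(group, {})[kind] = names
    return policy

def plan_changes(policy, local_groups):
    """Return (removals, additions), each a sorted list of (group, account)."""
    removals, additions = [], []
    for group, rule in policy.items():
        current = local_groups.get(group, set())
        if "members" in rule:  # the Members list is authoritative
            for acct in current - rule["members"]:
                # Exception from the post: Administrator stays in Administrators.
                # Matching by name is a simplification made for this example.
                if (group, acct) != ("administrators", "administrator"):
                    removals.append((group, acct))
            additions += [(group, a) for a in rule["members"] - current]
        for parent in rule.get("memberof", ()):  # Member Of only ever adds
            if group not in local_groups.get(parent, set()):
                additions.append((parent, group))
    return sorted(removals), sorted(additions)

if __name__ == "__main__":
    removed, added = plan_changes(parse_group_membership(SAMPLE_POLICY), SAMPLE_LOCAL)
    print("REMOVE:", removed)
    print("ADD:   ", added)
```

In the sample, Domain Admins and the individual user are dropped from the local Administrators group because they are not on the Members list, while the existing Power Users member is left alone because Member Of never removes anyone.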