
How AD parses user names in GPO processing...?

We have the typical problem of how to deny a local server account from being able to log on interactively or remotely to any server in the domain, using a domain GPO.

My understanding was that when AD processes something like the Deny Local Logon user rights assignment in a GPO, it reads the account name, looks up the SID for that account in the domain, and then matches that SID to the SID of the account that's trying to log on. Then if the SID matches, access is denied. In that scenario it's not possible to use a domain GPO to deny logon access to the local account, because AD doesn't know about the SIDs of locally defined IDs on member servers.

However, someone recently told me that the matching is not done using the SID but instead using the actual user or group name (string). Is this correct? Let's say I create a local account called 'Localservice' on a member server and then add just 'Localservice' (not domain\Localservice) to the list of users in a domain GPO that denies interactive logon to all servers. The suggestion would be that anyone attempting to log on to any server with any ID called 'Localservice' would be denied access?

Is this string-matching explanation correct?
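Whatever the answer to the question, the thing a practitioner can verify directly is what the deny-logon rights actually resolved to on a given member server after Group Policy was applied. The following PowerShell script is an added example, not part of the original post or from any product documentation. It exports the effective local user-rights policy with secedit, parses the [Privilege Rights] section, and for each "SeDeny*" right lists every entry, translating SIDs back to names on that host and flagging any entry whose SID equals the SID of the local account named in the question. The account name 'Localservice', the list of rights checked, and the temporary file path are assumptions taken from the question or chosen for the example; the script must be run elevated on the member server being inspected.

```powershell
# Added example (not from the original post): inspect the effective deny-logon
# user rights on this member server and see whether a given LOCAL account's SID
# appears in them. Assumes an elevated PowerShell session on the member server.

$AccountName = 'Localservice'   # local account from the question; substitute your own
$DenyRights  = @(
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyBatchLogonRight',
    'SeDenyServiceLogonRight'
)

# secedit writes the exported template as a UTF-16 .inf file.
$inf = Join-Path $env:TEMP 'effective-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Resolve the local account's SID on THIS host (same lookup LSA performs locally).
$localSid = $null
try {
    $acct     = [System.Security.Principal.NTAccount]"$($env:COMPUTERNAME)\$AccountName"
    $localSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Write-Output "Local account $AccountName resolves to $localSid on $($env:COMPUTERNAME)"
} catch {
    Write-Warning "Account $AccountName does not resolve on $($env:COMPUTERNAME): $_"
}

$lines = Get-Content -Path $inf -Encoding Unicode

foreach ($right in $DenyRights) {
    # Lines look like:  SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...-1001
    $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    if (-not $line) {
        Write-Output "$right : (not defined on this host)"
        continue
    }

    Write-Output "$right :"
    $entries = (($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # Entries prefixed with '*' are SIDs; translate back to a name where possible.
            $sid = $entry.Substring(1)
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(SID does not resolve on this host)'
            }
            $flag = ''
            if ($localSid -and ($sid -eq $localSid)) { $flag = '   <== matches the local account' }
            Write-Output ("  SID  {0,-48} -> {1}{2}" -f $sid, $name, $flag)
        } else {
            # A bare name (no '*') was stored as a string rather than a resolved SID.
            Write-Output ("  NAME {0}" -f $entry)
        }
    }
}

Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Run this on two different member servers that each have a local 'Localservice' account: the local SIDs differ per machine (each host's machine SID prefix is different), so comparing what the deny lists contain on each host against that host's own local SID is the direct test of whether the policy took effect for the local account there. The plain-name branch is included because a security template can carry an unresolved name as a bare string; whether such an entry appears, and what it resolves to, is exactly what this check surfaces.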
