I have a GPO to deny interactive logon linked to Servers OU. In the policy, I'm denying interactive logon to an AD Group called "Deny interactive logon" (I know creative).
This policy IS NOT linked to the Domain Controllers OU.
Yet when I put a domain admin in this group, the policy applies and the domain admin CANNOT RDP to the DC.
Troubleshooting steps
Look at all GP's linked to the Domain Controllers container and none has Deny Interactive Login Setting
Ran a GPO modeling with the DA account and the DC ...exported the report html and search for anything "DENY" and nothing exists in the report with that word
I'm at a lost here why this is being applied to domain controllers when the GP is NOT linked to the domain controller container.
Help please!
