Re: Blocking a group of users from logging onto a wkstn.

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 04/07/04 

Date: Wed, 7 Apr 2004 08:06:04 -0400

Guys,

Sorry that I was MIA last night. Had a lot of work to do after hours at one
of our main clients. My wife called me while I was there to let me know
that our Internet connection was not working and I just now fixed it.

Anyway, I might explore the Restricted Groups method. I posted the link in
my reply to Herb. Here is it again just in case...

http://support.microsoft.com/?id=320065

It might be a way to resolve this for you without having to go through my
first suggestion....Herb is right in that can be very tedious and ugly, even
if you were to use ldifde to help you....

Cary
"Herb Martin" <news@LearnQuick.com> wrote in message
news:ekb2ZhFHEHA.3276@TK2MSFTNGP09.phx.gbl...
>
>
> --
> Herb Martin
> "Glenn C" <anonymous@discussions.microsoft.com> wrote in message
> news:1F385A0B-8CDA-4BE8-9B14-31A6E4CE8FAB@microsoft.com...
> > Sorry I guess I should have been more detailed...
> > I have 650 wkstns, 2500 users, these are all in a domain broken down by
> each school (12). I want to block all students from logging onto a few
> specific machines (admin) computers. The student GPO is globally the same
> for all sites so this would affect all the sites if modified, the same
with
> the teacher GPO.
>
> You can make additional GPOs if we can find an easy way
> for you to accomplish the goal.
>
> >So I was wondering if in active dirrectory users and computers I can
> elimated say the authenticated users from specific machines in the
> security tab and just add the teacher group?
>
> No, "Authenticated Users" is an AUTOMATIC group like
> Everyone, but essentially this idea is what Cary and I were
> discussing for you but using Users membership on the
> workstations and a group, either new and existing to
> grant the right ONLY to them by adding them to "Users"
> and removing the default "Domain Users" from it.
>
> > Or if you can think of any way to accomplish this. I know the brain food
I
> have been eating has not helped me lately except my girth...
>
> We can accomplish it -- by modifying the group memberships,
> but it is tedious -- changing each machine so we are trying to
> figure out a way to do it with GPOs using the Restricted
> Group feature.
>
>

Relevant Pages

  • Re: slow log in
    ... > From time to time I need tools to accomplish my task. ... > application for logging the scripts and application of the GPO from the ... > "Herb Martin" wrote in message ...
    (microsoft.public.win2000.networking)
  • Re: Blocking a group of users from logging onto a wkstn.
    ... There is a MSKB Article that shows you how to do this ... > Just remember that you are not restricted to the local Administrators ... > "Herb Martin" wrote in message ... >> the domain GPO to specify the membership of a MACHINE ...
    (microsoft.public.win2000.active_directory)
  • Re: Block Games by using group policy
    ... or use the GPO to set the permissions. ... > "Herb Martin" wrote: ... >> It is possible to specify which programs a user can run ...
    (microsoft.public.windows.server.active_directory)
  • Re: GPO & IPSEC question
    ... "Herb Martin" wrote in message ... >> GPO Comparison ... >> any easy compare by running the GPO against the original saved one. ... What if your Root CA is offline and you want to use a sub ...
    (microsoft.public.windows.server.security)
  • Re: Published apps categories
    ... John, within Group Policy Object Editor (when you edit a GPO in the domain) ... Categories tab, Click Add to add the particular Category. ... "Herb Martin" skrev i meddelandet ...
    (microsoft.public.windows.server.active_directory)