RE: Restricting users from logging on to computers outside their OU

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Hi Jeffrey,

There's really two ways you could go about it but both are going to involve
putting all the users in the Distribution OU into one security group, all
the users in the Sales OU into another, etc.

Option 1. One way to accomplish this would be specifying who can logon vs.
who cannot logon. This can be done via a GPO on each of the respective OUs
that defines
Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment\Allow log on locally as the respective security group for that
OU plus of course your Domain Admins group and any local users groups you
may need.

Option 2. Specify who cannot logon locally. This can be done via a GPO
linked to each of the respective OUs that defines
Computer Configuration\Windows Settings\Local Policies\User Rights
Assignment\Deny log on locally


Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Jeffrey" <jeffreyvsmith@xxxxxxxxx>
Newsgroups: microsoft.public.windows.group_policy
Subject: Restricting users from logging on to computers outside their OU
Date: 16 Aug 2006 09:22:59 -0700
Organization: http://groups.google.com

We have quite a few OUs in our active directory setup according to
physical sites. For example, we have a Distribution OU which contains
all users and computers for that building. The same with Sales, the
same with Corporate HQ...Is there a way through group policy that I can
restrict users from logging on to computers outside of their OU? Maybe
setup some kind of security group and deny local logons or something?



.

Relevant Pages

  • Re: Restricting users from logging on to computers outside their OU
    ... putting all the users in the Distribution OU into one security group, ... One way to accomplish this would be specifying who can logon vs. ... Restricting users from logging on to computers outside their OU ... we have a Distribution OU which contains ...
    (microsoft.public.windows.group_policy)
  • Re: Applying to Multiple Computers
    ... I don't have a SBS server here to check, but if my memory serves me correct ... under the domain for computers - then OUs for the various groups (typically ... filtering except when there's no other option. ... I have now tried creating a Security Group in both the "SBS Computers" and ...
    (microsoft.public.windows.group_policy)
  • setting up local logons
    ... We use Server 2003 and almost all our workstations are running winXP SP2 ... belong to specific security groups can logon to the computer on which the ... security group is listed as either in the users/Power Users/ or Admin ... staff, and students to log on, but other computers in the same OU are only ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group Policy Software Installation
    ... If you created a security group and then made the computers in question a ... member of that security group and then added this security group to the ... Share and Security tab it *should* have the same affect as adding the Domain ... permissions but forget about the Security "tab" permissions. ...
    (microsoft.public.windows.server.active_directory)
  • Re: under a domain, how do i give users full control of their work
    ... the OU where your computers are stored in AD Users and Computers and ... Settings - Security Settings - Restricted Groups and you can add that ... Security Group you create that holds all the user accounts to the ... do whatever they want on their on local machines? ...
    (microsoft.public.windows.server.active_directory)