Re: better way to limit users/group to logon to specific workstations?

Tech-Archive recommends: Speed Up your PC by fixing your registry

Howdie!

baileyk9 schrieb:
Is there a better way to do this:
We limit a set of user accounts to logging on to specific workstations by using the "Logon Workstations" property of each of those user accounts. Seeking advice on a more manageable solution - using GPOs, and/or restructuring our OU's for these resources if necessary.

scenario: 15-20 user accounts, and 50-60 workstations that they can log on to (10-20 per user account, but it would be OK to give them access to all 50-60 workstations, since they are at different locations and will never be able to log on to those outside their site anyway). Managing this is a mess as the list of PCs they can log on to changes (PCs are added to or removed from service).

Best thing would be, if you could group the machines in OUs and the users that access it by security groups. That way, you could easily work with Anthony's suggestion, linking a Group Policy to the machine's OU and assign the "Allow log on locally" right to the security group you created for the appropritate users:

CompConf\Security Settings\Local Policies\User Rights Assignment\

You then need to remove the "Authenticated Users" from the list. Be sure to keep an option for you and your IT guys to log on to those machines.

....and beware of the "Deny log on locally" policy. I've seen many people locking themselves out with that. Best thing is you better leave it alone and work with "Allow log on locally" as described.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
.

Relevant Pages

  • Synchronizing problems, Icons not dissapearing, redirection proble
    ... I am running a Windows 2000 Server machine ... workstations are running Windows XP. ... The user accounts are located under the container. ... logged in to his account, in a different station or the same one, the icons ...
    (microsoft.public.windows.server.active_directory)
  • Re: better way to limit users/group to logon to specific workstati
    ... We limit a set of user accounts to logging on to specific workstations by ... That way, you could easily work ... Microsoft MVP - Windows Server - Group Policy. ...
    (microsoft.public.windows.group_policy)
  • Re: better way to limit users/group to logon to specific workstati
    ... using the "Logon Workstations" property of each of those user accounts. ... That way, you could easily work ... Microsoft MVP - Windows Server - Group Policy. ...
    (microsoft.public.windows.group_policy)
  • Re: Does anyone truly use Restricted User Accounts?
    ... > local administrator privileges, after Jeff Middleton announced that it was ... > is to make the distinction between user accounts and users. ... >> workstations and network. ... >> user to have local Admin rights. ...
    (microsoft.public.windows.server.sbs)
  • Re: File Share Security
    ... In a Windows 2000 domain default installation a domain ... workstations to the domain" in Domain Controller Security Policy under user rights. ... Perhaps you were thinking of user accounts. ... communications] is required and laptop does not have it configured, ...
    (microsoft.public.win2000.security)