Re: better way to limit users/group to logon to specific workstati



OK, I see what you mean. You can still do it in policy, but with the Deny
logon locally setting, and apply it to all computers except the ones you
want them to log on to. You would apply this policy to all computers, but
in the Security tab of the policy you would Deny the policy to the group of
computers that you wanted them to be able to log on to. So the Deny policy
will be denied to them. Make sure you test in a Test OU with test account
and test computer!
Following your own idea, you could also script it by maintaining a list of
allowed computers and writing them to that AD Account field. You could
administer it by maintaining membership of a group of computers and a group
of users, then in the script "unpacking" the group membership. It sounds a
very cumbersome process though. You need it to apply to a group of users,
but you would need to run it so that it takes effect whenever you change the
list of users or the list of computers.
Hope that helps,
Anthony, http://www.airdesk.co.uk
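The scripted alternative described above (maintain one group of users and one group of computers, "unpack" both, and write the computer list into each user's Logon Workstations field), worked through as an added PowerShell example that is not part of the thread; the two group names and the -WhatIf are assumptions, and the script is meant to run as a scheduled task so it picks up membership changes:

```powershell
# Added example (not from the thread): rebuild each restricted user's
# "Logon Workstations" (userWorkstations attribute) from two AD groups.
# Group names below are assumed placeholders; substitute your own.
Import-Module ActiveDirectory

$UserGroup     = 'Restricted-Logon-Users'        # assumed name
$ComputerGroup = 'Restricted-Logon-Workstations' # assumed name
$MaxEntries    = 64   # the ADUC "Logon Workstations" dialog accepts at most 64 names

# "Unpack" group membership recursively so nested groups also count.
$users = Get-ADGroupMember -Identity $UserGroup -Recursive |
         Where-Object objectClass -eq 'user' |
         Get-ADUser -Properties LogonWorkstations

$computers = Get-ADGroupMember -Identity $ComputerGroup -Recursive |
             Where-Object objectClass -eq 'computer' |
             ForEach-Object { $_.name } |   # NetBIOS name without the trailing '$'
             Sort-Object -Unique

# Safety checks before touching any account.
if ($computers.Count -eq 0) {
    throw "No computers in '$ComputerGroup'; refusing to clear every user's workstation list."
}
if ($computers.Count -gt $MaxEntries) {
    Write-Warning "$($computers.Count) computers exceeds the $MaxEntries-entry limit of the ADUC dialog."
}

# The attribute is a single comma-separated string of NetBIOS names.
$desired = $computers -join ','

foreach ($u in $users) {
    # Skip accounts that already match, so repeated runs do not rewrite AD needlessly.
    if ($u.LogonWorkstations -eq $desired) { continue }
    Write-Host "Updating $($u.SamAccountName): '$($u.LogonWorkstations)' -> '$desired'"
    # -WhatIf is an assumption for a first dry run in a test OU; remove it to apply.
    Set-ADUser -Identity $u -LogonWorkstations $desired -WhatIf
}
```

Users removed from the user group keep their old list until you clear it, so a full implementation would also enumerate accounts that still carry a LogonWorkstations value but are no longer members.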


"baileyk9" <baileyk9@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D230D93-88A2-4F91-89BC-CDF0500FDE2A@xxxxxxxxxxxxxxxx
Anthony - appreciate your input.

Your solution is a valid approach; however, we're really hoping to do this
based on the user account, instead of messing with local policy on all our
(other) machines. We're not trying to secure a subset of machines (your
solution is perfect for that); we're trying to limit a subset of users to a
subset of PCs (that anyone else can still also log on to).

In other words, instead of: "here's a set of machines and only these
accounts can log on to them" (the way I read your solution),
we want: "here's a set of accounts and they can only logon to these
machines" .

Basically, we want the equivalent approach to the user account "Logon
Workstations" attribute - applying to the user accounts (or group or OU)
instead of the computers themselves, except using GPO instead of the
account properties.

??

thanks
< Bailey

"Anthony" wrote:

Hi Bailey,
You can control who can log on to a computer with the User Rights
Assignment setting, Log on Locally. This is a computer policy, and by
default includes the local group Users, which by default in a domain
contains domain users. You can remove Users, and add whatever group you
want. Or you can control membership of the local group Users.
Apply this policy to an OU where the computers are. You can either create
a dedicated OU, or you can control which computers the policy applies to
by editing the Security of the Group Policy Object. By default it is read
and applied by Authenticated Users, which includes all computers. In the
policy Security tab, you can remove (or uncheck) Authenticated Users and
add the computer group you want the policy to apply to.
Hope that helps,
Anthony, http://www.airdesk.co.uk



"baileyk9" <baileyk9@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D714436-E9E3-4A44-892B-F1407D95A80F@xxxxxxxxxxxxxxxx
Is there a better way to do this:
We limit a set of user accounts to logging on to specific workstations
by using the "Logon Workstations" property of each of those user accounts.
Seeking advice on a more manageable solution - using GPOs, and/or
restructuring our OU's for these resources if necessary.

scenario: 15-20 user accounts, and 50-60 workstations that they can log
on to (10-20 per user account, but it would be OK to give them access to
all 50-60 workstations, since they are at different locations and will
never be able to log on to those outside their site anyway). Managing
this is a mess as the list of PCs they can log on to changes (PCs are
added to or removed from service).

Seems like putting all the restricted users in one OU, with the
restricted computers that they can access in another OU, and limit their
access via group policy? I understand GPOs, but don't know what GPO to
use/create or if this is the best approach.
Any ideas greatly appreciated!!








