Re: allow 1 user to logon ONLY to 1ou



Yes,

I have 1 user that I want to ONLY log into say 30 machines. So for example I
want "IS_user" to only be able to logon to the "public computers" of the
Athletics Dept. Can I do a "Deny Login" at the highest level of my AD and
then give it "log on locally" to that one group only? So that user can't log
in to the Finance Dept machines or any other department.

If so how long will it take to push through the Group Policy because I tried
it before and it didn't deny it at all. Maybe I didn't save it correctly or
execute the GPO. Please do not be afraid to talk me through baby steps as I
am not very skilled in GPO editing.

A sample of my AD structure is this (indented to show the OU nesting):

School.edu
  -All Accounts
    -computers
    -contacts
    -departments
      -Athletics
        -dept computers
        -email accounts
        -faculty
        -public computers
        -private computers
        -staff
      -finance
        -dept computers
        -email accounts
        -faculty
        -public computers
        -private computers
        -staff
      -IT
        -dept computers
        -email accounts
        -faculty
        -public computers
        -private computers
        -staff
  -ALL Groups
  -BuiltIn
  -Computers

"Anthony [MVP]" wrote:

Basically your problem is that by default the domain user can log onto
computers.
Depending on exactly what you need to do, you can use the Group Policy
Computer Configuration, User Rights Assignment to control this. You can
either permit or deny to log on locally.
For example, on all OUs except the ones you want, you can add the user to
the Deny Logon Locally policy.
Hope that helps,
Anthony,
http://blogs.airdesk.com/airdesk



Create a policy

"Caesar" <Caesar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AD30A93F-1D18-45B6-B41C-AD5CE4457374@xxxxxxxxxxxxxxxx
I have 1 user named "IA_User" that needs to logon to the 15 or so machines
inside of 1 or 2 OUs on my network. I have probably another 100 OUs of
computers that we do not want this user to be able to logon to.

I don't want to use the "Logon To" button in AD because if the computers
get added or deleted (moved) we don't want to have to change the settings in
AD each time as that would get messy. I am also thinking that once done we
may get more requests so I don't want to have to manually check 50 accounts
every time a computer gets added or pulled off the network.

thanks


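Both the question ("will a Deny Login at the top of AD plus log on locally on one OU work, and did my GPO even apply?") and Anthony's answer (put the user in "Deny log on locally" everywhere except the OUs you want) come down to what the effective user-rights assignment is on a given machine. The script below is an added example, not code from the thread or from any poster; it is one way to check that on a test machine from the Finance OU and one from the Athletics public computers OU. It assumes the domain NetBIOS name SCHOOL and the account name IS_user as placeholders, and relies only on secedit.exe, which ships with Windows and can export the local security database, including the rights that Group Policy has applied.

```powershell
# Added example (not from the thread): audit the effective "Log on locally" and
# "Deny log on locally" user rights on the machine this runs on and report
# whether a given account is explicitly blocked. Run from an elevated prompt
# after "gpupdate /force" so the export reflects the latest Group Policy.
param(
    # Account to check. "SCHOOL\IS_user" is a placeholder for the thread's account.
    [string]$Account = 'SCHOOL\IS_user'
)

function Get-LocalUserRights {
    # Export only the user-rights area of the local security policy and parse the
    # [Privilege Rights] section into a hashtable of right-name -> account names.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            $entries = @()
            # Entries are comma separated; SIDs are prefixed with '*', plain names are not.
            foreach ($e in ($Matches[2] -split ',')) {
                $e = $e.Trim()
                if ($e -eq '') { continue }
                if ($e.StartsWith('*')) {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                    try   { $entries += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entries += $sid.Value }   # unresolvable SID (deleted account, no DC reachable)
                } else {
                    $entries += $e
                }
            }
            $rights[$name] = $entries
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-InteractiveLogonBlocked {
    param([string]$Account, [hashtable]$Rights)
    # SeInteractiveLogonRight is "Allow log on locally"; SeDenyInteractiveLogonRight
    # is "Deny log on locally". A deny always wins over an allow.
    $allow = @($Rights['SeInteractiveLogonRight'])
    $deny  = @($Rights['SeDenyInteractiveLogonRight'])
    [pscustomobject]@{
        Account           = $Account
        DenyLogOnLocally  = ($deny  -join '; ')
        AllowLogOnLocally = ($allow -join '; ')
        ExplicitlyDenied  = ($deny  -contains $Account)
        ExplicitlyAllowed = ($allow -contains $Account)
    }
}

$rights = Get-LocalUserRights
Test-InteractiveLogonBlocked -Account $Account -Rights $rights | Format-List
```

Two things the output will make visible. First, user-rights settings in Group Policy are not merged: when more than one GPO defines "Deny log on locally", the one applied last (closest to the computer, unless a higher link is marked Enforced) replaces the whole list. So a deny linked at the domain level is not cancelled by granting "Allow log on locally" in the Athletics OU; the deny still wins. The pattern that matches Anthony's advice is a GPO on the Athletics public computers OU that defines "Deny log on locally" without IS_user, which overrides the domain-level list on those machines only. Second, if the script shows no deny at all on a Finance machine, the policy has not been applied yet: run `gpupdate /force` on that machine (background refresh otherwise happens roughly every 90 minutes, plus a random offset of up to 30 minutes) and use `gpresult /r` to confirm the GPO name appears under applied computer settings. The script only reports explicit entries for the account; a deny or allow that reaches IS_user through a group membership shows up under that group's name in the same lists.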