Re: allow 1 user to logon ONLY to 1ou
- From: "Anthony [MVP]" <anthony@xxxxxxxxxxxx>
- Date: Wed, 22 Oct 2008 08:58:05 +0100
The thing with Group Policies and OU's is that you have to have a logical structure. If you want a user to log on to all except X, how are you going to define X? If you want a user to log on to only Y, how will you define Y?
As you say, you can add computers to the logon list in the user's account, but you can't put the OU name in there.
Anthony
http://www.airdesk.com
"Caesar" <Caesar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:20E5A154-0C77-46A4-BCF6-16365FD35980@xxxxxxxxxxxxxxxx
Anthony,
First of all, thank you for your help, however I wanted to avoid that in the
case of other OU's being added and it would be more work to set up. We want
the simplest seeming solution. I know in AD there is an option to add the
only computers a user is allowed to login to. Can I put the OU name(s) in
there that I want the user to login to? If so what would I use for the name?
"Anthony [MVP]" wrote:
Then you would create a "Deny Logon locally" policy for this user and apply
it to all computers except the 30.
Anthony,
http://www.airdesk.com
"Caesar" <Caesar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5E88589A-8A2C-452F-A607-6A8A7DBD455A@xxxxxxxxxxxxxxxx
> Yes,
>
> I have 1 user that I want to ONLY log into say 30 machines. So for example I
> want "IS_user" to only be able to logon to the "public computers" of the
> Athletics Dept. Can I do a "Deny Login" at the highest level of my AD and
> then give it "log on locally" to that one group only? So that user can't log
> in to the Finance Dept machines or any other department.
>
> If so how long will it take to push through the Group Policy because I tried
> it before and it didn't deny it at all. Maybe I didn't save it correctly or
> execute the GPO. Please do not be afraid to talk me through baby steps as I
> am not very skilled in GPO editing.
>
> A sample of my AD structure is this
>
> School.edu
>   -All Accounts
>   -computers
>   -contacts
>   -departments
>     -Athletics
>       -dept computers
>       -email accounts
>       -faculty
>       -public computers
>       -private computers
>       -staff
>     -finance
>       -dept computers
>       -email accounts
>       -faculty
>       -public computers
>       -private computers
>       -staff
>     -IT
>       -dept computers
>       -email accounts
>       -faculty
>       -public computers
>       -private computers
>       -staff
>   -ALL Groups
>   -BuiltIn
>   -Computers
>
> "Anthony [MVP]" wrote:
>
>> Basically your problem is that by default the domain user can log onto
>> computers.
>> Depending on exactly what you need to do, you can use the Group Policy
>> Computer Configuration, User Rights Assignment to control this. You can
>> either permit or deny to log on locally.
>> For example, on all OU's except the ones you want, you can add the user
>> to the Deny Logon Locally policy.
>> Hope that helps,
>> Anthony,
>> http://blogs.airdesk.com/airdesk
>>
>> Create a policy
>>
>> "Caesar" <Caesar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:AD30A93F-1D18-45B6-B41C-AD5CE4457374@xxxxxxxxxxxxxxxx
>> > I have 1 user named "IA_User" that needs to logon to the 15 or so
>> > machines inside of 1 or 2 OUs on my network. I have probably another 100
>> > OUs of computers that we do not want this user to be able to logon to.
>> >
>> > I don't want to use the "Logon To" button in AD because if the computers
>> > get added or deleted (moved) we don't want to have to change the settings
>> > in AD each time as that would get messy. I am also thinking that once
>> > done we may get more requests so I don't want to have to manually check
>> > 50 accounts every time a computer gets added or pulled off the network.
>> >
>> > thanks
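An added check, not from the thread, for the point that the deny policy "didn't deny it at all": on a member computer, after gpupdate /force, export the effective User Rights Assignment with secedit and confirm the account's SID actually appears in SeDenyInteractiveLogonRight, the setting behind "Deny log on locally". The domain name and account name are assumptions; adjust them to your environment.

```powershell
# Added example: verify whether "Deny log on locally" (SeDenyInteractiveLogonRight)
# is in effect for an account on this computer. Run in an elevated session.
param(
    [string]$Account = 'SCHOOL\IS_user'   # assumed DOMAIN\user from the thread; adjust
)

# Export only the USER_RIGHTS area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The line looks like: SeDenyInteractiveLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output "SeDenyInteractiveLogonRight is not set on $env:COMPUTERNAME; no deny GPO applied here."
    return
}

# Resolve the target account to its SID so we compare SIDs, not display names.
$targetSid = (New-Object System.Security.Principal.NTAccount($Account)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Entries are '*SID' tokens or plain names; translate SIDs to names for display.
$entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $e = $_.Trim()
    if ($e.StartsWith('*')) {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $e }   # unresolvable SID (e.g. deleted account) is shown raw
    } else { $e }
}

$denied = ($line -match [regex]::Escape("*$targetSid")) -or ($entries -contains $Account)

Write-Output "Deny log on locally on $($env:COMPUTERNAME): $($entries -join ', ')"
if ($denied) {
    Write-Output "$Account IS denied interactive logon on this computer."
} else {
    Write-Output "$Account is NOT denied here; check the GPO link on this OU and its security filtering, then run gpresult /r."
}
```

Run it on one machine in a department OU that should be denied and on one of the Athletics "public computers" that should still allow the logon; the two outputs should differ.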