Re: Blocking log-ons to specific computers by specific users



JR - one more remark - keep in mind that group policies do not apply to
Windows 98 systems - which actually is another argument for using the method
recommended by Isaac.

hth
Marcin

"Marcin" <marcin@xxxxxxxxxxxxxxxx> wrote in message
news:etEYvj6wJHA.4104@xxxxxxxxxxxxxxxxxxxxxxx
JR,
this seems to be a popular topic lately - check a similar post from Kim
dated 4/21.
In essence, Isaac's advice (and others from the previous post) is likely
the most efficient approach - although it is intended for scenarios where
you want to limit the number of computers that individual users can use to
log on interactively - which might not necessarily be what you are trying to
accomplish.
If this happens to be the case, you could consider utilizing the "Allow
log on locally" user right (rather than "Deny log on locally") by limiting
it to a designated non-privileged group (GroupA in your example) for target
computers. As I have mentioned earlier, you should review
http://support.microsoft.com/kb/823659 regarding potential implications -
and test before applying this change in production. Note though that using
this method on a per-computer basis still introduces considerable management
overhead (security group filtering plus having a large number of GPOs) -
so this approach would be more appropriate if you have designated groups
of computers with groups of users assigned to each...

hth
Marcin


"JR Raith" <james.raithiii@xxxxxxxxxxxx> wrote in message
news:ONSb6o3wJHA.5672@xxxxxxxxxxxxxxxxxxxxxxx
Hi Again,

I've been pulling my hair out trying to get a GPO going to block specific
users from logging in to specific computers, but it just doesn't seem to
be working. It's a 2003 Server and workstations ranging from Win98 to
WinXP.

I've been testing mostly on a Win2k client as that should work most
easily.

It seems ridiculous that I would have to add in every single group to the
"Deny Local Log-on" policy... I also seem to have trouble figuring out
where or how to apply a policy to a specific computer.

Ideally, I'd like to say "Users in Group A are allowed to log on to
Computer 1; all other users are denied." I'd hate to have to add more
than a dozen groups or so to the Deny List before setting this up for all
of the various computers became really, really tedious... Is there a
better way?

Thanks and sorry for the newbie question.
J.R.
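
Added example, not part of the original thread: a Python check that reads a user-rights export (the `[Privilege Rights]` section written by `secedit /export /areas USER_RIGHTS`) and confirms that "Allow log on locally" (`SeInteractiveLogonRight`) is limited to the intended group. The template text, the `EXAMPLE\GroupA` name and the rule that Administrators must stay on the list are assumptions made for this example.

```python
import configparser

# Constructed sample of an exported user-rights template (not from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\GroupA
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group
BROAD = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users",
         "*S-1-5-32-545": "Users", "*S-1-5-32-546": "Guests"}

def parse_rights(inf_text):
    """Return {right name: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: [p.strip() for p in value.split(",") if p.strip()]
            for name, value in cp["Privilege Rights"].items()}

def audit_local_logon(inf_text, allowed_groups):
    """List deviations from 'only allowed_groups plus Administrators may log on'."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", [])
    deny = rights.get("SeDenyInteractiveLogonRight", [])
    expected = {g.lower() for g in allowed_groups} | {ADMINS.lower()}
    findings = []
    if not allow:
        findings.append("Allow log on locally is not defined in this template")
    for principal in allow:
        if principal in BROAD:
            findings.append(f"broad group {BROAD[principal]} may log on locally")
        elif principal.lower() not in expected:
            findings.append(f"unexpected principal {principal} may log on locally")
    if allow and ADMINS not in allow:
        findings.append("Administrators are missing from Allow log on locally")
    for principal in deny:  # a deny entry overrides the matching allow entry
        if principal.lower() in expected:
            findings.append(f"{principal} is also denied, and deny wins")
    return findings

if __name__ == "__main__":
    print(audit_local_logon(SAMPLE_INF, ["EXAMPLE\\GroupA"]) or "OK")
```
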



