CrimeScene
asked on
How to restrict users to any computer within OU using Group Policy
Hello to all.
Running Active Directory on our Win2003 server. I have a particular OU that contains about 25 users and 50 computers. I want to restrict those 25 users so they can *only* log onto the 50 computers in that OU (currently, any domain user can log onto any domain client).
None of these users have Roaming Profiles. Moreover, I am familiar with the LOG ON TO feature for each user account, but I was hoping there was a way to manage this via Group Policy for that OU.
Thank you in advance for your insight.
oops.. forgot a step. You need to create an OU that will hold all computers NOT in the original OU and edit that GPO
ASKER
Kabaam,
Please clarify: does your suggestion restrict users in [user group] so they may only log onto computers that exist within the specific OU whose GP is configured as you instructed ... but these same users will not be able to log onto a computer (for example) in our executive area (executive computers are in the original OU that comes with AD).
Thank you for clarifying.
The users in the group you created will not be authorized to locally log on to the computers added to the OU that you use.
ASKER
If I understood you correct, then your suggestion does not satisfy what I am trying to accomplish. Please correct me if I am wrong.
For clarification, no one in my organization logs in "locally" to any client; they can only log into a client using their domain account. With that said, I now want to restrict a particular group of users to a particular group of computers.
--For example, let's say my building has 3 floors.
--I have grouped all users and all computers from each floor into their own OU; floor_1, floor_2 and floor_3 respectively.
--I have also added the users on the 1st floor into their own Security Group called "1st_floor", and similarly for the other 2 floors.
Using Group Policy, I now wish to restrict users in the "1st_floor" group from logging into computers located in the "floor_2" and "floor_3" OU.
Is this possible and, if so, how do I accomplish this?
Thank you!
There must be a solution!
ASKER CERTIFIED SOLUTION
Crimescene,
the suggestion I have provided will do what you are looking for.
When I say 'log on locally' it isn't talking about local accounts. It will restrict based on users from a domain group.
Locally log on says they can not enter in their username and password to access the machine.
If there are network shares on this computer where the users have permissions to... they can access them from the network but not while local at the machine.
CrimeScene,
Was that done by accident? did you want to accept that post as answer? what's up ?
ASKER
Yes, sorry, first time here. However, JamesDS answered and clarified prior to your answer, so you would only get split points, if any.
ASKER
That person gave me answer through mail.
What90
Given CrimeScene's comments, I think I might warrant at least a split.
It looks like although kabaam's comments would have fixed the problem, CrimeScene did not understand. My comment approaches the problem from a slightly different perspective and would appear to have been understood by CrimeScene.
So, both comments fix it, but kabaam gets there first.
kabaam - any thoughts?
I leave it to you to decide.
Cheers
JamesDS
Hi JamesDS,
I was going to go with a split too; however, the admin comment from AndyITsupport threw me somewhat, especially since CrimeScene was happy with the result. I'm still a bit too fresh-faced to annoy the Mods yet with challenges ;-)
Any chance of giving a brief highlight of how you sorted out the issue to round off the Question?
kabaam - what's the call on this? I didn't think JamesDS was grandstanding for points or bending any rules but AndyITsupport's comment seems pretty harsh in this case.
Ta.
What90,
Andy's comment was referring to the answer that was previously accepted by the author.
Believe it or not, he originally closed this question while accepting http://#10820042 funkmasterweb.
I think this question was BS from the very beginning and too fishy. But I do agree that James helped clarify the answer that I had already given, therefore a split is a good idea in this one.
BTW, I was hoping to never see this question again... :-)
ASKER
You people need to get a life, get out of your basement and meet REAL people.
CrimeScene
Maybe, but you need to RTFM. We don't.
JamesDS
2. Edit the GPO for the OU. On the same Group Policy tab, click Properties.
a) Navigate to the following setting:
Click to expand 'Computer Configuration'
Click to expand 'Windows Settings'
Click to expand 'Security Settings'
Click to expand 'Local Policies'
Click to expand 'User Right Assignment'
In the right-hand frame, select 'Deny local logon'
Change the settings to include the group you created in step 1.
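Once the deny right above has been pushed to the computers outside the floor's OU, it is worth confirming on an actual workstation that the policy landed and names the intended group. The PowerShell below is an added example for that check; it is not code posted in this thread. It exports the effective local security policy with secedit.exe and reads the SeDenyInteractiveLogonRight entry, which is the setting the GUI labels "Deny log on locally". The domain and group name (CORP\1st_floor) and the temp file path are assumptions. The same function can be pointed at SeDenyRemoteInteractiveLogonRight, because the local-logon right on its own does not cover Remote Desktop sessions.

```powershell
# Added example (not from the thread): read which principals hold a deny
# logon right on this workstation after the GPO has applied.
# Run from an elevated prompt; secedit needs admin to export the policy.

function Get-DeniedLogonPrincipals {
    param(
        # Default is "Deny log on locally"; SeDenyRemoteInteractiveLogonRight
        # is the separate right for Remote Desktop sessions.
        [string]$Right = 'SeDenyInteractiveLogonRight',
        [string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.inf')  # assumed path
    )

    # secedit writes the effective policy, including [Privilege Rights],
    # as an INI-style file.
    & secedit.exe /export /cfg $ExportPath /quiet | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed (run elevated?)' }

    $line = Get-Content $ExportPath | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $ExportPath -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right is not assigned to anyone

    # Values are comma separated; SIDs carry a leading '*', plain names do not.
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # orphaned group or no DC reachable: keep the raw SID
        }
        else { $e }
    }
}

function Test-GroupDeniedLogon {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Right = 'SeDenyInteractiveLogonRight'
    )
    $denied = Get-DeniedLogonPrincipals -Right $Right
    return [bool]($denied | Where-Object { $_ -ieq $GroupName })
}

# Usage on a floor_2 machine after 'gpupdate /force' (group name is assumed):
# Test-GroupDeniedLogon -GroupName 'CORP\1st_floor'
# A floor_1 machine should return False; floor_2 and floor_3 machines True.
Get-DeniedLogonPrincipals
```

A False result on a machine that should deny the group usually means the GPO is linked to the wrong OU or the computer object is still sitting in the original Computers container, which is exactly the step kabaam flagged as easy to forget.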