Solved

Restricting Domain Logons in Departments

Posted on 2002-07-20
Last Modified: 2010-04-11
I currently have a network with two Win2K Servers, set up to host the domain called 'network' for around 100 XP Pro Workstations.
Within the company I have 6 Departments (Accounts, Graphics, Technical etc..) with 10-25 PCs in each. Currently all users have their own username and roaming profile and can log onto any PC in the building.
Is there a way of restricting the logons so that people in the accounts department can log onto the PCs in the Technical Department? I have already tried to restrict logons in the user properties in AD Users & Computers but this is limited. I have thought about setting up multiple domains but this would incur much cost and time and seems a large task for such a little question.

Any help would be appreciated.
Question by:philharle
10 Comments
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7166726
Do you have OU's setup?
http://www.jsiinc.com/sube/tip2200/rh2214.htm
Have you checked out restricted groups
http://www.jsiinc.com/subg/tip3200/rh3251.htm
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7167248
"I have already tried to restrict logons in the user properties in AD Users & Computers but this is limited."

You say this is limited. What is limited? What are trying to do that is cannot?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7167249
Sorry, I meant to say
"You say this is limited. What is limited? What are you trying to do that this cannot?"
0
 
LVL 3

Expert Comment

by:Comply
ID: 7167279
You set up roaming profiles, so you will have to set up a new Domain and [Not use Roaming Profiles]. One reason most Admins never use it is just your case.
0
 

Author Comment

by:philharle
ID: 7167645
The properties in AD Users and Computers limit you to entering 10 computers. In some departments I need users to have access to up to 25 computers.

Comply - I'm not sure I understand what you're getting at. Why do I need to disable roaming profiles, since currently they are working fine?
0
 

Expert Comment

by:eheston
ID: 7168582
On each PC, go to Admin Tools, local security policy, user rights. Edit Log on Locally to include ONLY Administrators, Domain Admins, and Accounts Group (or whichever departmental DOMAIN group is appropriate).

This may seem like a lot of work, but once all of the workstations are set up it won't be. Once you add a user to the appropriate departmental group, they will be able to log on to any machine in their department.

There may be a better way to do this, but this is the best I can think of off the top of my head. It should accomplish your objective and shouldn't interfere at all with your roaming profiles. Please test thoroughly, especially on the first couple of computers.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7168587
In AD you can place each computer in a new OU that represents the Department.

Then create a GPO for each department OU restricting the user right "Logon on interactively" only to the people in that department.
0
 
LVL 7

Accepted Solution

by:
jmiller47 earned 50 total points
ID: 7168589
"In AD you can place each computer in a new OU that represents the Department."

Should read "represents EACH department". You should create a new OU for each department if you haven't already. Place your computer object in its corresponding departmental OU.
0
 

Author Comment

by:philharle
ID: 7170288
--> jmiller
That sounds like the perfect solution since little administration is required. I tried to set it up, and maybe it's just me being blind but I can't find the setting for 'logon interactively' in the new GPO. All I can find is 'logon locally', which I assume isn't what is needed. Could you point me in the right direction please?

Thanks!!!
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7170317
My bad. I believe "log on interactively" was an old NT4 user right. Use the Log on Locally right. That should be what you are looking for.

Set up a few workstations using this policy and test it before going all out to ensure that it is working for you properly in your situation.
0
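
An added example, not part of the thread: one way to check a test workstation after the departmental GPO applies is to export its user rights (for instance with `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and confirm who holds `SeInteractiveLogonRight`, the constant behind "Log on Locally". The INF text, SIDs and the allowed-group mapping below are constructed for illustration.

```python
RIGHT = "SeInteractiveLogonRight"  # constant name of the "Log on locally" user right

# Constructed sample of a user-rights export from one Accounts-department PC.
# The domain SID (S-1-5-21-1111-2222-3333) and RID 1105 are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Principals the thread's policy allows on this PC (hypothetical SIDs).
ALLOWED = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-21-1111-2222-3333-512": "NETWORK\\Domain Admins",
    "S-1-5-21-1111-2222-3333-1105": "NETWORK\\Accounts (departmental group)",
}

def logon_locally_principals(inf_text):
    """Return the principals granted Log on locally, or None if undefined."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == RIGHT.lower():
                # SIDs are written with a leading '*'; plain names have none.
                return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return None

def audit(inf_text, allowed):
    """Compare the granted principals with the allowed set for this department."""
    granted = logon_locally_principals(inf_text)
    if granted is None:  # the right is not set at all, so the policy did not apply
        return {"defined": False, "unexpected": [], "missing": sorted(allowed)}
    return {
        "defined": True,
        "unexpected": [p for p in granted if p not in allowed],
        "missing": sorted(set(allowed) - set(granted)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_INF, ALLOWED))
```

In the sample, `S-1-5-32-545` (the built-in Users group) is still granted the right, so any domain user could still log on at this PC; the audit reports it as unexpected.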
