Restricting Domain Logons in Departments

I currently have a network with two Win2K Servers, set up to host the domain called 'network' for around 100 XP Pro Workstations.
Within the company I have 6 departments (Accounts, Graphics, Technical, etc.) with 10-25 PCs in each. Currently all users have their own username and roaming profile and can log onto any PC in the building.
Is there a way of restricting the logons so that people in the accounts department can log onto the PCs in the Technical Department? I have already tried to restrict logons in the user properties in AD Users & Computers but this is limited. I have thought about setting up multiple domains but this would incur much cost and time and seems a large task for such a little question.

Any help would be appreciated.
philharle Asked:
 
jmiller47 Commented:
"In AD you can place each computer in a new OU that represents the Department."

Should read "represents EACH department". You should create a new OU for each department if you haven't already. Place your computer object in its corresponding departmental OU.
0
 
stevenlewis Commented:
Do you have OUs set up?
http://www.jsiinc.com/sube/tip2200/rh2214.htm
Have you checked out restricted groups?
http://www.jsiinc.com/subg/tip3200/rh3251.htm
0
 
jmiller47 Commented:
"I have already tried to restrict logons in the user properties in AD Users & Computers but this is limited."

You say this is limited. What is limited? What are trying to do that is cannot?
0
 
jmiller47 Commented:
Sorry, I meant to say
"You say this is limited. What is limited? What are you trying to do that this cannot?"
0
 
Comply Commented:
You set up roaming profiles, so you will have to set up a new Domain and [Not use Roaming Profiles]. One reason most Admins never use it is just your case.
0
 
philharle Author Commented:
The properties in AD Users and Computers limit you to entering 10 computers. In some departments I need users to have access to up to 25 computers.

Comply - I'm not sure I understand what you're getting at. Why do I need to disable roaming profiles, since currently they are working fine?
0
 
eheston Commented:
On each PC, go to Admin Tools, Local Security Policy, User Rights. Edit Log on Locally to include ONLY Administrators, Domain Admins, and Accounts Group (or whichever departmental DOMAIN group is appropriate).

This may seem like a lot of work, but once all of the workstations are set up it won't be. Once you add a user to the appropriate departmental group, they will be able to log on to any machine in their department.

There may be a better way to do this, but this is the best I can think of off the top of my head. It should accomplish your objective and shouldn't interfere at all with your roaming profiles. Please test thoroughly, especially on the first couple of computers.
0
 
jmiller47 Commented:
In AD you can place each computer in a new OU that represents the Department.

Then create a GPO for each department OU restricting the user right "Logon on interactively" only to the people in that department.
0
 
philharle Author Commented:
--> jmiller
That sounds like the perfect solution since little administration is required. I tried to set it up, and maybe it's just me being blind but I can't find the setting for 'logon interactively' in the new GPO. All I can find is 'logon locally', which I assume isn't what is needed. Could you point me in the right direction please?

Thanks!!!
0
 
jmiller47 Commented:
My bad. I believe "log on interactively" was an old NT4 user right. Use the Log on Locally right. That should be what you are looking for.

Set up a few workstations using this policy and test it before going all out to ensure that it is working for you properly in your situation.
0
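One way to do the testing recommended in the answers above, as an added example that is not part of the original thread: after the per-department GPO has applied, export a workstation's user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check that "Log on locally" (stored as `SeInteractiveLogonRight`) lists only the intended principals. The two exports below are constructed samples, and `NETWORK\Accounts` is an assumed name for the departmental domain group.

```python
import configparser

# Constructed sample: export from a workstation in the Accounts OU after the
# GPO applied. Real secedit exports are UTF-16; read them with encoding="utf-16".
SAMPLE_ACCOUNTS_PC = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,NETWORK\Domain Admins,NETWORK\Accounts
"""

# Constructed sample: a workstation the GPO has not reached yet.
SAMPLE_UNRESTRICTED_PC = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
"""

# Well-known SIDs that appear in exports as "*S-..." instead of names.
WELL_KNOWN = {
    "*S-1-5-32-544": "BUILTIN\\Administrators",
    "*S-1-5-32-545": "BUILTIN\\Users",
    "*S-1-5-32-547": "BUILTIN\\Power Users",
    "*S-1-1-0": "Everyone",
}


def logon_locally(inf_text):
    """Return the set of principals granted 'Log on locally' in an export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the right names case-sensitive as written
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", "SeInteractiveLogonRight", fallback="")
    names = (p.strip() for p in raw.split(","))
    return {WELL_KNOWN.get(p, p) for p in names if p}


def unexpected_principals(inf_text, allowed):
    """List principals that can log on locally but are not in `allowed`."""
    allowed_lower = {a.lower() for a in allowed}  # account names are case-insensitive
    return sorted(p for p in logon_locally(inf_text)
                  if p.lower() not in allowed_lower)


# Assumed policy for the Accounts OU, following the answers above.
ACCOUNTS_ALLOWED = ["BUILTIN\\Administrators", "NETWORK\\Domain Admins",
                    "NETWORK\\Accounts"]

if __name__ == "__main__":
    for label, text in (("accounts-pc", SAMPLE_ACCOUNTS_PC),
                        ("unrestricted-pc", SAMPLE_UNRESTRICTED_PC)):
        print(label, unexpected_principals(text, ACCOUNTS_ALLOWED) or "OK")
```

An empty result means only the allowed groups hold the right; any name returned is a principal that can still log on interactively at that machine.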
Question has a verified solution.
