Solved

Resticing Domain Logons in Departments

Posted on 2002-07-20
10
324 Views
Last Modified: 2010-04-11
I currently have a network with two Win2K Servers, set up for to host the domain called 'network' for around 100 XP Pro Workstations.
Within the company I Have 6 Departments (Accounts, Graphics, Technical etc..) with 10-25 PC's in each. Currently all users have their own username and romain profile and can log onto any PC in the building.
Is there a way of restriciting the logons so that people in the accounts department can log onto the PC's in the Techncial Department. I have arleady tried to restrict logons in the user properites in AD Users & Computers but this is limited. I have thought about setting up multiple domains but this would incurr much cost and time and seems a large task for such a little question.

Any help would be appreciated.
0
Comment
Question by:philharle
10 Comments
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7166726
Do you have OU's setup?
http://www.jsiinc.com/sube/tip2200/rh2214.htm
Have you checked out restricted groups
http://www.jsiinc.com/subg/tip3200/rh3251.htm
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7167248
" I have arleady tried to restrict logons in the user properites in AD Users & Computers but this is limited."

You say this is limited. What is limited? What are trying to do that is cannot?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7167249
Sorry, I meant to say
"You say this is limited. What is limited? What are you trying to do that this cannot?"
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 3

Expert Comment

by:Comply
ID: 7167279
You setup roaming profiles, So you will have to setup a new Doamain and [Not use Roaming Profiles] One reason most Admins never use it is just your case.
0
 

Author Comment

by:philharle
ID: 7167645
The properties in AD Users and Computers limits you to entering 10 computers. In some departments I need users to have access to up to 25 computers.

Comply- Im not sure i understand what you're getting at. Why do i need to disble romaing profiles. SInce currently they are working fine.
0
 

Expert Comment

by:eheston
ID: 7168582
On each PC, go to Admin Tools, local security policy, user rights.  Edit Log on Locally to include ONLY Administrators, Domain Admins, and Accounts
Group(or whichever departmental DOMAIN group is appropriate).

This may seem like alot of work, but once all of the workstations are setup it won't be.  Once you add a user to the appropriate departmental group, they will be able to logon to any machine in their department.

There maybe a better way to do this, but this is the best I can think of off the top of my head.  It should accomplish your objective and shouldn't interfere at all with your roaming profiles.  Please test thoroughly, especially on the first couple of computers.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7168587
In AD you can place each computer in a new OU that represents the Department.

Then create a GPO for each department OU restricting the user right "Logon on interactively" only to the people in that department.
0
 
LVL 7

Accepted Solution

by:
jmiller47 earned 50 total points
ID: 7168589
"In AD you can place each computer in a new OU that represents the Department."

Should read "represents EACH deaprtment". You should create a new OU for each department if you haven't already. Place your computer object in it's corresponding departmental OU.
0
 

Author Comment

by:philharle
ID: 7170288
--> jmiller
that sounds like the perfect solution since little admistration is required. i tried to set it up, an maybe its just me being blind burt i cant find the setting for 'logon intercativly' in the new GPO. All i can find is 'logon locally' which i assume isnt what is needed. Could you point me in the right direction please.

Thanks!!!
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7170317
My bad. I believe "log on interactively" was an old NT4 user right. Use the Log on Locally right. That should be what you are looking for.

Set up a few workstations using this policy and test it before going all out to ensure that it is working for you properly in your situation.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
md5 password 3 61
Trouble enabling network for Hyper-V client 10 31
Switch ports not working 8 32
Internet Service Provider 3 49
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question