Solved

Resticing Domain Logons in Departments

Posted on 2002-07-20
10
326 Views
Last Modified: 2010-04-11
I currently have a network with two Win2K Servers, set up for to host the domain called 'network' for around 100 XP Pro Workstations.
Within the company I Have 6 Departments (Accounts, Graphics, Technical etc..) with 10-25 PC's in each. Currently all users have their own username and romain profile and can log onto any PC in the building.
Is there a way of restriciting the logons so that people in the accounts department can log onto the PC's in the Techncial Department. I have arleady tried to restrict logons in the user properites in AD Users & Computers but this is limited. I have thought about setting up multiple domains but this would incurr much cost and time and seems a large task for such a little question.

Any help would be appreciated.
0
Comment
Question by:philharle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 41

Expert Comment

by:stevenlewis
ID: 7166726
Do you have OU's setup?
http://www.jsiinc.com/sube/tip2200/rh2214.htm
Have you checked out restricted groups
http://www.jsiinc.com/subg/tip3200/rh3251.htm
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7167248
" I have arleady tried to restrict logons in the user properites in AD Users & Computers but this is limited."

You say this is limited. What is limited? What are trying to do that is cannot?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7167249
Sorry, I meant to say
"You say this is limited. What is limited? What are you trying to do that this cannot?"
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 3

Expert Comment

by:Comply
ID: 7167279
You setup roaming profiles, So you will have to setup a new Doamain and [Not use Roaming Profiles] One reason most Admins never use it is just your case.
0
 

Author Comment

by:philharle
ID: 7167645
The properties in AD Users and Computers limits you to entering 10 computers. In some departments I need users to have access to up to 25 computers.

Comply- Im not sure i understand what you're getting at. Why do i need to disble romaing profiles. SInce currently they are working fine.
0
 

Expert Comment

by:eheston
ID: 7168582
On each PC, go to Admin Tools, local security policy, user rights.  Edit Log on Locally to include ONLY Administrators, Domain Admins, and Accounts
Group(or whichever departmental DOMAIN group is appropriate).

This may seem like alot of work, but once all of the workstations are setup it won't be.  Once you add a user to the appropriate departmental group, they will be able to logon to any machine in their department.

There maybe a better way to do this, but this is the best I can think of off the top of my head.  It should accomplish your objective and shouldn't interfere at all with your roaming profiles.  Please test thoroughly, especially on the first couple of computers.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7168587
In AD you can place each computer in a new OU that represents the Department.

Then create a GPO for each department OU restricting the user right "Logon on interactively" only to the people in that department.
0
 
LVL 7

Accepted Solution

by:
jmiller47 earned 50 total points
ID: 7168589
"In AD you can place each computer in a new OU that represents the Department."

Should read "represents EACH deaprtment". You should create a new OU for each department if you haven't already. Place your computer object in it's corresponding departmental OU.
0
 

Author Comment

by:philharle
ID: 7170288
--> jmiller
that sounds like the perfect solution since little admistration is required. i tried to set it up, an maybe its just me being blind burt i cant find the setting for 'logon intercativly' in the new GPO. All i can find is 'logon locally' which i assume isnt what is needed. Could you point me in the right direction please.

Thanks!!!
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7170317
My bad. I believe "log on interactively" was an old NT4 user right. Use the Log on Locally right. That should be what you are looking for.

Set up a few workstations using this policy and test it before going all out to ensure that it is working for you properly in your situation.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question