Solved

How to restrict users to any computer within OU using Group Policy

Posted on 2004-04-13
20
676 Views
Last Modified: 2008-02-01
Hello to all.

Running Active Directory on our Win2003 server. I have a particular OU that contains about 25 users and 50 computers. I want to restrict those 25 users so they can *only* log onto the 50 computers in that OU (currently, any domain user can log onto any domain client).

None of these users have Roaming Profiles. Moreover, I am familiar with the LOG ON TO feature for each user account, but I was hoping there was a way to manage this via Group Policy for that OU.

Thank you in advance for your insight.
Question by:CrimeScene
20 Comments
 
LVL 11

Expert Comment

by:kabaam
1. Create a user group containing the users you want restricted.
2. Edit the GPO for the OU. On the same Group Policy tab, click Properties.
    a) Navigate to the following setting:
        click to expand 'Computer Configuration'
        click to expand 'Windows Settings'
        click to expand 'Security Settings'
        click to expand 'Local Policies'
        click to expand 'User Rights Assignment'
          in the right-hand frame select 'Deny log on locally'
          change the setting to include the group you created in step 1

0
 
LVL 11

Expert Comment

by:kabaam
Oops, forgot a step. You need to create an OU that will hold all computers NOT in the original OU and edit that GPO.
0
 

Author Comment

by:CrimeScene
Kabaam,

Please clarify: does your suggestion restrict users in [user group] so they may only log onto computers that exist within the specific OU whose GP is configured as you instructed ... but these same users will not be able to log onto a computer (for example) in our executive area (executive computers are in the original OU that comes with AD).

Thank you for clarifying.
0
 
LVL 11

Expert Comment

by:kabaam

The users in the group you created will not be authorized to locally log on to the computers added to the OU that you use.
0
 

Author Comment

by:CrimeScene
If I understood you correctly, then your suggestion does not satisfy what I am trying to accomplish. Please correct me if I am wrong.

For clarification, no one in my organization logs in "locally" to any client; they can only log into a client using their domain account. With that said, I now want to restrict a particular group of users to a particular group of computers.

--For example, let's say my building has 3 floors.
--I have grouped all users and all computers from each floor into their own OU; floor_1, floor_2 and floor_3 respectively.
--I have also added the users on the 1st floor into their own Security Group called "1st_floor", and similarly for the other 2 floors.

Using Group Policy, I now wish to restrict users in the "1st_floor" group from logging into computers located in the "floor_2" and "floor_3" OU.

Is this possible and, if so, how do I accomplish this?

Thank you!
0
 
LVL 1

Expert Comment

by:FunkMasterWeb
There must be a solution!
0
 
LVL 16

Accepted Solution

by:JamesDS (earned 125 total points)
CrimeScene

You need to set the logon locally security right - which as you know is done with group policy on the machine policy node.
Windows Settings\Security Settings\Local Policies\User rights assignment - Allow log on locally

This setting can only be set with the machine policy so your OUs only need to contain workstation accounts as users in these OUs will be neatly ignored.

The rest of the work is done with security groups.

Let's call our department "Sales".
So, you should have a departmental OU called "Sales" containing a bunch of workstation accounts and a GPO with the above setting assigned to a local or domain local security group called "Sales Users" and at least the Administrators group, for obvious reasons!

Adding user accounts to the group "Sales" will allow them access to the machines controlled by that GPO.

To expand this to all departments you create a new GPO and corresponding group for each departmental OU and assign all your users to one or other, or they will not be able to log on anywhere (which is not a bad thing in the security world!).

I actually do this here; it works fine and is not complex.

Cheers

JamesDS
0
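The accepted answer sets "Allow log on locally" (and kabaam's variant "Deny log on locally") through the GPO linked to the workstation OU, and the thread does not show how to confirm the result. The following PowerShell is an added example, not code from the thread or from any of its participants. It assumes a modern management host with the RSAT ActiveDirectory module for the group step, and local administrator rights on a workstation in the OU for the verification step; the OU path, group name and user names are constructed placeholders for the thread's "Sales" example.

```powershell
# Added example (not from the thread). Two parts:
#   New-OuLogonGroup      - run on a management host: creates the "Sales Users" group.
#   Get-LogonRightHolders - run on a workstation in the OU after gpupdate: shows who
#                           actually holds a logon right once the GPO has applied.
# The user right itself is set in GPMC as the accepted answer describes (Computer
# Configuration > Windows Settings > Security Settings > Local Policies > User Rights
# Assignment); no cmdlet writes that value, so the script verifies rather than sets it.

function New-OuLogonGroup {
    # Creates the domain local group named in the accepted answer and adds the
    # users who are allowed to log on to the workstations in the OU. All values
    # below are assumed placeholders.
    param(
        [string]   $GroupName = 'Sales Users',
        [string]   $OuPath    = 'OU=Sales,DC=example,DC=com',
        [string[]] $Members   = @('jdoe', 'asmith')   # constructed sample SAM account names
    )
    Import-Module ActiveDirectory
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $OuPath
    }
    Add-ADGroupMember -Identity $GroupName -Members $Members
}

function Get-LogonRightHolders {
    # Exports the effective local security policy with secedit (needs elevation) and
    # returns the accounts holding the requested right as DOMAIN\Name strings.
    # SeInteractiveLogonRight     = "Allow log on locally" (JamesDS's approach)
    # SeDenyInteractiveLogonRight = "Deny log on locally"  (kabaam's approach)
    param([string] $Right = 'SeInteractiveLogonRight')

    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # the right is granted to nobody on this machine

    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $entry   # already a name, or a SID this machine cannot resolve
        }
    }
}

# Usage on a workstation in the OU (after gpupdate /force):
$groupName = 'Sales Users'
$allowed   = Get-LogonRightHolders -Right 'SeInteractiveLogonRight'
$allowed | ForEach-Object { "Allow log on locally: $_" }

# The check the accepted answer warns about: if Administrators was dropped from the
# allow list, the GPO locks administrators out of every workstation it applies to.
if ($allowed -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'Administrators is missing from "Allow log on locally"; fix the GPO before it applies further.'
}
if (-not ($allowed | Where-Object { $_ -like "*\$groupName" })) {
    Write-Warning "$groupName is not in the allow list yet; re-check after Group Policy refresh."
}
```

Run the verification on one workstation before linking the GPO to the whole OU; the same function with `-Right 'SeDenyInteractiveLogonRight'` shows the deny list if you follow kabaam's variant instead, and a principal that appears in both lists is denied, because deny rights win.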
 
LVL 11

Expert Comment

by:kabaam
CrimeScene,
the suggestion I have provided will do what you are looking for.
When I say 'log on locally' it isn't talking about local accounts. It will restrict based on users from a domain group.
Log on locally says they cannot enter their username and password to access the machine.
If there are network shares on this computer where the users have permissions, they can access them from the network but not while local at the machine.
0
 
LVL 11

Expert Comment

by:kabaam
CrimeScene,
Was that done by accident? Did you want to accept that post as the answer? What's up?
0
 

Author Comment

by:CrimeScene
Yes, sorry, first time here. However, JamesDS answered and clarified prior to your answer, so you would only get split points, if any.
0
 

Author Comment

by:CrimeScene
That person gave me the answer through mail.
0
 
LVL 16

Expert Comment

by:JamesDS
What90
Given CrimeScene's comments, I think I might warrant at least a split.

It looks like although kabaam's comments would have fixed the problem, CrimeScene did not understand. My comment approaches the problem from a slightly different perspective and would appear to have been understood by CrimeScene.

So, both comments fix it but kabaam gets there first.

kabaam - any thoughts?

I leave it to you to decide.

Cheers

JamesDS
0
 
LVL 20

Expert Comment

by:What90
Hi JamesDS,

I was going to go with a split too, however the admin comment from AndyITsupport threw me somewhat, especially since CrimeScene was happy with the result. I'm still a bit too fresh faced to annoy the Mods yet with challenges ;-)
Any chance of giving a brief highlight of how you sorted out the issue to round off the Question?

kabaam - what's the call on this? I didn't think JamesDS was grandstanding for points or bending any rules, but AndyITsupport's comment seems pretty harsh in this case.


Ta.
0
 
LVL 11

Expert Comment

by:kabaam
What90,
Andy's comment was referring to the answer that was previously accepted by the author.
Believe it or not, he originally closed this question while accepting http://#10820042 funkmasterweb.
I think this question was BS from the very beginning and too fishy. But I do agree that James helped clarify the answer that I had already given, therefore a split is a good idea in this one.

BTW, I was hoping to never see this question again... :-)
0
 

Author Comment

by:CrimeScene
You people need to get a life, get out of your basement and meet REAL people.
0
 
LVL 16

Expert Comment

by:JamesDS
CrimeScene
Maybe, but you need to RTFM. We don't.

JamesDS
0