How to restrict users to any computer within OU using Group Policy

Hello to all.

Running Active Directory on our Win2003 server. I have a particular OU that contains about 25 users and 50 computers. I want to restrict those 25 users so they can *only* log onto the 50 computers in that OU (currently, any domain user can log onto any domain client).

None of these users have Roaming Profiles. Moreover, I am familiar with the LOG ON TO feature for each user account, but I was hoping there was a way to manage this via Group Policy for that OU.

Thank you in advance for your insight.
CrimeScene Asked:
JamesDS Commented:
CrimeScene

You need to set the "log on locally" security right, which as you know is done with Group Policy on the machine policy node:
Windows Settings\Security Settings\Local Policies\User rights assignment - Allow log on locally

This setting can only be set with the machine policy so your OUs only need to contain workstation accounts as users in these OUs will be neatly ignored.

The rest of the work is done with security groups.

Let's call our department "Sales".
So, you should have a departmental OU called "Sales" containing a bunch of workstation accounts and a GPO with the above setting assigned to a local or domain local security group called "Sales Users" and at least the Administrators group, for obvious reasons!

Adding user accounts to the group "Sales" will allow them access to the machines controlled by that GPO.

To expand this to all departments you create a new GPO and corresponding group for each departmental OU and assign all your users to one or the other, or they will not be able to log on anywhere (which is not a bad thing in the security world!).

I actually do this here; it works fine and is not complex.

Cheers

JamesDS
chad Commented:
1. Create a user group containing the users you want restricted.
2. Edit the GPO for the OU. On the same Group Policy tab, click Properties.
    a) Navigate to the following setting:
        click to expand 'Computer Configuration'
        click to expand 'Windows Settings'
        click to expand 'Security Settings'
        click to expand 'Local Policies'
        click to expand 'User Rights Assignment'
          in the right-hand frame select 'Deny logon locally'
          change the setting to include the group you created in step 1

chad Commented:
Oops, forgot a step. You need to create an OU that will hold all computers NOT in the original OU and edit that GPO.
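An added example, not code from either answer, that puts the two suggestions side by side: the PowerShell below writes the security-template section (GptTmpl.inf, [Privilege Rights]) in which "Allow log on locally" and "Deny log on locally" are actually stored, resolving group names to SIDs first. The domain name CONTOSO, the group name and the output file names are assumptions.

```powershell
# Added example (not from the thread). "Allow log on locally" and "Deny log on
# locally" are stored in a GPO as SeInteractiveLogonRight / SeDenyInteractiveLogonRight
# in GptTmpl.inf. This builds that [Privilege Rights] section from group names so the
# two designs can be reviewed before the GPO itself is edited.
# Rule to remember: a Deny right always overrides an Allow right for the same account.

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Account)    # e.g. 'CONTOSO\1st_floor'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    try { $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { throw "Cannot resolve '$Account' to a SID: $_" }
}

function New-LogonRightsTemplate {
    param(
        [string[]]$AllowLogonLocally = @(),   # JamesDS's design: per-floor allow list
        [string[]]$DenyLogonLocally  = @()    # chad's design: deny list on the other OUs
    )
    # An Allow list REPLACES the workstation's defaults, so Administrators
    # (well-known SID S-1-5-32-544) is always kept, or you lock yourself out.
    $allow = @('S-1-5-32-544')
    foreach ($a in $AllowLogonLocally) { $allow += ConvertTo-Sid $a }
    $deny = @()
    foreach ($d in $DenyLogonLocally) { $deny += ConvertTo-Sid $d }
    if ($deny -contains 'S-1-5-32-544') { throw 'Refusing to deny Administrators local logon.' }

    # Each principal is written as *SID, comma separated, as secedit expects.
    $fmt = { ($args[0] | Select-Object -Unique | ForEach-Object { "*$_" }) -join ',' }
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[Privilege Rights]', 'SeInteractiveLogonRight = ' + (& $fmt $allow))
    if ($deny.Count -gt 0) { $lines += 'SeDenyInteractiveLogonRight = ' + (& $fmt $deny) }
    $lines -join "`r`n"
}

# Floor scenario from the thread; the domain name CONTOSO is assumed.
# Template for the GPO linked to the floor_2 and floor_3 computer OUs (chad's approach):
New-LogonRightsTemplate -DenyLogonLocally 'CONTOSO\1st_floor' |
    Set-Content -Encoding Unicode .\deny_1st_floor.inf
# Template for the GPO linked to the floor_1 computer OU (JamesDS's approach):
New-LogonRightsTemplate -AllowLogonLocally 'CONTOSO\1st_floor' |
    Set-Content -Encoding Unicode .\allow_1st_floor.inf

# Check on a workstation after gpupdate which rights it actually applies:
#   secedit /export /cfg .\effective.inf /areas USER_RIGHTS
```

Both rights only govern interactive (console) logon; access to shares on those machines over the network is unaffected, as chad notes further down.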
CrimeScene (Author) Commented:
Kabaam,

Please clarify: does your suggestion restrict users in [user group] so they may only log onto computers that exist within the specific OU whose GP is configured as you instructed ... but these same users will not be able to log onto a computer (for example) in our executive area (executive computers are in the original OU that comes with AD).

Thank you for clarifying.
chad Commented:

The users in the group you created will not be authorized to locally log on to the computers added to the OU that you use.
CrimeScene (Author) Commented:
If I understood you correctly, then your suggestion does not satisfy what I am trying to accomplish. Please correct me if I am wrong.

For clarification, no one in my organization logs in "locally" to any client; they can only log into a client using their domain account. With that said, I now want to restrict a particular group of users to a particular group of computers.

--For example, let's say my building has 3 floors.
--I have grouped all users and all computers from each floor into their own OU; floor_1, floor_2 and floor_3 respectively.
--I have also added the users on the 1st floor into their own Security Group called "1st_floor", and similarly for the other 2 floors.

Using Group Policy, I now wish to restrict users in the "1st_floor" group from logging into computers located in the "floor_2" and "floor_3" OU.

Is this possible and, if so, how do I accomplish this?

Thank you!
FunkMasterWeb Commented:
There must be a solution!
chad Commented:
Crimescene,
the suggestion I have provided will do what you are looking for.
When I say 'log on locally', it isn't talking about local accounts. It will restrict based on users from a domain group.
"Log on locally" means they cannot enter their username and password to access the machine.
If there are network shares on this computer where the users have permissions to... they can access them from the network but not while local at the machine.
chad Commented:
CrimeScene,
Was that done by accident? Did you want to accept that post as the answer? What's up?
CrimeScene (Author) Commented:
Yes, sorry, first time here. However, JamesDS answered and clarified prior to your answer, so you would only get split points, if any.
CrimeScene (Author) Commented:
That person gave me the answer through mail.
JamesDS Commented:
What90
Given CrimeScene's comments, I think I might warrant at least a split.

It looks like although kabaam's comments would have fixed the problem, CrimeScene did not understand. My comment approaches the problem from a slightly different perspective and would appear to have been understood by CrimeScene.

So, both comments fix it but kabaam gets there first

kabaam - any thoughts?

I leave it to you to decide.

Cheers

JamesDS
What90 Commented:
Hi JamesDS,

I was going to go with a split too; however, the admin comment from AndyITsupport threw me somewhat, especially since CrimeScene was happy with the result. I'm still a bit too fresh-faced to annoy the Mods yet with challenges ;-)
Any chance of giving a brief highlight of how you sorted out the issue to round off the Question?


kabaam - what's the call on this? I didn't think JamesDS was grandstanding for points or bending any rules but AndyITsupport's comment seems pretty harsh in this case.


Ta.
chad Commented:
What90,
Andy's comment was referring to the answer that was previously accepted by the author.
Believe it or not, he originally closed this question while accepting http://#10820042 funkmasterweb.
I think this question was BS from the very beginning and too fishy. But I do agree that James helped clarify the answer that I had already given, therefore a split is a good idea in this one.

BTW, I was hoping to never see this question again... :-)
CrimeScene (Author) Commented:
You people need to get a life, get out of your basement and meet REAL people.
JamesDS Commented:
CrimeScene
Maybe, but you need to RTFM. We don't.

JamesDS