Solved

How do I use Group Policy to restrict a Security Group to only be able to log onto computers in a particular OU?

Posted on 2004-04-13
12
442 Views
Last Modified: 2010-04-19
Kindly review my post in its entirety before answering.

I’m running Active Directory on a Win2003 server that is our internal DC. At the current moment, any domain user can log onto any client pc that was previously joined to our domain.

For clarification, none of my users have Roaming Profiles, nor do these users log in "locally" to any client; they can only log in using their domain account. Moreover, I am familiar with the "LOG ON TO" setting on the user account, but I was hoping there was a way to manage this via Group Policy for the entire OU.

With that said, I now want to restrict a particular group of users to a particular group of computers.
--For example, let's say my building has 3 floors.
--I have grouped all users and all computers from each floor into their own OU; floor_1, floor_2 and floor_3 respectively.
--I have also added the users on the 1st floor into their own Security Group called "1st_floor", and similarly for the other 2 floors.

Using Group Policy, I now wish to restrict users in the "1st_floor" security group from logging into computers located in the "floor_2" and "floor_3" OU.

Is this possible and, if so, how do I accomplish this?
Thank you in advance for your insight.
Question by:FunkMasterWeb
12 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 250 total points
ID: 10820709
FunkMasterWeb

I take it then that this did not solve your problem:
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_20952539.html

You need to set the logon locally security right - which as you know is done with group policy on the machine policy node.
Windows Settings\Security Settings\Local Policies\User rights assignment - Allow log on locally

This setting can only be set with the machine policy so your OUs only need to contain workstation accounts as users in these OUs will be neatly ignored.

The rest of the work is done with security groups.

Lets call our department "Sales"
So, you should have a departmental OU called "Sales" containing a bunch of workstation accounts and a GPO with the above setting assigned to a local or domain local security group called "Sales Users" and at least the Administrators group, for obvious reasons!

Adding user accounts to the group "Sales" will allow them access to the machines controlled by that GPO.

To expand this to all departments you create a new GPO and corresponding group for each departmental OU and assign all your users to one or other, or they will not be able to log on anywhere (which is not a bad thing in the security world!).

I actually do this here; it works fine and is not complex.

Cheers

JamesDS
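An added example in PowerShell (not from this thread or its posters), for checking the two things the accepted answer warns about: users who sit in none of the floor groups, who will be unable to log on anywhere once the per-floor GPOs apply, and the effective "Allow log on locally" holders on a workstation, which should be only that floor's group plus Administrators. It assumes the RSAT ActiveDirectory module on a current domain-joined admin workstation; the group names beyond "1st_floor" and the computer name "FLOOR2-PC01" are placeholders, and the user right itself is still set in the GPO editor as the answer describes.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and the
# thread's naming scheme; '2nd_floor', '3rd_floor' and 'FLOOR2-PC01' are placeholders.
Import-Module ActiveDirectory

$FloorGroups = '1st_floor', '2nd_floor', '3rd_floor'   # one domain local group per floor

# Users in none of the floor groups lose interactive logon everywhere once the
# per-floor GPOs apply, so list them before linking the policies.
function Get-UsersWithoutFloorGroup {
    $floorDNs = foreach ($g in $FloorGroups) { (Get-ADGroup -Identity $g).DistinguishedName }
    Get-ADUser -Filter 'Enabled -eq $true' -Properties MemberOf |
        Where-Object { -not ($_.MemberOf | Where-Object { $floorDNs -contains $_ }) } |
        Select-Object SamAccountName, DistinguishedName
}

# Effective holders of "Allow log on locally" (SeInteractiveLogonRight) on a workstation.
# secedit exports the local security database, which reflects the domain GPO after
# gpupdate; this needs administrative rights on the target machine.
function Get-AllowLogOnLocally {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'rights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        if (-not $line) { return @() }          # nobody holds the right: everyone is locked out
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            # entries look like *S-1-5-32-544; translate each SID to DOMAIN\Name where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $_.Trim().TrimStart('*')
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        }
    }
}

# One floor's workstation: its own group and Administrators must hold the right;
# the other floors' groups and broad groups such as Users must not.
function Test-FloorLogonRestriction {
    param([string]$ComputerName, [string]$ExpectedGroup)
    $names = Get-AllowLogOnLocally -ComputerName $ComputerName | ForEach-Object { ($_ -split '\\')[-1] }
    [pscustomobject]@{
        Computer    = $ComputerName
        HasOwnGroup = $names -contains $ExpectedGroup
        HasAdmins   = $names -contains 'Administrators'
        OtherFloors = @($names | Where-Object { $FloorGroups -contains $_ -and $_ -ne $ExpectedGroup })
        BroadGroups = @($names | Where-Object { $_ -in @('Users', 'Everyone', 'Authenticated Users') })
    }
}

Get-UsersWithoutFloorGroup
Test-FloorLogonRestriction -ComputerName 'FLOOR2-PC01' -ExpectedGroup '2nd_floor'
```

Run the first check before linking each GPO and the second on one machine per OU after gpupdate; an empty holder list or a missing Administrators entry means the policy will lock out the machine rather than restrict it.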
 
LVL 1

Author Comment

by:FunkMasterWeb
ID: 10839100
JamesDS,

I'm not related to the other question; I just had a similar question and the wording fit.

I will try your solution in the next day or so. If it works, I will accept your answer.

By the way, how long do I have to accept an answer? Will this website ever close an open question and/or award points without my interaction?

Thanks.
 
LVL 1

Author Comment

by:FunkMasterWeb
ID: 10839141
By the way, since GP can redirect the desktop folder, can it also be used to dictate the settings found in WinXP under MY COMPUTER, PROPERTIES, ADVANCED, PERFORMANCE SETTINGS?  I'd like to disable all that "fisher price" curves and colors crap that is enabled by default with WinXP.
 
LVL 11

Expert Comment

by:kabaam
ID: 10839144
Yes. 21 days of no comments is the standard, but no one is there to stare every question down to find out when.
I would guess a good month or two is safe. A regular post or two will be made for comments from all parties before closing the question.
see this example if you wish
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_20560330.html

Note that the example question is a year old and just being "cleaned".
 
LVL 20

Expert Comment

by:What90
ID: 10839212
FunkMasterWeb,

Why not just use the GPO to disable user's access to the Display panel. Saves me loads of trouble!
;-)
Here's MS's word on it and how:
www.microsoft.com/.../ doc/tre_nt/Module%204%20-%20Group%20Policy%20in%20Windows%20Server%202003.ppt
 
LVL 1

Author Comment

by:FunkMasterWeb
ID: 10844675
WHAT90 -- can't read your URL.
KABAAM -- are you the same person as JamesDS?

ANYONE --
Since GP can redirect the desktop folder, can it also be used to dictate the settings found in WinXP under MY COMPUTER, PROPERTIES, ADVANCED, PERFORMANCE SETTINGS?  I'd like to disable all that "fisher price" curves and colors crap that is enabled by default with WinXP.
 
LVL 16

Expert Comment

by:JamesDS
ID: 10844749
FunkMasterWeb

Firstly, I am not Kabaam - I wish I had his patience.

Secondly, the solution I posted does fix your problem, as I do the exact thing here.

Lastly, I believe you have already posted your "fisher price" question elsewhere.

Cheers

JamesDS
 
LVL 11

Expert Comment

by:kabaam
ID: 10844779
FMW,
What is your goal here? Something does not look right. As James pointed out above, this is the exact same question as posted by CrimeScene, and now you are posting an exact copy of another open question in the topic area.
It appears to me that you are reasking questions to get the answers to post in the original question.  
I am confused by your motives here.
 
LVL 1

Author Comment

by:FunkMasterWeb
ID: 10850893
KABAAM -- not sure who you are or why you're posting non-answers to my post. But thanks for clarifying my off-topic question.

AndyITsupport -- I don't know what you're talking about, as I only have one account. I do, however, browse for answers and often copy other people's wording if it suits me. Don't I have the right to do that?

JamesDS -- thanks for your solution.
 
LVL 1

Author Comment

by:FunkMasterWeb
ID: 10850909
Also, my "fisher price" question appears twice within this very same question/post. So, in fact, you did see it twice. Am I not allowed to repeat a question within the same post either?